Cloud-y Linux Malware Rains on Apache, Docker, Redis & Confluence



"Spinning YARN" cyberattackers wielding a Linux webshell are positioning for broader cloud compromise by exploiting common misconfigurations and a known Atlassian Confluence bug.
March 6, 2024
Researchers have spotted a concerted cyber compromise campaign targeting cloud servers running vulnerable instances of Apache Hadoop, Atlassian Confluence, Docker, and Redis. The attackers are dropping a cryptomining tool, but also installing a Linux-based reverse shell that would allow potential future targeting and malware infestations.
According to an analysis from Cado Security, in most cases the adversary is hunting for common cloud misconfigurations to exploit. But, it has also been using an older remote code execution (RCE) vulnerability in Confluence server (CVE-2022-26134) in its ongoing campaign.
The researchers also said the attackers' tactics overlap with TeamTNT and WatchDog, two threat groups known for targeting cloud and container environments.
"The attacks are relatively hard-coded and automated, so they look for known vulnerabilities in Confluence and other platforms and well-known misconfigurations in platforms like Redis and Docker," says Chris Doman, co-founder and CTO at Cado Security.
Identifying these vulnerable instances is often simple: the attackers scan for exposed services as a first step, then attack the instances they have identified as a second step. "Avoiding these issues is often about fixing the low-hanging fruit — making sure systems are patched or at least not Internet accessible."
Cado Security researchers have dubbed the campaign Spinning YARN, after Apache Hadoop's "Yet Another Resource Negotiator" cluster resource management layer. They discovered it when investigating a flurry of initial access activity on one of Cado's Docker honeypots. Their analysis led to the discovery of four previously unknown Golang binaries that the threat actor is using to automate the discovery and compromise of servers running the four cloud platforms.
Cado researchers also found the threat actor deploying multiple other unique payloads, including Platypus (an open source reverse shell utility for maintaining persistence), and two user-mode rootkits for obfuscating malicious processes.
"Once initial access is achieved, a series of shell scripts and general Linux attack techniques are used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to the compromised hosts," the firm said in a blog post this week.
The ongoing campaign is the latest manifestation of the time and effort that threat actors appear to be putting into understanding vulnerabilities in Web-facing services in cloud environments, and figuring out ways to exploit them for initial access, the security vendor said. Just since the beginning of 2024, Cado's researchers have observed a total of three campaigns — including the latest one — in which a threat actor has exploited Docker for initial access to an organization's broader cloud environment, the company noted.
Many of these attacks have involved attempts to deploy cryptominers. Earlier this year, researchers from Aqua Nautilus reported on a threat actor exploiting two known misconfigurations in Hadoop YARN and Flink to drop a miner for Monero cryptocurrency. That campaign, like the one that Cado reported this week, involved the use of rootkits, system configuration modifications, packed ELF binaries, and other methods to evade detection. Last year, Aqua researchers uncovered another campaign where a threat actor infected over 1,200 Redis servers with a cryptominer via an almost undetectable malware tool they dubbed "HeadCrab."
In the attack on Cado's Docker honeypot, the threat actors issued a Docker command from a US-based IP address that spawned a new container with a configuration that allowed the container to access and interact with files and directories on the underlying host system. It's a method that adversaries commonly use in Docker attacks because it allows them to write files to the host system, or to essentially conduct an RCE attack, Cado said.
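Defenders can hunt for exactly this container configuration on their own hosts. The following is an added example (not Cado's code or tooling) that scans `docker inspect`-style JSON for containers that bind-mount sensitive host paths, run privileged, or share the host PID namespace; the sample JSON is constructed inline so the check runs offline.

```python
import json
import os

# Constructed sample in the shape of `docker inspect` output (not real honeypot data):
# one benign web container, and one whose host root is bind-mounted read-write,
# the pattern the article describes for the Docker initial-access vector.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/srv/web",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
    {"Id": "bbb222", "Name": "/sharp_curie",
     "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
])

# Host paths whose exposure inside a container gives write access to the host
# or to the Docker daemon itself (hypothetical list; extend for your environment).
SENSITIVE_PREFIXES = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def _is_sensitive(host_path: str) -> bool:
    norm = os.path.normpath(host_path)
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def host_mount_findings(inspect_json: str) -> list[dict]:
    """Return one finding per container that can reach the host filesystem or daemon."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        reasons = []
        if hc.get("Privileged"):
            reasons.append("privileged")
        if hc.get("PidMode") == "host":
            reasons.append("pid=host")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and _is_sensitive(m.get("Source", "")):
                rw = "rw" if m.get("RW") else "ro"
                reasons.append(f"bind {m['Source']} -> {m.get('Destination')} ({rw})")
        if reasons:
            findings.append({"id": c["Id"], "name": c["Name"].lstrip("/"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in host_mount_findings(SAMPLE_INSPECT):
        print(f"{f['id'][:12]} {f['name']}: {', '.join(f['reasons'])}")
```

On a live host, pipe `docker inspect $(docker ps -q)` into the function instead of the constructed sample; a read-write bind of `/` in a container you did not create is a strong indicator of this campaign's initial-access step.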
In this particular instance, the attackers deployed the tactic to write a shell script function that established contact with a remote command and control (C2) server, and then retrieved a first stage payload from it.
The function of the first stage payload is to define the C2 for additional payloads and check for the presence of chattr, a Linux tool for modifying file and directory attributes. If the tool is present, the initial payload renames it. If it is not, the malware installs chattr on the compromised system and then renames it, Cado said. That primary or first-stage payload then retrieves the next payload after first verifying whether the current user of the system has admin access.
The second-stage payload's functions include softening the system for additional compromise by, among other things, running commands for disabling firewalls and IP filter rules, deleting shell history, disabling access control functions, and removing any restrictions on outbound DNS requests.
The second stage shell script also takes various anti-forensic measures such as installing two user-mode rootkits for hiding malicious activities, and ensuring that malicious commands do not show up in the history file. It also downloads Platypus for persistent access and the XMRig cryptominer for Monero.
The attack chain also includes shell scripts to search for and delete Docker images from Ubuntu or Alpine repositories, and for downloading and persisting multiple other binary payloads on compromised systems.
Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.