Mirai botnet exploiting Hadoop vulnerability on Linux servers: Report

Since its discovery in the summer of 2016, variations of the Mirai botnet, which infects and chains together Internet-connected surveillance cameras and routers to spread malware and launch distributed denial of service (DDoS) attacks, have been a thorn in the side of CISOs.

Now they have another worry: A variant that targets vulnerable Linux servers for hosting DDoS and Monero cryptomining software.

“Mirai is no longer solely targeting IoT devices,” say researchers from Netscout in a blog released Wednesday. “While the techniques used to deliver Mirai to both IoT and Linux servers may be similar, it’s much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices.”

The bot is looking in particular for servers exposed to what is called the YARN vulnerability in the open source Hadoop framework for distributed storage. According to security vendor ExtraHop, YARN (short for Yet Another Resource Negotiator) provides cluster resource management, allowing multiple data processing engines to handle data stored in a single platform. The vulnerability is a command injection flaw in YARN's REST API that lets an attacker execute arbitrary shell commands on the server. According to a column earlier this month by a Radware researcher, there are still about 1,000 vulnerable servers all over the world.

Radware detected nearly 12 million exploit attempts from the U.S. on its detection network between September and the middle of this month. Great Britain and Italy were each responsible for 6 million attempts, closely followed by Germany with 4.8 million attempts. Radware’s U.K. and Germany honeypots were hit twice as hard as the rest of the world. The average for each region was between 1.6 and 3.2 million attempted exploits over that period, although the rate had slowed to about 350,000 a day as of Nov. 15.

Judging by the limited number of sources Netscout has seen continually scanning for the Hadoop YARN vulnerability, its researchers suspect a small group of attackers are behind this campaign. “Their goal is clear – to install the malware on as many devices as possible. Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords. What’s different now is that among the small, diminutive devices in the botnet lurk fully powered Linux servers.”

ExtraHop noted the ability to remotely execute arbitrary code without authentication in a Hadoop cluster from the public internet can very easily become a mechanism for stealing or destroying large volumes of sensitive data. “No domain from the public internet should be issuing shell commands against your Hadoop clusters,” says ExtraHop. “If that’s happening, your security team needs to know right away.”
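ExtraHop's point above is a detection rule in plain words: application submissions to YARN should only ever come from known job-submission hosts. The following is an added example, not code from the article, Netscout, ExtraHop or the Hadoop project, showing one way to apply that rule to HTTP access logs from a reverse proxy in front of the YARN ResourceManager web port (8088 is the stock default). The log lines, the trusted network range and the source addresses are constructed for the example; the two REST paths are the documented YARN endpoints for creating and submitting an application.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: combined-log-format lines as a reverse proxy in front
# of the ResourceManager web UI/REST API might record them. 10.20.1.14 plays a
# legitimate job-submission host; 203.0.113.77 and 198.51.100.9 are external.
SAMPLE_LOG = """\
10.20.1.14 - - [15/Nov/2018:09:58:01 +0000] "GET /ws/v1/cluster/info HTTP/1.1" 200 512
10.20.1.14 - - [15/Nov/2018:09:58:07 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 96
10.20.1.14 - - [15/Nov/2018:09:58:08 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0
203.0.113.77 - - [15/Nov/2018:10:03:41 +0000] "GET /cluster HTTP/1.1" 200 8841
203.0.113.77 - - [15/Nov/2018:10:03:42 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 96
203.0.113.77 - - [15/Nov/2018:10:03:43 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0
198.51.100.9 - - [15/Nov/2018:10:05:00 +0000] "GET /ws/v1/cluster/apps HTTP/1.1" 200 2048
"""

# Networks from which application submissions are expected. This range is an
# assumption for the example; a real deployment lists its own submission hosts.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# YARN REST endpoints that create a new application id and submit an
# application. Any write to these is "issuing work" to the cluster.
SUBMISSION_PATHS = {"/ws/v1/cluster/apps", "/ws/v1/cluster/apps/new-application"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


@dataclass
class Finding:
    src: str
    ts: str
    path: str
    status: int


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(src, trusted):
    """True when src is a valid IP inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def find_untrusted_submissions(log_text, trusted=None):
    """Flag application-submission writes that did not come from a trusted network."""
    trusted = TRUSTED_NETWORKS if trusted is None else trusted
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path not in SUBMISSION_PATHS or is_trusted(rec["src"], trusted):
            continue
        findings.append(Finding(rec["src"], rec["ts"], path, int(rec["status"])))
    return findings


def summarize_by_source(findings):
    """Count flagged submissions per source address, for triage."""
    return dict(Counter(f.src for f in findings))


if __name__ == "__main__":
    hits = find_untrusted_submissions(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.path} ({f.status})")
    print(summarize_by_source(hits))
```

Reads from the REST API (the external GET of the application list) are not flagged here; they are worth a separate, lower-severity rule, since the ExtraHop guidance is specifically about shell commands, which on this API arrive through application submission.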

Remote command execution exploits against the YARN REST API can be held in check in part by strong protections around who and what can access data in Hadoop stores, and especially around which new applications can use YARN to tap data and resources in Hadoop, ExtraHop said.
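The protections ExtraHop describes map onto a handful of Hadoop and YARN settings that, left at their defaults, make the REST API accept work from any anonymous client. The script below is an added example, not from the article or the Hadoop project: it reads Hadoop-style core-site.xml and yarn-site.xml documents and reports settings still at their weak defaults. The property names and their defaults are the real Hadoop ones; the two configurations it audits (one all-defaults, one hardened) and the host names in them are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed "weak" configuration: nothing security-related is set, so every
# checked property takes its Hadoop default, and the ResourceManager web
# endpoint is bound to all interfaces.
WEAK_CORE_SITE = """
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
</configuration>
"""
WEAK_YARN_SITE = """
<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>
"""

# Constructed hardened configuration for comparison.
HARDENED_CORE_SITE = """
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>
"""
HARDENED_YARN_SITE = """
<configuration>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn,hadoopadmin</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>rm.example.internal:8088</value></property>
</configuration>
"""

# (property, predicate that the effective value must satisfy, Hadoop default
# used when the property is absent, what the weak state means in practice)
CHECKS = [
    ("hadoop.security.authentication", lambda v: v == "kerberos", "simple",
     "cluster requests are unauthenticated; enable Kerberos"),
    ("hadoop.security.authorization", lambda v: v == "true", "false",
     "service-level authorization is off"),
    ("hadoop.http.authentication.type", lambda v: v != "simple", "simple",
     "web UI and REST API accept unauthenticated HTTP clients"),
    ("hadoop.http.authentication.simple.anonymous.allowed", lambda v: v == "false", "true",
     "anonymous HTTP clients are accepted by the web endpoints"),
    ("yarn.acl.enable", lambda v: v == "true", "false",
     "YARN queue and admin ACLs are not enforced"),
    ("yarn.admin.acl", lambda v: v.strip() != "*", "*",
     "every user is a YARN administrator; restrict to named principals"),
    # Unset means the RM hostname is used, which is acceptable; only an
    # explicit wildcard bind is flagged.
    ("yarn.resourcemanager.webapp.address", lambda v: not v.startswith("0.0.0.0"), "",
     "ResourceManager web/REST endpoint listens on all interfaces"),
]


def load_properties(xml_text):
    """Parse a Hadoop <configuration> document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(*xml_docs):
    """Merge the given config documents (later wins) and return weak settings."""
    merged = {}
    for doc in xml_docs:
        merged.update(load_properties(doc))
    findings = []
    for name, ok, default, meaning in CHECKS:
        effective = merged.get(name, default)
        if not ok(effective):
            findings.append((name, effective or "<unset>", meaning))
    return findings


if __name__ == "__main__":
    for label, docs in (("weak", (WEAK_CORE_SITE, WEAK_YARN_SITE)),
                        ("hardened", (HARDENED_CORE_SITE, HARDENED_YARN_SITE))):
        print(f"== {label} ==")
        for name, value, meaning in audit(*docs):
            print(f"  {name} = {value!r}: {meaning}")
```

The audit treats an absent property as its Hadoop default on purpose: an exposed cluster of the kind the article describes is usually one where these keys were never written at all, not one where someone chose the weak value.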

See also this note from Apache on YARN security.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com