Lucifer Botnet Turns Up the Heat on Apache Hadoop Servers

Published: 23/11/2024   Category: security

More than 3,000 unique attacks hitting Hadoop and Druid honeypots in just the past month indicate an attacker testing phase, portending fire and brimstone to come.



A threat actor is targeting organizations running Apache Hadoop and Apache Druid big data technologies with a new version of the Lucifer botnet, a known malware tool that combines cryptojacking and distributed denial of service (DDoS) capabilities.
The campaign is a departure for the botnet, and an analysis this week from Aqua Nautilus suggests that its operators are testing new infection routines as a precursor to a broader campaign.
Lucifer is self-propagating malware that researchers at Palo Alto Networks first reported in May 2020. At the time, the company described the threat as dangerous hybrid malware that an attacker could use to launch DDoS attacks, or to drop XMRig for mining Monero cryptocurrency. Palo Alto said it had also observed attackers using Lucifer to drop the NSA's leaked EternalBlue, EternalRomance, and DoublePulsar malware and exploits on target systems.
"Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms," Palo Alto had warned at the time.
Now, it's back and targeting Apache servers. Researchers from Aqua Nautilus, who have been monitoring the campaign, said in a blog this week that they had counted more than 3,000 unique attacks against the company's Apache Hadoop, Apache Druid, and Apache Flink honeypots in the last month alone.
The campaign has been ongoing for at least six months, during which time the attackers have been attempting to exploit known misconfigurations and vulnerabilities in the open source platforms to deliver their payload.
The campaign so far has comprised three distinct phases, which the researchers said is likely an indication that the adversary is testing defense evasion techniques before a full-scale attack.
"The campaign began targeting our honeypots in July," says Nitzan Yaakov, security data analyst at Aqua Nautilus. "During our investigation, we observed the attacker updating techniques and methods to achieve the main goal of the attack — mining cryptocurrency."
During the first stage of the new campaign, Aqua researchers observed the attackers scanning the Internet for misconfigured Hadoop instances. When they found a misconfigured Hadoop YARN (Yet Another Resource Negotiator) cluster, Hadoop's resource management and job scheduling layer, on Aqua's honeypot, they targeted that instance for exploitation. The misconfiguration on Aqua's honeypot was in Hadoop YARN's ResourceManager, and it gave the attackers a way to execute arbitrary code on the host via a specially crafted HTTP request.
The attackers exploited the misconfiguration to download Lucifer, execute it, and store it in the Hadoop YARN instance's local directory. They then scheduled the malware to run periodically to ensure persistence. Aqua also observed the attacker deleting the binary from the path where it was initially saved in an attempt to evade detection.
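One runtime check that follows from the evasion just described, as an added example that is not code from Aqua Nautilus or from the Lucifer analysis: on Linux, a process whose binary has been unlinked from disk still exposes the original path through /proc/<pid>/exe, and the kernel appends " (deleted)" to that link target. The script below walks a procfs tree and reports such processes; the `proc_root` parameter, the `demo()` helper and the sample process tree it builds are assumptions made for offline demonstration, not anything the article specifies.

```python
"""Detect running processes whose executable has been unlinked from disk.

Added example for this article; not code from Aqua Nautilus or from the
Lucifer analysis. The article reports the attacker deleting the Lucifer
binary from the path it was first saved to while the process kept running.
On Linux, /proc/<pid>/exe still points at the original path and the kernel
appends " (deleted)" to the link target once the file is unlinked.
"""
import os
import tempfile
from dataclasses import dataclass

DELETED_SUFFIX = " (deleted)"


@dataclass(frozen=True)
class Finding:
    pid: int
    exe_path: str   # original on-disk path of the now-unlinked binary
    cmdline: str    # argv as recorded by the kernel (empty if unreadable)


def read_cmdline(proc_dir: str) -> str:
    """Return /proc/<pid>/cmdline with its NUL separators replaced by spaces."""
    try:
        with open(os.path.join(proc_dir, "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
    except OSError:
        return ""


def find_deleted_executables(proc_root: str = "/proc") -> list[Finding]:
    """Walk a procfs tree and report processes whose exe link ends in ' (deleted)'.

    proc_root is a parameter (an assumption of this example) so the same logic
    can run against a constructed directory tree offline; in production it is
    simply /proc.
    """
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue                    # not a PID directory
        proc_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(proc_dir, "exe"))
        except OSError:
            continue                    # kernel thread, or no permission to inspect
        if target.endswith(DELETED_SUFFIX):
            original = target[: -len(DELETED_SUFFIX)]
            findings.append(Finding(int(entry), original, read_cmdline(proc_dir)))
    return sorted(findings, key=lambda f: f.pid)


def build_fake_proc(root: str, procs: dict[int, str]) -> None:
    """Build a minimal procfs look-alike from constructed data (pid -> exe link target)."""
    for pid, exe_target in procs.items():
        proc_dir = os.path.join(root, str(pid))
        os.makedirs(proc_dir, exist_ok=True)
        os.symlink(exe_target, os.path.join(proc_dir, "exe"))   # dangling links are fine here
        with open(os.path.join(proc_dir, "cmdline"), "wb") as fh:
            fh.write(exe_target.removesuffix(DELETED_SUFFIX).encode() + b"\0")


def demo() -> list[Finding]:
    """Run the check against a constructed tree: one healthy JVM, one unlinked binary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp, {
            101: "/usr/bin/java",                                       # constructed
            202: "/tmp/hadoop-yarn/usercache/x/appcache/a (deleted)",   # constructed path
        })
        return find_deleted_executables(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"[demo] pid {f.pid}: executable {f.exe_path} was unlinked; cmdline={f.cmdline!r}")
    if os.path.isdir("/proc"):          # real scan on a Linux host
        for f in find_deleted_executables():
            print(f"pid {f.pid}: executable {f.exe_path} was unlinked; cmdline={f.cmdline!r}")
```

A hit is not proof of compromise on its own (package upgrades leave long-running daemons in the same state until restarted), but a deleted executable under a YARN or Druid working directory, combined with a scheduled job pointing at a path that no longer exists, matches the behaviour the article describes and is worth alerting on.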
In the second phase of attacks, the threat actors once again targeted misconfigurations in the Hadoop big-data stack to gain initial access. This time, however, instead of dropping a single binary, the attackers dropped two on the compromised system — one which executed Lucifer and the other which apparently did nothing.
In the third phase, the attacker switched tactics and, instead of targeting misconfigured Apache Hadoop instances, began looking for vulnerable Apache Druid hosts. Aqua's Apache Druid service on its honeypot was unpatched against CVE-2021-25646, a command injection vulnerability in certain versions of the high-performance analytics database. The vulnerability gives authenticated attackers a way to execute user-defined JavaScript code on affected systems.
"The attacker exploited the flaw to inject a command for downloading two binaries and enabling them with read, write, and execute permissions for all users," Aqua said. "One of the binaries initiated the download of Lucifer, while the other executed the malware." In this phase, the attacker's decision to split the downloading and execution of Lucifer between two binary files appears to have been an attempt to bypass detection mechanisms, the security vendor noted.
Ahead of a potential coming wave of attacks against Apache instances, enterprises should review their deployments for common misconfigurations and ensure all patching is up to date.
Beyond that, the researchers noted that unknown threats can be identified by scanning environments with runtime detection and response solutions, which detect anomalous behavior and alert on it, and that it is important to be cautious and aware of existing threats when using open source libraries. Every library and piece of code should be downloaded from a verified distributor.
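For the "review for common misconfigurations" advice, the concrete question in the YARN case is whether the ResourceManager trusts anonymous callers and enforces no ACLs. The audit script below is an added example, not code from Aqua Nautilus or the Apache Hadoop project: it parses Hadoop's XML configuration format and reports the settings that leave a cluster open. The property names and their shipped defaults are real Hadoop settings (from core-default.xml and yarn-default.xml); the two sample files, the `demo()` helper and the assumption that core-site.xml and yarn-site.xml have been merged into one dictionary are this example's own.

```python
"""Audit Hadoop/YARN XML configuration for unauthenticated, ACL-less exposure.

Added example for this article; not code from Aqua Nautilus or the Apache
projects. The property names and their defaults are real Hadoop settings
(core-default.xml / yarn-default.xml); the sample configurations below are
constructed. The audit assumes core-site.xml and yarn-site.xml have been
parsed and merged into one dictionary.
"""
import xml.etree.ElementTree as ET

# Shipped defaults: a cluster that sets none of these trusts anonymous callers.
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.http.authentication.type": "simple",
    "yarn.acl.enable": "false",
    "yarn.admin.acl": "*",
}


def parse_hadoop_xml(text: str) -> dict[str, str]:
    """Parse Hadoop's <configuration><property><name/><value/></property> format."""
    props: dict[str, str] = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(props: dict[str, str]) -> list[str]:
    """Return findings for the merged core-site + yarn-site properties."""
    eff = {**DEFAULTS, **props}          # unset properties take their shipped default
    findings = []
    if eff["hadoop.security.authentication"].lower() == "simple":
        findings.append("hadoop.security.authentication=simple: RPC callers are trusted by asserted user name (no Kerberos)")
    if eff["hadoop.http.authentication.type"].lower() == "simple":
        findings.append("hadoop.http.authentication.type=simple: web UIs and REST APIs accept unauthenticated requests")
    if eff["yarn.acl.enable"].lower() != "true":
        findings.append("yarn.acl.enable is not true: queue and admin ACLs are not enforced")
    elif eff["yarn.admin.acl"].strip() == "*":
        findings.append("yarn.admin.acl=*: every user is a YARN administrator")
    return findings


# Constructed sample: only the hostname is set, everything else is at its default.
WEAK_CONFIG = """<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>rm.example.internal</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
</configuration>"""

# Constructed sample: Kerberos on RPC and HTTP, ACLs on, admin ACL restricted.
HARDENED_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn,hadoop-admins</value></property>
</configuration>"""


def demo() -> dict[str, list[str]]:
    """Audit both constructed samples and return the findings per label."""
    return {
        "weak": audit(parse_hadoop_xml(WEAK_CONFIG)),
        "hardened": audit(parse_hadoop_xml(HARDENED_CONFIG)),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

The check is intentionally narrow: it says nothing about whether the ResourceManager's ports are reachable from untrusted networks, which is the other half of the exposure, and it does not cover the Druid side of the campaign, where the relevant control is applying the vendor fix for CVE-2021-25646 rather than a configuration flag.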
