HomeCII/OTLinux Malware Targets Apache, Docker, Redis, and Confluence in Cloud-Based Attacks

Linux Malware Targets Apache, Docker, Redis, and Confluence in Cloud-Based Attacks

Published on

spot_img

Researchers have identified a coordinated cyber compromise campaign targeting vulnerable cloud servers running instances of various platforms such as Apache Hadoop, Atlassian Confluence, Docker, and Redis. The attackers behind this campaign have been observed dropping a cryptomining tool and installing a Linux-based reverse shell, which could potentially lead to future malware infestations and targeted attacks.

According to Cado Security, the attackers are primarily exploiting common cloud misconfigurations to gain access to the vulnerable servers. Additionally, they are also exploiting an older remote code execution vulnerability (CVE-2022-26134) in Confluence server as part of their ongoing campaign. The tactics used by the attackers have similarities with the activities of threat groups like TeamTNT and WatchDog, who are known for targeting cloud and container environments.

Chris Doman, the co-founder and CTO of Cado Security, emphasized that the attacks are highly automated and look for known vulnerabilities in Confluence and other platforms, as well as common misconfigurations in platforms like Redis and Docker. The identification of vulnerable instances is often done through scanning, followed by exploiting the identified vulnerabilities. Doman suggested that addressing these issues involves patching systems and ensuring they are not exposed to the internet.

The campaign has been named Spinning YARN by Cado Security researchers, inspired by Apache Hadoop’s “Yet Another Resource Negotiator” cluster resource management layer. The researchers discovered the campaign while investigating suspicious activity on one of their Docker honeypots, leading them to identify four previously unknown Golang binaries used by the threat actor to automate server discovery and compromise.

In addition to deploying a cryptocurrency miner, the threat actor has been using various unique payloads such as Platypus for maintaining persistence, user-mode rootkits for obfuscating malicious processes, and other malicious tools for escalating the attack. Once initial access is achieved, the attackers use shell scripts and Linux attack techniques to establish persistent access to compromised hosts.

This ongoing campaign is indicative of the increasing efforts by threat actors to exploit vulnerabilities in web-facing services in cloud environments for initial access. Cado Security reported observing multiple campaigns since the beginning of the year where Docker was exploited as the entry point for broader attacks on cloud environments. Many of these attacks involve the deployment of cryptominers and various evasion techniques to avoid detection.

The attack chain observed in the campaign against Cado’s Docker honeypot involved issuing a Docker command from a US-based IP address to spawn a container with configurations that allowed interaction with the host system. The attackers used this method to write a shell script establishing contact with a remote command and control server and retrieving payloads for further compromise. The attack chain includes multiple stages, with payloads for setting up persistence, compromising the system, evading detection, and deploying cryptomining tools.

Overall, the Spinning YARN campaign highlights the persistent threat posed by cyber attackers targeting cloud environments and underscores the importance of addressing vulnerabilities and misconfigurations to prevent unauthorized access and data compromise. Organizations are encouraged to implement security measures to protect their cloud infrastructure and mitigate the risks associated with cloud-based attacks.

Source link

Latest articles

AI Bug-Finding Tools Require Human Validation

The Role of AI in Offensive Security: Balancing Speed with Human Insight In an evolving...

AWS Billing Bug Shows Trillion-Dollar Cost Estimates to Cloud Customers

Amazon Web Services Faces Major Billing Anomaly in Cost Explorer Tool Amazon Web Services (AWS)...

Scammers Exploit FaceTime for Social Engineering Tactics

Apple Warns Users About Social Engineering Scams Targeting FaceTime Apple Inc. has made a significant...

Hackers Compromise IIS Server and Launch Ransomware Attack Within 24 Hours

--- In June 2026, cybersecurity experts uncovered a coordinated and sophisticated cyber intrusion that began...

More like this

AI Bug-Finding Tools Require Human Validation

The Role of AI in Offensive Security: Balancing Speed with Human Insight In an evolving...

AWS Billing Bug Shows Trillion-Dollar Cost Estimates to Cloud Customers

Amazon Web Services Faces Major Billing Anomaly in Cost Explorer Tool Amazon Web Services (AWS)...

Scammers Exploit FaceTime for Social Engineering Tactics

Apple Warns Users About Social Engineering Scams Targeting FaceTime Apple Inc. has made a significant...