Linux Malware Targets Apache, Docker, Redis, and Confluence in Cloud-Based Attacks

Researchers have identified a campaign targeting exposed cloud servers running Apache Hadoop, Atlassian Confluence, Docker, and Redis. The attackers drop a cryptocurrency miner and install a Linux reverse shell, giving them a foothold that can be reused for further malware deployment and more targeted follow-on attacks.

According to Cado Security, the attackers gain access primarily by abusing common cloud misconfigurations, and also exploit an older remote code execution vulnerability in Confluence Server (CVE-2022-26134) as part of the same campaign. Their tactics overlap with those of TeamTNT and WatchDog, threat groups known for targeting cloud and container environments.

Chris Doman, co-founder and CTO of Cado Security, emphasized that the attacks are highly automated: they look for known vulnerabilities in Confluence and other platforms, as well as common misconfigurations in platforms like Redis and Docker. Vulnerable instances are typically identified by scanning and then exploited. Doman suggested that addressing these issues comes down to patching systems and ensuring they are not exposed to the internet.
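The two misconfigurations named above, an unauthenticated Docker Engine API on TCP and a Redis instance listening on every interface without a password, can be checked statically before anything is scanned. The script below is an added example, not code from Cado Security or from the report; the `daemon.json` and `redis.conf` samples are constructed, and the Redis check only reads `requirepass` (ACL files are assumed out of scope).

```python
"""Static audit of two misconfigurations the campaign abuses: a Docker Engine
API reachable over plain TCP, and a Redis instance listening on all
interfaces without authentication. Both sample configs are constructed
for this example, not taken from the report."""
import json


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for a /etc/docker/daemon.json document.
    ('hosts' is the same setting as dockerd's -H flag; a listener set only
    in the systemd unit is not read here.)"""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        if not cfg.get("tlsverify"):
            findings.append(f"docker: API listener {host} without tlsverify; "
                            "anyone who can reach it can create containers as root")
        elif not cfg.get("tlscacert"):
            findings.append(f"docker: tlsverify set for {host} but no tlscacert, "
                            "so client certificates cannot be validated")
    return findings


def audit_redis_conf(conf: str) -> list[str]:
    """Return findings for a redis.conf text (requirepass only; ACL files not parsed)."""
    directives: dict[str, str] = {}
    renamed: set[str] = set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "rename-command":
            renamed.add(value.split()[0].upper())  # e.g. rename-command CONFIG ""
        else:
            directives[key] = value
    findings = []
    # Redis with no 'bind' directive listens on every interface; a leading
    # '-' on an address means "optional", so strip it before comparing.
    bind_addrs = directives.get("bind", "0.0.0.0").split()
    public = any(a.lstrip("-") in ("0.0.0.0", "*", "::") for a in bind_addrs)
    protected = directives.get("protected-mode", "yes").lower() == "yes"
    has_auth = "requirepass" in directives
    if public and not has_auth:
        if protected:
            findings.append("redis: bound to all interfaces with no requirepass; "
                            "only protected-mode keeps remote clients out")
        else:
            findings.append("redis: reachable on all interfaces with no "
                            "authentication and protected-mode off")
        if "CONFIG" not in renamed:
            # CONFIG SET dir/dbfilename followed by SAVE writes an attacker-chosen
            # file on disk (cron entries, authorized_keys) from an unauthenticated client.
            findings.append("redis: CONFIG usable by unauthenticated remote clients")
    return findings


# Constructed samples: the weak setting beside the hardened one.
WEAK_DAEMON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = (
    "bind 127.0.0.1 -::1\n"
    "protected-mode yes\n"
    "requirepass replace-with-a-long-random-secret\n"  # placeholder value
    'rename-command CONFIG ""\n'
)

if __name__ == "__main__":
    for name, findings in [("weak docker", audit_docker_daemon(WEAK_DAEMON)),
                           ("hardened docker", audit_docker_daemon(HARDENED_DAEMON)),
                           ("weak redis", audit_redis_conf(WEAK_REDIS)),
                           ("hardened redis", audit_redis_conf(HARDENED_REDIS))]:
        print(f"{name}: {findings or 'ok'}")
```

Keeping the Docker API on the Unix socket only (or behind mutual TLS on 2376) and binding Redis to loopback with a password removes the two paths the scanners in this campaign look for; the CONFIG rename is defence in depth for the case where the password is later weakened.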

Cado Security researchers named the campaign Spinning YARN, after Apache Hadoop's YARN (“Yet Another Resource Negotiator”) cluster resource management layer. They discovered it while investigating suspicious activity on one of their Docker honeypots, which led them to four previously unknown Go binaries the threat actor uses to automate server discovery and compromise.

Alongside the cryptocurrency miner, the threat actor deploys a set of payloads that includes the open-source Platypus reverse shell for maintaining access, user-mode rootkits for hiding malicious processes, and further tooling for extending the compromise. Once initial access is achieved, the attackers use shell scripts and common Linux persistence techniques to keep a foothold on compromised hosts.

The campaign is one more sign of threat actors' growing focus on web-facing services in cloud environments as a route to initial access. Cado Security reports that since the start of the year it has observed multiple campaigns in which Docker was the entry point for broader attacks on cloud environments, most of them deploying cryptominers and using a variety of evasion techniques to avoid detection.

The attack chain observed against Cado's Docker honeypot began with a Docker command issued from a US-based IP address that spawned a container configured so that it could interact with the host system. Through that container the attackers wrote a shell script that contacted a remote command and control server and retrieved further payloads. The chain proceeds through several stages, with separate payloads for establishing persistence, compromising the host, evading detection, and deploying the cryptominer.
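The first step of that chain is a container-create request whose host configuration reaches outside the container. The following is an added example, not code from Cado Security or from the honeypot, showing the check a practitioner would run over Docker Engine API `POST /containers/create` bodies (for instance from an authorization plugin or from request logs) to flag exactly that class of configuration. The article does not say which setting the attacker used; the constructed `SUSPECT` sample assumes a bind mount of the host root directory, which is one common way to get host access, and the other sample bodies are likewise constructed.

```python
"""Inspect Docker Engine API container-create bodies (POST /containers/create)
for settings that let the container reach the host. All request bodies below
are constructed samples for this example."""
from typing import Any

# Host paths whose bind-mount into a container amounts to host compromise.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/boot", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def _bind_sources(host_config: dict[str, Any]) -> list[str]:
    """Host-side source paths from both the legacy Binds list and Mounts."""
    sources = [b.split(":", 1)[0] for b in host_config.get("Binds") or []]
    for m in host_config.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source"):
            sources.append(m["Source"])
    return sources


def _is_sensitive(path: str) -> bool:
    norm = path.rstrip("/") or "/"
    return any(norm == p or (p != "/" and norm.startswith(p + "/"))
               for p in SENSITIVE_HOST_PATHS)


def assess_create_request(body: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means nothing host-reaching."""
    hc = body.get("HostConfig") or {}
    findings = []
    for src in _bind_sources(hc):
        if _is_sensitive(src):
            findings.append(f"bind-mounts sensitive host path {src}")
    if hc.get("Privileged"):
        findings.append("privileged container (all capabilities, raw device access)")
    if hc.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    caps = {c.upper().removeprefix("CAP_") for c in hc.get("CapAdd") or []}
    if caps & DANGEROUS_CAPS:
        findings.append(f"adds host-reaching capabilities {sorted(caps & DANGEROUS_CAPS)}")
    return findings


def triage(requests: list[dict[str, Any]]) -> list[tuple[str, list[str]]]:
    """(image, findings) for every request with at least one finding."""
    out = []
    for body in requests:
        findings = assess_create_request(body)
        if findings:
            out.append((body.get("Image", "?"), findings))
    return out


# Constructed samples. SUSPECT assumes the host root is mounted at /mnt and a
# script is written through it; the article does not give the exact settings.
SUSPECT = {
    "Image": "alpine",
    "Cmd": ["sh", "-c", "echo '# placeholder dropper' > /mnt/tmp/update.sh"],
    "HostConfig": {"Binds": ["/:/mnt"]},
}
PRIVILEGED = {"Image": "busybox", "HostConfig": {"Privileged": True, "PidMode": "host"}}
BENIGN = {
    "Image": "nginx:1.25",
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                   "PortBindings": {"80/tcp": [{"HostPort": "8080"}]}},
}

if __name__ == "__main__":
    for image, findings in triage([SUSPECT, PRIVILEGED, BENIGN]):
        print(image, "->", "; ".join(findings))
```

The same predicate works as a deny rule in front of the daemon and as a hunting query over historical API requests; a benign web container with a read-only subdirectory mount passes, while a root mount, a privileged flag, or a host PID namespace is flagged regardless of what the command inside the container looks like.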

Overall, Spinning YARN underscores the persistent threat to cloud environments and the importance of fixing vulnerabilities and misconfigurations before they are used for unauthorized access and data compromise. Organizations should harden their cloud infrastructure accordingly and mitigate the risks specific to cloud-based attacks.
