
New payloads targeting Docker, Hadoop, Confluence, and Redis

A recent attack campaign has been identified, targeting publicly accessible Docker, Hadoop, Confluence, and Redis deployments. The attackers are exploiting common misconfigurations and known vulnerabilities in these systems. According to researchers at Cado Security, the attackers are deploying previously unseen payloads, including four binaries written in Golang.

The attack campaign involves a series of shell scripts and general Linux attack techniques that are used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to compromised hosts. Although attribution cannot be definitively made, the shell scripts observed in the campaign bear similarities to those used by known threat actors TeamTNT and WatchDog in the past.

The complexity of the infection chain in this campaign is notable, with over 10 shell scripts and various binaries involved. The attackers employ multiple persistence mechanisms, backup payload delivery methods, anti-forensics techniques, user mode rootkits, network scanning tools, and exploits. The initial observation of the attack was made on a Docker honeypot intentionally configured insecurely by Cado Security. The attackers connected to the Docker Engine API, created a new container based on Alpine Linux, and mounted the host’s root file system to a temporary directory inside the container.

This technique, while not new, is commonly used in Docker attacks to execute malicious actions on the host system. In this campaign, the attackers wrote a file to the /usr/bin/vurl path and created a cron job to execute base64-encoded shell commands. The decoded shell code used the vurl script to retrieve a first-stage payload from a command-and-control server over a TCP connection. If this method failed, a second cron job was created to retrieve an alternative payload using Python and the urllib2 library.

The first payload retrieved by the vurl script is a shell script called cronb.sh, which checks whether the chattr utility is installed and whether the current account is root. Depending on these conditions, the next payload is executed – another shell script called ar.sh, which prepares the system for further stages of infection. This script checks whether outbound connections to the internet on port 80 are permitted, disables firewalls, deletes shell history, disables SELinux protection, and updates DNS settings to ensure future command-and-control domains are resolved correctly.
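As an added illustration, not from the article or from Cado Security's research, the following Python check looks for two of the indicators described above from the defender's side: a container whose bind mounts expose the host's root filesystem, and cron entries that pipe base64-decoded text into a shell. The container records and crontab lines are constructed samples in the shape of Docker Engine API / `docker inspect` output and crontab text.

```python
import base64
import json
import re

# Constructed sample (not real campaign data): two containers as returned by
# the Docker Engine API; the first bind-mounts the host root filesystem.
SAMPLE_CONTAINERS = json.loads("""[
  {"Id": "abc123", "Config": {"Image": "alpine:latest"},
   "HostConfig": {"Binds": ["/:/mnt/host:rw"], "Privileged": false}},
  {"Id": "def456", "Config": {"Image": "nginx:1.25"},
   "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}
]""")

# Constructed sample crontab: one benign entry and one that decodes base64
# text and feeds it to a shell, the pattern the campaign's cron job used.
CONSTRUCTED_B64 = base64.b64encode(b"sh /tmp/stage1.sh").decode()
SAMPLE_CRON = [
    "0 3 * * * /usr/bin/certbot renew --quiet",
    f"* * * * * echo {CONSTRUCTED_B64} | base64 -d | sh",
]


def host_root_binds(containers):
    """Return (container id, bind spec) pairs whose bind source is the host's '/'."""
    hits = []
    for c in containers:
        for bind in c.get("HostConfig", {}).get("Binds") or []:
            if bind.split(":", 1)[0] == "/":
                hits.append((c["Id"], bind))
    return hits


# echo <base64 blob> | base64 -d|--decode | [/bin/]sh|bash|dash
B64_TO_SHELL = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{8,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
    r"\s*\|\s*(?:/bin/)?(?:ba|da)?sh\b"
)


def decoded_cron_commands(cron_lines):
    """Return (line, decoded command) for entries that pipe base64 text into a shell."""
    out = []
    for line in cron_lines:
        m = B64_TO_SHELL.search(line)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            decoded = "<undecodable>"
        out.append((line, decoded))
    return out
```

On a real host the same functions can be run over `docker inspect $(docker ps -q)` output and the contents of /etc/cron* and per-user crontabs; a host-root bind from an unexpected image, or any cron entry whose decoded command fetches or runs a script, deserves immediate triage.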

Overall, this attack campaign demonstrates the evolving tactics used by threat actors to target and compromise vulnerable systems. Organizations that rely on Docker, Hadoop, Confluence, and Redis deployments should ensure they are securely configured and regularly updated to mitigate the risk of falling victim to such attacks. Vigilance, timely patching, and strong security protocols are crucial in defending against increasingly sophisticated cyber threats.
