Cryptocurrency-mining campaigns are increasingly targeting critical data infrastructure by exploiting weaknesses in Apache Hadoop and Flink deployments. Because these attacks succeed against misconfigured systems, they pose a significant threat to data processing environments. To make matters worse, threat actors are now deploying rootkits to amplify their impact and remain undetected.

Attack Chain

The attack chain begins with exploiting a well-known misconfiguration in Apache Hadoop YARN’s ResourceManager, which allows unauthenticated users to submit applications and, in effect, run arbitrary code. Similarly, Apache Flink is exposed through an insecure configuration of its file upload mechanism, which gives attackers unauthenticated remote code execution.


Hadoop and Flink Exploitation

In Apache Flink, attackers abuse the insecure file upload mechanism to upload rogue JAR files, which then execute arbitrary code without any authentication. Despite the different entry points, the end goal is the same: installing rootkits for stealth and running a cryptocurrency miner.


Rootkits and Cryptomining Payload

The “dca” binary acts as a downloader for rootkits that conceal the Monero cryptominer. The rootkits delete content, modify system configuration, and evade traditional defenses; this combination of techniques is what makes the campaign hard to detect and dangerous to data infrastructure.


Infrastructure and Risk Reduction

Analysis of the attackers’ infrastructure identified specific IP addresses and domains used in the campaign. To reduce exposure, organizations running Apache Hadoop and Flink should immediately correct any misconfigurations, require strong authentication, restrict file uploads, and deploy advanced security solutions.
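As an added example (not from the article, nor from the Hadoop or Flink projects), a small Python audit that flags the configuration settings behind the weaknesses described above. The Hadoop/YARN property names and the Flink key `web.submit.enable` are real; the hardened target values and the sample configuration files are constructed assumptions.

```python
"""Audit Hadoop/Flink configuration for the insecure defaults the article warns about."""
import xml.etree.ElementTree as ET

# Real Hadoop/YARN property names; the expected values are those of a
# Kerberos-secured cluster that refuses unauthenticated application submission.
HADOOP_EXPECTED = {
    "hadoop.security.authentication": "kerberos",
    "hadoop.security.authorization": "true",
    "hadoop.http.authentication.type": "kerberos",
    "hadoop.http.authentication.simple.anonymous.allowed": "false",
    "yarn.acl.enable": "true",
}
# Flink: web.submit.enable governs whether JARs can be uploaded and run
# through the REST API / web UI, the upload path the article describes.
FLINK_EXPECTED = {"web.submit.enable": "false"}

# Constructed sample configs for a cluster still on out-of-the-box settings.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""
SAMPLE_FLINK_CONF = "jobmanager.rpc.address: jm\nrest.port: 8081\nweb.submit.enable: true\n"

def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def parse_flink_conf(text):
    """Return {key: value} from flink-conf.yaml's flat 'key: value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def audit(settings, expected):
    """List (key, actual, expected) for weak or missing settings (missing -> insecure default)."""
    return [(key, settings.get(key), want) for key, want in expected.items()
            if (settings.get(key) or "").lower() != want]

if __name__ == "__main__":
    print(audit(parse_hadoop_xml(SAMPLE_CORE_SITE), HADOOP_EXPECTED))
    print(audit(parse_flink_conf(SAMPLE_FLINK_CONF), FLINK_EXPECTED))
```

Point the two parsers at real core-site.xml, yarn-site.xml and flink-conf.yaml files to audit a live cluster; an empty list from `audit` means every checked setting is at its hardened value.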


The convergence of cryptominers and rootkits targeting Apache Hadoop and Flink illustrates how quickly the threat landscape evolves. As attackers refine their techniques, organizations need proactive security measures and a clear understanding of how their systems can be exploited. Staying vigilant, promptly fixing misconfigurations and vulnerabilities, and deploying capable security tooling are essential to protecting data infrastructure from these attacks.