January 24, 2019

More Hadoop, YARN Threats Surface

New reports have emerged of expanding security threats targeting cloud-based Hadoop and YARN instances, including more sophisticated attacks described as “multi-vector/multi-platform threats.”

Securonix, a security analytics and operations management platform vendor, said this week it is monitoring persistent malicious attacks affecting exposed cloud and server infrastructure. The security firm said it has detected stepped-up automated attacks against cloud infrastructure, including Hadoop and YARN instances.

The report follows similar alerts last fall when a malware threat emerged against Hadoop clusters. The exploit, dubbed DemonBot, is designed to hijack cloud-based servers in order to launch denial-of-service attacks.

Securonix reported on Thursday (Jan. 24) that the latest exploit against Hadoop and YARN includes installation of a “second-stage payload” that could be used for crypto-mining or to gain remote access. In another scenario, malware spreads and infects exposed services, deletes data and installs crypto-mining or ransomware payloads.

The “malware deletes the databases instead of encrypting them, and does not have any functionality to backup [or] recover the files,” the security analyst said.

The researchers also emphasized that the malware uses “persistence mechanisms” to infect both Linux and Windows platforms. Those mechanisms are similar to those used in the “Xbash” botnet that surfaced last May. Xbash malware infects Linux and Windows systems with the goal of deleting critical databases or installing “crypto-jacking” scripts or ransomware.

The malware spreads via brute-force attacks on weak passwords “or by exploiting one of three vulnerabilities found on Hadoop YARN Resource Manager, Redis [in-memory key-value store service] and ActiveMQ,” Securonix said. Once logged into database services, the malware can, for example, delete existing databases stored on a server and create another with a ransom note specifying a bitcoin payment.

The security analyst recommends continuous review of cloud-based services like Hadoop and YARN instances and their exposure to the Internet. Along with strong passwords, companies should “restrict access whenever possible to reduce the potential attack surface.”

Another security step involves implementing Redis in “protected mode,” Securonix recommended.
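
As an added illustration of the Redis recommendation above (not code from Securonix or Datanami), the following Python sketch audits a redis.conf for the combination of settings that leaves an instance reachable without authentication. The function names and sample configurations are constructed for this example, and it assumes Redis 3.2 or later, where protected-mode defaults to yes.

```python
# Added example: flag redis.conf settings that expose an instance.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_redis_conf(text):
    """Return {directive: [args]}; a later occurrence overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = [p.strip("\"'") for p in parts[1:]]
    return conf

def first_arg(conf, key, default):
    """First argument of a directive, or the default if absent or empty."""
    args = conf.get(key)
    return args[0] if args else default

def audit_redis_conf(text):
    """Return a list of finding codes; an empty list means no finding."""
    conf = parse_redis_conf(text)
    # Assumption: Redis 3.2+, where protected-mode defaults to "yes".
    protected = first_arg(conf, "protected-mode", "yes").lower() == "yes"
    has_password = bool(first_arg(conf, "requirepass", ""))
    # Without a bind directive Redis listens on all interfaces.
    binds = conf.get("bind") or ["*"]
    # Newer Redis releases allow a "-" prefix (e.g. "-::1") on bind addresses.
    remote = [b for b in binds if b.lstrip("-") not in LOOPBACK]
    findings = []
    if not protected:
        findings.append("protected-mode-off")
    if not has_password:
        findings.append("no-requirepass")
    if remote:
        findings.append("non-loopback-bind")
    if not protected and not has_password and remote:
        findings.append("unauthenticated-remote-access")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = "bind 0.0.0.0\nprotected-mode no\n# requirepass is commented out\n"
HARDENED = 'bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass "example-long-random-secret"\n'

if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK))
    print("hardened:", audit_redis_conf(HARDENED))
```

The "unauthenticated-remote-access" finding is the one to treat as urgent: it means protected mode is off, no password is set and the listener is not limited to loopback.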
