Follow Datanami:
January 10, 2024

New Hadoop and Flink Hacks Leveraging Known Configuration Vulnerability

(Golden Dayz/Shutterstock)

Security researchers at Aqua Nautilus say they are tracking a new set of attacks against Apache Hadoop and Apache Flink applications. The attackers are employing stealthy techniques to exploit a known security vulnerability for misconfigured Hadoop and Flink systems that could enable unauthenticated hackers to run arbitrary code on clusters, the researchers say.

Aqua Nautilus, a security research company based in Burlington, Vermont, today announced the results of its investigation into the Hadoop and Flink attacks. The company stated that, over the past few weeks, it discovered a “new and interesting attack” that targeted its cloud honeypots. The attacks on Hadoop and Flink appear to follow a similar playbook and exploit similar vulnerabilities, the company says.

On Hadoop, the attack leverages a user misconfiguration in ResourceManager, or the head node for YARN in a Hadoop cluster. “This misconfiguration can be exploited by an unauthenticated, remote attacker through a specially designed HTTP request, potentially leading to the execution of arbitrary code, depending on the privileges of the user on the node where the code is executed,” Aqua Nautilus security analysts Nitzan Yaakov and Assaf Morag wrote in a blog post today.

Meanwhile, the attacks on Apache Flink also exploit a misconfiguration “that allows a remote attacker to execute arbitrary code on a system running Apache Flink without needing to authenticate,” Aqua Nautilus said.

Neither of the misconfiguration-based vulnerabilities are new, the company says. In fact, it says it has reported on the problems in the past. However, the attack vectors themselves appear to be new, and the fact that they are employing stealthy techniques, such as using packers and rootkits to conceal their malware, make the attacks noteworthy, the company says.

On Hadoop, attackers begin their work by sending an unauthenticated request to deploy a new application, followed by a POST request to execute arbitrary code, the company says. The payload is a binary called “dca,” which further downloads two other binaries for rootkits as well as a cryptominer called Monero, Aqua Nautilus says.

The attack employs sophisticated defense evasion techniques, such as the use of “packed ELF binaries and rootkits that are undetected by regular security solutions,” the security researchers say. “The malware deletes contents of specific directories and modifies system configurations to evade detection.” There is also a persistence mechanism that utilizes cron jobs to download and execute a script that deploys the “dca” binary, the company says. .

The bad guys employing this technique utilize specific IP addresses and domains, Aqua Nautilus says, which can help victims tell if they’ve been hacked. Agent-based security tools designed to detect suspicious and malicious behavior can also be used to detect “cryptominers, rootkits, obfuscated or packed binaries, as well as container drift,” the security company says, adding that customers who deployed its CNAPP agent-based runtime solution are protected from these kinds of attacks.

Apache Hadoop is a distributed framework used for storing and analyzing large data sets. While the peak of Hadoop popularity has passed, there are likely thousands of Hadoop clusters still running and providing value to organizations. Apache Flink, meanwhile, is a distributed framework for building streaming applications. Adoptino of the Flink framework is still growing.

For more technical details about the Hadoop and Flink exploits, check out this blog post on the Aqua Nautilus website.

Related Items:

Buckle Up: It’s Time for 2024 Security Predictions

From WormGPT to DarkBERT, GenAI Boosting Cybercriminal Capabilities

Is Hadoop Officially Dead?

Datanami