Threat Advisory

Lucifer DDoS Botnet Malware Is Targeting the Apache Big-Data Stack

Threat: Malware
Criticality: High

Summary:

A campaign targeting the Apache big-data stack, specifically Apache Hadoop and Apache Druid, has been observed. The attacker, who has not been definitively attributed, exploits known vulnerabilities and misconfigurations in these systems to run code on the affected hosts. Analysis shows that the attacker deploys a variant of the Lucifer malware, turning vulnerable Linux systems into Monero cryptomining bots. Organizations running Apache big-data solutions should treat this as requiring immediate attention and proactive mitigation.

The campaign unfolds in three distinct phases, each marked by a change in tactics and techniques. The first phase targets Apache Hadoop YARN: the attacker abuses a misconfiguration to obtain remote code execution (RCE) on vulnerable instances and uses it to download and run the Lucifer malware. Later phases pivot to the Apache Druid vulnerability CVE-2021-25646, widening the campaign's scope. Lucifer itself has several capabilities, including DDoS botnet functionality and Monero cryptomining. Throughout the campaign the attacker applies defense-evasion techniques, such as deleting the dropped binaries and truncating log files, to hide their presence and reduce the chance of detection. The attacker's use of English in communications, despite being of Chinese origin, further complicates attribution.
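Because the YARN phase starts with application submissions that the cluster itself records, the ResourceManager log is a good place to look for it. The classic YARN misconfiguration is a ResourceManager REST API reachable without authentication, and this example assumes that is the path in use: with `hadoop.http.authentication.type=simple`, anonymous REST requests are attributed to `hadoop.http.staticuser.user`, which defaults to `dr.who`, so jobs "owned" by `dr.who` are a strong indicator. The following Python is an added example written for this advisory, not code from the original page or from the researchers who analysed the campaign; the log lines are constructed, and the exact field layout of the `ApplicationSummary` record is an assumption you should adjust to your Hadoop version.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the YARN ResourceManager's per-application
# summary logging (RMAppManager$ApplicationSummary). The field layout is an
# assumption for this example; adapt SUMMARY_RE to the format your version emits.
SAMPLE_RM_LOG = """\
2024-02-20 10:01:02,114 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager$ApplicationSummary: appId=application_1708410000000_0001,name=daily-etl,user=etl,queue=default,state=FINISHED,finalStatus=SUCCEEDED,startTime=1708423262000,finishTime=1708423300000
2024-02-20 10:02:45,301 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager$ApplicationSummary: appId=application_1708410000000_0002,name=hello,user=dr.who,queue=default,state=FINISHED,finalStatus=FAILED,startTime=1708423365000,finishTime=1708423366000
2024-02-20 10:03:10,020 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager$ApplicationSummary: appId=application_1708410000000_0003,name=N/A,user=dr.who,queue=default,state=FINISHED,finalStatus=FAILED,startTime=1708423390000,finishTime=1708423391000
2024-02-20 10:15:00,000 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager$ApplicationSummary: appId=application_1708410000000_0004,name=daily-etl,user=etl,queue=default,state=FINISHED,finalStatus=SUCCEEDED,startTime=1708424100000,finishTime=1708424500000
"""

SUMMARY_RE = re.compile(r"ApplicationSummary: (?P<fields>appId=.*)$")


@dataclass
class AppSummary:
    app_id: str
    name: str
    user: str
    start_ms: int
    finish_ms: int

    @property
    def runtime_ms(self) -> int:
        return self.finish_ms - self.start_ms


def parse_summaries(log_text: str) -> list:
    """Extract one AppSummary per ApplicationSummary record; other lines are ignored."""
    apps = []
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if not m:
            continue
        kv = dict(part.split("=", 1) for part in m.group("fields").split(","))
        apps.append(AppSummary(kv["appId"], kv.get("name", ""), kv.get("user", ""),
                               int(kv["startTime"]), int(kv["finishTime"])))
    return apps


def unauthenticated_submissions(apps, static_user: str = "dr.who") -> list:
    """Applications owned by the HTTP static user. Under 'simple' HTTP authentication,
    REST submissions that carry no user identity are attributed to
    hadoop.http.staticuser.user (default dr.who), so real users never appear this way."""
    return [a for a in apps if a.user == static_user]


def short_lived_bursts(apps, window_ms: int = 60_000, max_runtime_ms: int = 5_000,
                       min_count: int = 2) -> list:
    """App IDs of runs of at least min_count applications by one user that each lived
    at most max_runtime_ms and started within window_ms of each other: the shape of
    'download and execute a payload' jobs rather than genuine batch work."""
    flagged = set()
    by_user = {}
    for a in apps:
        if a.runtime_ms <= max_runtime_ms:
            by_user.setdefault(a.user, []).append(a)
    for user_apps in by_user.values():
        user_apps.sort(key=lambda a: a.start_ms)
        for i, first in enumerate(user_apps):
            cluster = [b for b in user_apps[i:] if b.start_ms - first.start_ms <= window_ms]
            if len(cluster) >= min_count:
                flagged.update(b.app_id for b in cluster)
    return sorted(flagged)


if __name__ == "__main__":
    apps = parse_summaries(SAMPLE_RM_LOG)
    for a in unauthenticated_submissions(apps):
        print(f"ALERT static-user submission: {a.app_id} name={a.name!r}")
    for app_id in short_lived_bursts(apps):
        print(f"ALERT short-lived burst: {app_id}")
```

On a real cluster, point `parse_summaries` at the ResourceManager log (or the YARN timeline/history data) and tune the burst thresholds to your workload; the static-user check alone is enough to page on if your cluster is supposed to require authentication, because legitimate jobs are never owned by `dr.who`.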

The Lucifer campaign underscores the importance of robust security controls in environments running Apache big-data solutions. Organizations should promptly fix misconfigurations and patch vulnerabilities in Apache Hadoop and Apache Druid to remove the entry points this campaign relies on. In addition, comprehensive threat detection and response for cloud workloads, such as vulnerability scanning with Aqua Trivy and runtime protection, is essential against evolving threats.
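A concrete way to act on the mitigation advice is to audit the configuration files of both products for the weak settings the campaign depends on. The Python below is an added example for this advisory, not code from the original page or from the Apache projects. It checks Hadoop's XML configuration for `simple` (unauthenticated) RPC and HTTP authentication, disabled YARN ACLs and a ResourceManager web endpoint bound to all interfaces, and checks a Druid `runtime.properties` plus the running version for server-side JavaScript, a missing authenticator chain, and a release older than 0.20.1 (the release that fixes CVE-2021-25646). The property names are real Hadoop and Druid settings; the sample weak and hardened configurations are constructed, and for brevity core-site and yarn-site properties are shown in one XML document.

```python
import re
import xml.etree.ElementTree as ET

# Hadoop/YARN settings to check. The "default" is what Hadoop uses when the property
# is absent, so a missing property is evaluated as the (weak) default.
HADOOP_CHECKS = [
    ("hadoop.security.authentication", "simple", lambda v: v.lower() == "kerberos",
     "RPC authentication is 'simple' (any caller can claim any user); set to kerberos"),
    ("hadoop.http.authentication.type", "simple", lambda v: v.lower() == "kerberos",
     "HTTP authentication is 'simple'; the ResourceManager REST API accepts anonymous submissions"),
    ("yarn.acl.enable", "false", lambda v: v.lower() == "true",
     "YARN ACLs disabled; enable them and restrict queue submit ACLs"),
    ("yarn.resourcemanager.webapp.address", "", lambda v: not v.startswith("0.0.0.0"),
     "ResourceManager web/REST port bound to all interfaces; bind internally and firewall 8088"),
]

DRUID_FIXED = (0, 20, 1)  # CVE-2021-25646 is fixed in Apache Druid 0.20.1


def parse_hadoop_xml(xml_text: str) -> dict:
    """Flatten <configuration><property><name/><value/></property>... into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_hadoop(xml_text: str) -> list:
    props = parse_hadoop_xml(xml_text)
    return [f"{name}={props.get(name, default)!r}: {msg}"
            for name, default, ok, msg in HADOOP_CHECKS
            if not ok(props.get(name, default))]


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for Druid runtime.properties (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def version_tuple(version: str) -> tuple:
    """'0.20.1', '0.20.1-incubating' and '25.0.0' -> comparable integer tuples."""
    m = re.match(r"\d+(\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def audit_druid(props_text: str, version: str) -> list:
    props = parse_properties(props_text)
    findings = []
    # The CVE is fixed by upgrading; the JavaScript flag is defence in depth, not a fix.
    if version_tuple(version) < DRUID_FIXED:
        findings.append(f"Druid {version} is older than 0.20.1 and affected by CVE-2021-25646; upgrade")
    if props.get("druid.javascript.enabled", "false").lower() == "true":
        findings.append("druid.javascript.enabled=true: server-side JavaScript is on; set to false")
    if not props.get("druid.auth.authenticatorChain"):
        findings.append("no druid.auth.authenticatorChain: the Druid API accepts anonymous requests")
    return findings


# Constructed sample configurations: the weak settings beside their corrected form.
WEAK_HADOOP = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>"""
HARDENED_HADOOP = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>rm.internal:8088</value></property>
</configuration>"""
WEAK_DRUID = "druid.javascript.enabled=true\ndruid.host=0.0.0.0\n"
HARDENED_DRUID = ('druid.javascript.enabled=false\n'
                  'druid.auth.authenticatorChain=["basic"]\n'
                  'druid.auth.authorizers=["basic"]\n')

if __name__ == "__main__":
    for label, findings in (("weak hadoop", audit_hadoop(WEAK_HADOOP)),
                            ("hardened hadoop", audit_hadoop(HARDENED_HADOOP)),
                            ("weak druid 0.20.0", audit_druid(WEAK_DRUID, "0.20.0")),
                            ("hardened druid 0.20.1", audit_druid(HARDENED_DRUID, "0.20.1"))):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run `audit_hadoop` over the merged content of `core-site.xml` and `yarn-site.xml` and `audit_druid` over each node's `runtime.properties`; an empty `<configuration/>` still yields findings because Hadoop's defaults are the weak values, which is exactly why a freshly installed, internet-reachable cluster is a target.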

Threat Profile:

 

References:

The following reports contain further technical details:

https://www.darkreading.com/cloud-security/lucifer-botnet-heat-apache-hadoop-servers
