Security Hadoop coop thrown for loop by malware snoop n' scoop troop? Oh poop

One nasty in particular that’s thrown at Hadoop installations is the Xbash botnet malware, a Swiss Army knife of cyber-woe. Bots scan blocks of IP addresses for open ports on services like Redis (along with the likes of MySQL, Oracle Database, and Elastic Search) in search of servers to pwn.

If Xbash hits a vulnerable server, and can infect it, it first wipes the host’s databases and then tries to collect a ransom payout by pretending the wiped data is only encrypted.

“Once the malware is successfully able to log into the database services (MYSQL, PostgreSQL, MongoDB, or phpMyAdmin) it deletes the existing databases stored on the server and creates a database with a ransom note specifying the amount and the bitcoin wallet,” Team Securonix said.

For what it’s worth, Xbash exploits a trio of vulnerabilities in Hadoop, Redis, and ActiveMQ to get into a system:

Unauthenticated command execution in Hadoop YARN ResourceManager
Arbitrary file write and remote command execution in Redis
Arbitrary file write and execution in ActiveMQ

Another infection spotted in the wild was the more basic Moanacroner malware, a modified version of the Sustes nasty that runs silently on the host server to mine Monero for the attacker.

In both cases, the Securonix researchers say that admins can reduce the chance of infection by keeping up on patches (the observed attacks all targeted known and patched vulnerabilities) and reducing the attack service by limiting what Hadoop services can be accessed remotely and, if possible, running services in protected modes

Hadoop databases haven’t been getting much interest from hackers so far, compared to other data silos, but that’s changing, according to a new study.

Security shop Securonix, reports that its research team has seen a sharp rise in attacks targeting known vulnerabilities in Hadoop components such as Hadoop YARN, Redis, and ActiveMQ in recent months.

The team found that the cyber-assaults ranged from single forays to more complex attacks exploiting multiple known vulnerabilities for which patches exist.

What the attackers are looking to do in each case is get access to the database platform’s underlying Linux or Windows servers, which are then infected with malware. This software nasty typically generates cryptocurrency for the miscreants, injects a dose of ransomware, and/or raid the boxes for corporate secrets and personal data.

“In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access,” Securonix’s Oleg Kolesnikov and Harshvardhan Parashar said in their report.

“In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads.”

How to deliver real-world Cyber Resilience

Being prepared for a cybersecurity attack is not the same as being resilient to one. To protect our most valuable assets against an ever-growing number of threats, approaches to risk mitigation need to deliver an effective and appropriate response, not just a coping strategy — which means looking towards true cyber resilience. While cybersecurity practices seek to defend and protect against a potential attack, cyber resilience assumes a breach will happen and prepares strategies and procedures to focus on business continuity and fast recovery to minimise impact.

In this session, and based on real-world examples, we’ll take a practical look at how your organisation can become resilient-by-design – showing you how to deliver security from the ground up and across the software development lifecycle – to achieve optimum resilience to evolving threat vectors to your data, people and business. By attending this session, you’ll learn:

Why being ‘cyber secure’ may not be enough to keep your organization safe from the elevated threat surface.
How do you really prepare for a breach — when cyber security isn’t enough, how do you mitigate the risks?
A breach will happen, how can you prepare to manage its impact and truly become ‘cyber resilient’?

We’ll be speaking to security experts from Blackberry to help you understand the practical steps you can take. So, if you’re conscious of specific gaps in your security strategy or just have a discomfiting level of unease about what you could be doing better, tune in.

Close Menu