Cloud-y Linux Malware Rains on Apache, Docker, Redis & Confluence

Researchers have spotted a concerted cyber compromise campaign targeting cloud servers running vulnerable instances of Apache Hadoop, Atlassian Confluence, Docker, and Redis. The attackers are dropping a cryptomining tool, but also installing a Linux-based reverse shell that would allow potential future targeting and malware infestations.

According to an analysis from Cado Security, in most cases the adversary is hunting for common cloud misconfigurations to exploit. But, it has also been using an older remote code execution (RCE) vulnerability in Confluence server (CVE-2022-26134) in its ongoing campaign.

The researchers also said the attackers' tactics overlap with TeamTNT and WatchDog, two threat groups known for targeting cloud and container environments.

"The attacks are relatively hard-coded and automated, so they look for known vulnerabilities in Confluence and other platforms and well-known misconfigurations in platforms like Redis and Docker," says Chris Doman, co-founder and CTO at Cado Security.

Identifying these vulnerable instances is often simple, based on scanning as a first step and attacking identified vulnerable instances as a second step. "Avoiding these issues is often about fixing the low-hanging fruit — making sure systems are patched or at least not Internet accessible."

'Spinning' YARN Cyberattacks Target Cloud Servers

Cado Security researchers have dubbed the campaign Spinning YARN, after Apache Hadoop's "Yet Another Resource Negotiator" cluster resource management layer. They discovered it when investigating a flurry of initial access activity on one of Cado's Docker honeypots. Their analysis led to the discovery of four previously unknown Golang binaries that the threat actor is using to automate the discovery and compromise of servers running the four cloud platforms.

Cado researchers also found the threat actor deploying multiple other unique payloads, including Platypus (an open source reverse shell utility for maintaining persistence), and two user-mode rootkits for obfuscating malicious processes.

"Once initial access is achieved, a series of shell scripts and general Linux attack techniques are used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to the compromised hosts," the firm said in a blog post this week. 

The ongoing campaign is the latest manifestation of the time and effort that threat actors appear to be putting into understanding vulnerabilities in Web-facing services in cloud environments, and figuring out ways to exploit them for initial access, the security vendor said. Just since the beginning of 2024, Cado's researchers have observed a total of three campaigns — including the latest one — in which a threat actor has exploited Docker for initial access to an organization's broader cloud environment, the company noted.

Many of these attacks have involved attempts to deploy cryptominers. Earlier this year, researchers from Aqua Nautilus reported on a threat actor exploiting two known misconfigurations in Hadoop YARN and Flink to drop a miner for Monero cryptocurrency. That campaign, like the one that Cado reported this week, involved the use of rootkits, system configuration modifications, packed ELF binaries, and other methods to evade detection. Last year, Aqua researchers uncovered another campaign where a threat actor infected over 1,200 Redis servers with a cryptominer via an almost undetectable malware tool they dubbed "HeadCrab."

In the Cloud With a Multistage Attack Chain

In the attack on Cado's Docker honeypot, the threat actors issued a Docker command from a US-based IP address that spawned a new container with a configuration that allowed the container to access and interact with files and directories on the underlying host system. It's a method that adversaries commonly use in Docker attacks because it allows them to write files to the host system, or to essentially conduct an RCE attack, Cado said.

In this particular instance, the attackers deployed the tactic to write a shell script function that established contact with a remote command and control (C2) server, and then retrieved a first stage payload from it. 

The function of the first stage payload is to define the C2 for additional payloads and check for the presence of chattr, a Linux tool for modifying file and directory attributes. If the tool is present, the initial payload renames it. If it is not, the malware installs chattr on the compromised system and then renames it, Cado said. That primary or first-stage payload then retrieves the next payload after first verifying if the current user of the system has admin access.

The second-stage payload's functions include softening the system for additional compromise by, among other things, running commands for disabling firewalls and IP filter rules, deleting shell history, disabling access control functions, and removing any restrictions on outbound DNS requests.

The second stage shell script also takes various anti-forensic measures such as installing two user mode rootkits for hiding malicious activities, and ensuring that malicious commands do not show up in the history file. It also downloads Platypus for persistent access and the XMRig cyptominer for Monero.

The attack chain also includes shell scripts to search for and delete Docker images from Ubuntu or Alpine repositories, and for downloading and persisting multiple other binary payloads on compromised systems.