'Lucifer' Botnet Turns Up the Heat on Apache Hadoop Servers
More than 3,000 unique attacks hitting Hadoop and Druid honeypots in just the past month indicate an attacker testing phase, portending fire and brimstone to come.
February 21, 2024
A threat actor is targeting organizations running Apache Hadoop and Apache Druid big data technologies with a new version of the Lucifer botnet, a known malware tool that combines cryptojacking and distributed denial of service (DDoS) capabilities.
The campaign is a departure for the botnet, and an analysis this week from Aqua Nautilus suggests that its operators are testing new infection routines as a precursor to a broader campaign.
Lucifer is self-propagating malware that researchers at Palo Alto Networks first reported in May 2020. At the time, the company described the threat as dangerous hybrid malware that an attacker could use to enable DDoS attacks, or for dropping XMRig for mining Monero cryptocurrency. Palo Alto said it had observed attackers also using Lucifer to drop the NSA's leaked EternalBlue, EternalRomance, and DoublePulsar malware and exploits on target systems.
"Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms," Palo Alto had warned at the time.
Now, it's back and targeting Apache servers. Researchers from Aqua Nautilus who have been monitoring the campaign said in a blog this week they had counted more than 3,000 unique attacks targeting the company's Apache Hadoop, Apache Druid, and Apache Flink honeypots in just the last month alone.
Lucifer's 3 Unique Attack Phases
The campaign has been ongoing for at least six months, during which time the attackers have been attempting to exploit known misconfigurations and vulnerabilities in the open source platforms to deliver their payload.
The campaign so far has been comprised of three distinct phases, which the researchers said is likely an indication that the adversary is testing defense evasion techniques before a full-scale attack.
"The campaign began targeting our honeypots in July," says Nitzan Yaakov, security data analyst at Aqua Nautilus. "During our investigation, we observed the attacker updating techniques and methods to achieve the main goal of the attack — mining cryptocurrency."
During the first stage of the new campaign, Aqua researchers observed the attackers scanning the Internet for misconfigured Hadoop instances. When they detected a misconfigured Hadoop YARN (Yet Another Resource Negotiator) cluster resource management and job scheduler technology on Aqua's honeypot, they targeted that instance for exploit activity. The misconfigured instance on Aqua's honeypot had to do with Hadoop YARN's resource manager and gave the attackers a way to execute arbitrary code on it via a specially crafted HTTP request.
The attackers exploited the misconfiguration to download Lucifer, execute it and store it to the Hadoop YARN instance's local directory. They then ensured the malware was executed on a scheduled basis to ensure persistence. Aqua also observed the attacker deleting the binary from the path where it was initially saved to try and evade detection.
In the second phase of attacks, the threat actors once again targeted misconfigurations in the Hadoop big-data stack to try and gain initial access. This time, however, instead of dropping a single binary, the attackers dropped two on the compromised system — one which executed Lucifer and the other which apparently did nothing.
In the third phase, the attacker switched tactics and, instead of targeting misconfigured Apache Hadoop instances, began looking for vulnerable Apache Druid hosts instead. Aqua's version of the Apache Druid service on its honeypot was unpatched against CVE-2021-25646, a command injection vulnerability in certain versions of the high-performance analytics database. The vulnerability gives authenticated attackers a way to execute user-defined JavaScript code on affected systems.
The attacker exploited the flaw to inject a command for downloading two binaries and enabling them with read, write, and execute permissions for all users, Aqua said. One of the binaries initiated the download of Lucifer, while the other executed the malware. In this phase, the attacker's decision to split the downloading and execution of Lucifer between two binary files appears to have been an attempt to bypass detection mechanisms, the security vendor noted.
How to Avoid a Hellish Cyberattack on Apache Big Data
Ahead of a potential coming wave of attacks against Apache instances, enterprises should review their footprints for common misconfigurations, and ensure all patching is up-to-date.
Beyond that, the researchers noted that "unknown threats can be identified by scanning your environments with runtime detection and response solutions, which can detect exceptional behavior and alert about it," and that "it is important to be cautious and aware of existing threats while using open-source libraries. Every library and code should be downloaded from a verified distributor."
About the Author
You May Also Like