Tag Archive for: Apache

‘Lucifer’ Botnet Turns Up the Heat on Apache Hadoop Servers


A threat actor is targeting organizations running Apache Hadoop and Apache Druid big data technologies with a new version of the Lucifer botnet, a known malware tool that combines cryptojacking and distributed denial of service (DDoS) capabilities.

The campaign is a departure for the botnet, and an analysis this week from Aqua Nautilus suggests that its operators are testing new infection routines as a precursor to a broader campaign.

Lucifer is self-propagating malware that researchers at Palo Alto Networks first reported in May 2020. At the time, the company described the threat as dangerous hybrid malware that an attacker could use to launch DDoS attacks or to drop XMRig for mining Monero cryptocurrency. Palo Alto said it had also observed attackers using Lucifer to drop the leaked NSA exploits EternalBlue and EternalRomance and the DoublePulsar backdoor on target systems.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto had warned at the time.

Now it’s back and targeting Apache servers. Researchers from Aqua Nautilus, who have been monitoring the campaign, said in a blog this week that they had counted more than 3,000 unique attacks against their Apache Hadoop, Apache Druid, and Apache Flink honeypots in the last month alone.

Lucifer’s 3 Unique Attack Phases

The campaign has been ongoing for at least six months, during which time the attackers have been attempting to exploit known misconfigurations and vulnerabilities in the open source platforms to deliver their payload.

The campaign so far has consisted of three distinct phases, which the researchers said is likely an indication that the adversary is testing defense evasion techniques before a full-scale attack.

“The campaign began targeting our honeypots in July,” says Nitzan Yaakov, security data analyst at Aqua Nautilus. “During our investigation, we observed the attacker updating techniques and methods to achieve the main goal of the attack — mining cryptocurrency.”

During the first stage of the new campaign, Aqua researchers observed the attackers scanning the Internet for…

Source…

Zerobot botnet can now hack into Apache, Apache Spark servers


Botnet malware activity is a constantly evolving threat to devices and networks. Because Internet of Things (IoT) devices are often deployed with configurations that leave them open to attack, threat actors target them to enlist them in malicious activity, and the number of internet-connected devices keeps growing. Recent trends show operators redeploying malware for a range of targets and goals, modifying existing botnets to expand their operations, and adding as many devices as possible to their infrastructure.

Zerobot is an example of such a continually adapting threat: a Go-based botnet that spreads mainly through vulnerabilities in IoT devices and web applications, and whose operators keep adding new exploits and capabilities. The Microsoft Defender for IoT research team has been monitoring Zerobot, which its operators also call ZeroStresser, for many months. Since Microsoft began tracking it, Zerobot has gone through several iterations and has been offered as part of a malware-as-a-service program. In December 2022 the Federal Bureau of Investigation (FBI) seized multiple domains associated with DDoS-for-hire services, including one linked to Zerobot.

Microsoft has previously commented on this shifting threat landscape. The cyber economy’s move toward malware as a service has industrialized attacks, making it easier for attackers to buy and deploy malware, establish and maintain access to compromised networks, and use ready-made tools to carry out their attacks, which has increased the number of successful intrusions. Microsoft has also been watching advertisements for the Zerobot botnet on several social media networks, along with other notices about the malware’s sale and maintenance and additional capabilities under development.

The Zerobot botnet, first observed earlier this month, is targeting Apache systems in an effort to broaden the range of Internet of…

Source…

Identifying and Remediating the Critical Apache Log4j Cybersecurity Vulnerability | Polsinelli


On December 9, 2021, a critical zero-day vulnerability in the Apache Log4j logging library (Log4Shell, CVE-2021-44228), which could give threat actors access to millions of computers worldwide, was publicly disclosed. Because of the critical nature of this vulnerability and the risk it poses to our clients, Polsinelli has partnered with Tracepoint to develop an overview of the issue and a set of steps your organization can take to determine whether it is vulnerable and to patch the vulnerability if it is.

Please see the full publication below for more information.

Source…

New Pro-Ocean malware worms through Apache, Oracle, Redis servers


The financially-motivated Rocke hackers are using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable instances of Apache ActiveMQ, Oracle WebLogic, and Redis.

The new malware is a step up from the group’s previous tooling in that it has self-spreading capabilities, blindly throwing exploits at any machine it discovers.

Hiding malicious activity

The Rocke cryptojacking group has not changed its habit of attacking cloud applications, leveraging known vulnerabilities to take control of unpatched Oracle WebLogic (CVE-2017-10271) and Apache ActiveMQ (CVE-2016-3088) servers. Unsecured Redis instances are also on the list.

Researchers at Palo Alto Networks analyzing the malware say it includes “new and improved rootkit and worm capabilities” that allow it to hide malicious activity and spread to unpatched software on the network.

To stay under the radar, Pro-Ocean uses LD_PRELOAD, a native feature of the Linux dynamic linker that loads the named shared libraries before all others, so that their functions take precedence over the real libc ones. The method is not new and is routinely seen in other malware.

The new part is that the developers took the rootkit capabilities further by implementing publicly available code that helps conceal malicious activity.

One example is the hook on the ‘open’ function of the ‘libc’ library, which opens a file and returns its descriptor. The researchers found that the malicious replacement checks whether the file should be hidden before calling the real ‘open.’

source: Palo Alto Networks

“If it determines that the file needs to be hidden, the malicious function will return a “No such file or directory” error, as if the file in question does not exist” – Palo Alto Networks
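The following is an added example, not code from Palo Alto Networks or from Pro-Ocean, showing the inconsistency a hook of this kind leaves behind and a check an incident responder can run. A preloaded ‘open’ that returns “No such file or directory” for hidden names does not change what readdir() and lstat() report, so a file that is listed and stat-able but “does not exist” when opened is a signature of the hook. The `opener` parameter lets a test inject a simulated hook; the HIDDEN_MARKER name fragment, the sample file names, the constructed /etc/ld.so.preload text and the list of trusted library directories are all assumptions made for this example.

```python
"""Added example (not Palo Alto's or Pro-Ocean's code): spotting an LD_PRELOAD
open()-hook that hides files, plus a first-pass audit of preload entries."""
import errno
import os
import stat
import tempfile

# Assumed name fragment used by the simulated hook below; the real rootkit
# carries its own list of names to hide.
HIDDEN_MARKER = ".pro-ocean"

# Assumed "normal" homes for preloaded libraries; anything elsewhere is worth a look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def find_inconsistent_entries(directory, opener=os.open):
    """Return names that readdir()/lstat() report but opener() rejects with ENOENT.

    On a clean system this list is empty (barring a file deleted mid-scan).
    A hooked open() that lies about hidden files produces exactly this mismatch.
    """
    suspicious = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # really gone (race), not a hook
        if not stat.S_ISREG(st.st_mode):
            continue  # keep the probe to regular files
        try:
            fd = opener(path, os.O_RDONLY)
        except OSError as exc:
            if exc.errno == errno.ENOENT:
                suspicious.append(name)  # listed, stat-able, yet "does not exist"
            continue  # EACCES and friends are normal and not interesting here
        os.close(fd)
    return sorted(suspicious)


def simulated_hooked_open(path, flags, mode=0o777):
    """Stand-in for a preloaded open(): ENOENT for marked names, real open otherwise."""
    if HIDDEN_MARKER in os.path.basename(path):
        raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)
    return os.open(path, flags, mode)


def suspicious_preload_entries(preload_text):
    """Entries from /etc/ld.so.preload (or an LD_PRELOAD value, ':'-separated)
    that live outside the trusted library directories."""
    entries = preload_text.replace(":", "\n").split()
    return [e for e in entries if not e.startswith(TRUSTED_LIB_DIRS)]


def demo():
    """Build a scratch directory with constructed files and run the probe twice:
    once through the real open() and once through the simulated hook."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("notes.txt", ".pro-ocean.lock", "config.json"):
            with open(os.path.join(d, n), "w") as f:
                f.write("x")
        clean = find_inconsistent_entries(d)
        hooked = find_inconsistent_entries(d, opener=simulated_hooked_open)
    return clean, hooked


if __name__ == "__main__":
    print("clean / hooked:", demo())
    sample_preload = "/usr/lib/x86_64-linux-gnu/libc.so.6\n/tmp/.X11-unix/libprocesshider.so\n"
    print("suspicious preload entries:", suspicious_preload_entries(sample_preload))
```

On a live host, run the probe over directories the malware is known to use and read /etc/ld.so.preload with a static binary or from a rescue image, since a hooked libc can also lie about the preload file itself; the probe above only detects a hook that is inconsistent across syscalls, not one that hooks every path uniformly.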

Crude self-spreading mechanism

The actors behind Pro-Ocean have also moved from manually exploiting victims to a crude automated process: a Python script obtains the infected machine’s public IP address from the ident.me service and then tries to infect every host in the same /16 network.

There is no target selection in the process; the attackers simply throw public exploits at every discovered host, hoping that one of them sticks.
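The following is an added example, not Palo Alto Networks’ or Pro-Ocean’s code, of the detection a defender would want for the sweep described above: one source hitting many distinct hosts of a single /16 on the service ports the exploits target inside a short window. The log format (‘epoch src dst dst_port’), the sample lines, the port list (ActiveMQ 8161, WebLogic 7001, Redis 6379 are assumed to be the default ports involved) and the thresholds are all constructed for this example.

```python
"""Added example (not Palo Alto's or Pro-Ocean's code): flag unselective /16
sweeps against exploit-target ports in connection logs."""
from collections import defaultdict
import ipaddress

# Assumed default ports for the services Pro-Ocean's exploits go after.
TARGET_PORTS = {8161, 7001, 6379}


def parse_line(line):
    """Constructed format: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def detect_subnet_sweeps(lines, window_s=300, min_hosts=20):
    """Return (src, /16, distinct_hosts, src_inside_that_/16) for every source that
    contacted at least `min_hosts` distinct destinations in one /16 within one
    `window_s` bucket, on a target port. The last field marks the Pro-Ocean
    pattern of a host scanning its own /16."""
    seen = defaultdict(set)  # (src, net16, bucket) -> {dst hosts}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port not in TARGET_PORTS:
            continue
        net16 = ipaddress.ip_network(f"{dst}/16", strict=False)
        seen[(src, net16, ts // window_s)].add(dst)

    hits = {}
    for (src, net16, _bucket), hosts in seen.items():
        if len(hosts) >= min_hosts:
            key = (str(src), str(net16))
            hits[key] = max(hits.get(key, 0), len(hosts))
    return sorted(
        (src, net, count, ipaddress.ip_address(src) in ipaddress.ip_network(net))
        for (src, net), count in hits.items()
    )


# Constructed sample: one infected host (203.0.113.7) sweeping Redis across its own
# /16, a second host probing only five WebLogic ports, and some ordinary traffic.
SAMPLE_LOG = (
    [f"{1700000000 + i} 203.0.113.7 203.0.113.{i + 1} 6379" for i in range(30)]
    + [f"{1700000050 + i} 198.51.100.9 203.0.113.{i + 1} 7001" for i in range(5)]
    + ["1700000100 198.51.100.9 203.0.113.20 443",
       "1700000101 192.0.2.4 203.0.113.21 22"]
)


if __name__ == "__main__":
    for src, net, count, own_net in detect_subnet_sweeps(SAMPLE_LOG):
        print(f"{src} swept {count} hosts in {net} ({'own /16' if own_net else 'remote /16'})")
```

The thresholds are deliberately loose; a real sweep of a /16 touches tens of thousands of addresses in minutes, so raising min_hosts well above 20 trades little recall for far fewer false positives from legitimate scanners and monitoring systems.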

source: Palo Alto Networks

If there is successful exploitation,…

Source…