Hadoop clusters haven’t been getting much attention from hackers so far, compared to other data silos, but that’s changing, according to a new study.
Security shop Securonix reports that its research team has seen a sharp rise in recent months in attacks targeting known vulnerabilities in Hadoop YARN and in services commonly deployed alongside it, such as Redis and ActiveMQ.
The team found that the cyber-assaults ranged from single forays to more complex attacks exploiting multiple known vulnerabilities for which patches exist.
What the attackers are looking to do in each case is get access to the Linux or Windows servers underneath the data platform, which are then infected with malware. This software nasty typically generates cryptocurrency for the miscreants, injects a dose of ransomware, and/or raids the boxes for corporate secrets and personal data.
“In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access,” Securonix’s Oleg Kolesnikov and Harshvardhan Parashar said in their report.
“In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads.”
One nasty in particular that’s thrown at Hadoop installations is the Xbash botnet malware, a Swiss Army knife of cyber-woe. Bots scan blocks of IP addresses for open ports on services like Redis (along with the likes of MySQL, Oracle Database, and Elasticsearch) in search of servers to pwn.
If Xbash reaches a vulnerable server and manages to infect it, it first wipes the host’s databases and then tries to collect a ransom payout by pretending the wiped data has merely been encrypted.
“Once the malware is successfully able to log into the database services (MySQL, PostgreSQL, MongoDB, or phpMyAdmin) it deletes the existing databases stored on the server and creates a database with a ransom note specifying the amount and the bitcoin wallet,” Team Securonix said.
For what it’s worth, Xbash exploits a trio of vulnerabilities in Hadoop, Redis, and ActiveMQ to get into a system:
- Unauthenticated command execution in Hadoop YARN ResourceManager (in a default install its REST API accepts application submissions, launch command included, from anyone who can reach it)
- Arbitrary file write and remote command execution in Redis
- Arbitrary file write and execution in ActiveMQ
Another infection spotted in the wild was the simpler Moanacroner malware, a modified version of the Sustes nasty, which runs silently on the host server to mine Monero for the attacker.
In both cases, the Securonix researchers say that admins can reduce the chance of infection by keeping up with patches (every observed attack targeted a known vulnerability for which a patch exists), by reducing the attack surface through limiting which Hadoop services can be reached from outside the cluster, and, where possible, by running services in their protected modes (Redis’s protected-mode, for instance, refuses connections from other hosts unless a bind address or password has been configured).
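The three entry points listed above and the hardening advice that follows come down to a handful of settings an admin can check without touching the network. The script below is an added example written for this article, not code from Securonix or from the Hadoop, Redis or ActiveMQ projects: it parses redis.conf, core-site.xml and yarn-site.xml, and ActiveMQ’s jetty.xml, and reports the settings that leave each of the three entry points open. The directive and property names are the real ones; the sample configs embedded at the bottom are constructed for the demo, and the defaults it assumes when a property is absent (simple authentication, ACLs off, ResourceManager web address on 0.0.0.0:8088) are Hadoop’s stock defaults.

```python
"""Offline config audit for the three services the article says Xbash probes.
Added example for this article, not Securonix's or the article's own code.
Directive and property names are the real ones from redis.conf, core-site.xml,
yarn-site.xml and ActiveMQ's jetty.xml; the sample configs at the bottom are
constructed for the demo, and the wording of each finding is mine."""
import xml.etree.ElementTree as ET


def parse_redis_conf(text):
    """redis.conf is one 'directive arg ...' per line; keep every occurrence,
    since rename-command legitimately appears more than once."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, *args = line.split()
            conf.setdefault(key.lower(), []).append(args)
    return conf


def audit_redis(text):
    """A network-reachable, unauthenticated Redis lets any client run CONFIG SET
    dir/dbfilename then SAVE: the arbitrary file write the article lists."""
    conf = parse_redis_conf(text)
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("redis: listens on all interfaces (set 'bind 127.0.0.1')")
    if conf.get("protected-mode", [["yes"]])[-1][0].lower() != "yes":
        findings.append("redis: protected-mode is off")
    if "requirepass" not in conf:
        findings.append("redis: no requirepass, every client is an admin")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append('redis: CONFIG reachable (add rename-command CONFIG "")')
    return findings


def parse_hadoop_xml(text):
    """*-site.xml is a <configuration> of <property><name/><value/></property>."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_yarn(core_site_xml, yarn_site_xml):
    """The ResourceManager REST API accepts application submissions; with stock
    'simple' auth and ACLs off, anyone reaching it can run a launch command."""
    core = parse_hadoop_xml(core_site_xml)
    yarn = parse_hadoop_xml(yarn_site_xml)
    findings = []
    if core.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("yarn: hadoop.security.authentication is simple (RPC trusts any caller)")
    if core.get("hadoop.http.authentication.type", "simple") != "kerberos":
        findings.append("yarn: hadoop.http.authentication.type is simple (REST API open)")
    if yarn.get("yarn.acl.enable", "false").lower() != "true":
        findings.append("yarn: yarn.acl.enable is false (no submit-application ACLs)")
    addr = yarn.get("yarn.resourcemanager.webapp.address") or (
        yarn.get("yarn.resourcemanager.hostname", "0.0.0.0") + ":8088")
    if addr.startswith(("0.0.0.0", "[::]")):
        findings.append(f"yarn: ResourceManager web/REST bound to {addr} (all interfaces)")
    return findings


def audit_activemq_jetty(jetty_xml):
    """ActiveMQ's bundled 'fileserver' webapp is the arbitrary file write the
    article lists; the fix was to stop mounting it. Flag a jetty.xml that still
    does (the tag check tolerates the Spring beans namespace prefix)."""
    for el in ET.fromstring(jetty_xml).iter():
        if (el.tag.endswith("property") and el.get("name") == "contextPath"
                and el.get("value") == "/fileserver"):
            return ["activemq: /fileserver webapp still mounted in jetty.xml"]
    return []


# Constructed samples: the exposed state, then what the hardened files look like.
WEAK_REDIS = "protected-mode no\nport 6379\n"
HARDENED_REDIS = ("bind 127.0.0.1\nprotected-mode yes\n"
                  "requirepass replace-with-a-long-random-secret\n"
                  'rename-command CONFIG ""\n')
WEAK_CORE_SITE = WEAK_YARN_SITE = "<configuration/>"   # i.e. stock defaults
HARDENED_CORE_SITE = """<configuration>
 <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
 <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""
HARDENED_YARN_SITE = """<configuration>
 <property><name>yarn.acl.enable</name><value>true</value></property>
 <property><name>yarn.resourcemanager.webapp.address</name><value>10.0.0.5:8088</value></property>
</configuration>"""
WEAK_JETTY = """<beans xmlns="http://www.springframework.org/schema/beans">
 <bean class="org.eclipse.jetty.webapp.WebAppContext">
  <property name="contextPath" value="/fileserver"/></bean></beans>"""

if __name__ == "__main__":
    weak = (audit_redis(WEAK_REDIS) + audit_yarn(WEAK_CORE_SITE, WEAK_YARN_SITE)
            + audit_activemq_jetty(WEAK_JETTY))
    print("exposed host:", *weak, sep="\n  ")
    hardened = audit_redis(HARDENED_REDIS) + audit_yarn(HARDENED_CORE_SITE, HARDENED_YARN_SITE)
    print("hardened host:", *(hardened or ["clean"]), sep="\n  ")
```

Point the functions at the real files (`audit_redis(open("/etc/redis/redis.conf").read())`, the `*-site.xml` under `$HADOOP_CONF_DIR`, `conf/jetty.xml` in the ActiveMQ install) to check a live host. A clean result is not a substitute for the patches Securonix recommends: a vulnerable ActiveMQ or YARN bound to a private interface is still one pivot away from an attacker who lands anywhere on that network.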