Security analysts have uncovered a highly targeted attack centering around Apache Hadoop, a widely-used open-source distributed storage and processing framework. The assailants leverage a known misconfiguration in Hadoop’s YARN ResourceManager, enabling the creation and execution of applications without proper authentication. The attack follows a distinct pattern, involving an unauthenticated request to initiate a new application and a subsequent POST request for executing arbitrary code.
At the core of the assault is the deployment of a malware variant identified as ‘dca,’ housing a Monero cryptominer. Employing sophisticated evasion techniques such as packed ELF binaries and rootkits, this malware poses a significant challenge to traditional security solutions. To fortify defenses against such threats, experts recommend implementing agent-based runtime solutions capable of detecting malicious behaviors associated with cryptominers, rootkits, and obfuscated binaries. Organizations leveraging Aqua’s CNAPP agent-based runtime solution are reported to be effectively safeguarded from these specific types of attacks.