
Hadoop coop thrown for loop by malware snoop n' scoop troop? Oh poop

Attacks on distributed frameworks on the rise, it is claimed by infosec biz

Hadoop databases haven't been getting much interest from hackers so far, compared to other data silos, but that's changing, according to a new study.

Security shop Securonix reports that its research team has seen a sharp rise in attacks targeting known vulnerabilities in Hadoop components such as Hadoop YARN, Redis, and ActiveMQ in recent months.

The team found that the cyber-assaults ranged from single forays to more complex attacks exploiting multiple known vulnerabilities for which patches exist.

What the attackers are looking to do in each case is get access to the database platform's underlying Linux or Windows servers, which are then infected with malware. This software nasty typically generates cryptocurrency for the miscreants, injects a dose of ransomware, and/or raids the boxes for corporate secrets and personal data.

"In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access," Securonix's Oleg Kolesnikov and Harshvardhan Parashar said in their report.

"In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads."


One nasty in particular that's thrown at Hadoop installations is the Xbash botnet malware, a Swiss Army knife of cyber-woe. Bots scan blocks of IP addresses for open ports on services like Redis (along with the likes of MySQL, Oracle Database, and Elastic Search) in search of servers to pwn.

If Xbash hits a vulnerable server, and can infect it, it first wipes the host's databases and then tries to collect a ransom payout by pretending the wiped data is only encrypted.

"Once the malware is successfully able to log into the database services (MySQL, PostgreSQL, MongoDB, or phpMyAdmin) it deletes the existing databases stored on the server and creates a database with a ransom note specifying the amount and the bitcoin wallet," Team Securonix said.

For what it's worth, Xbash exploits a trio of vulnerabilities in Hadoop, Redis, and ActiveMQ to get into a system:

Another infection spotted in the wild was the more basic Moanacroner malware, a modified version of the Sustes nasty that runs silently on the host server to mine Monero for the attacker.

In both cases, the Securonix researchers say that admins can reduce the chance of infection by keeping up with patches (the observed attacks all targeted known and patched vulnerabilities) and reducing the attack surface by limiting which Hadoop services can be accessed remotely and, if possible, running services in protected modes. ®
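The "limit what can be reached remotely" advice above is easiest to act on if you can see which data services are bound to every interface rather than to loopback. The following is an added example, not code from Securonix or from the article: it parses constructed `ss -ltn` style output and flags default ports for the services named in the story (Hadoop YARN, Redis, ActiveMQ, MySQL, PostgreSQL, MongoDB, Elasticsearch) that are listening on a non-loopback address. The port-to-service table uses the well-known default ports; the sample socket listing is made up for the demonstration.

```python
"""
Audit listening sockets for data-service ports exposed on all interfaces.

Added example (not from the Securonix report or The Register article). It
feeds constructed `ss -ltn` style output through a small parser and flags
Hadoop / Redis / ActiveMQ / database ports bound to 0.0.0.0, [::] or *
instead of a loopback address.
"""
import re

# Well-known default ports for the services the article names. The labels
# are only used in the findings; nothing here connects to a network.
DATA_SERVICE_PORTS = {
    8088: "Hadoop YARN ResourceManager web UI",
    8032: "Hadoop YARN ResourceManager RPC",
    6379: "Redis",
    8161: "ActiveMQ web console",
    61616: "ActiveMQ OpenWire",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
    9200: "Elasticsearch HTTP",
}

# Addresses that are reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1"}

# Matches the "Local Address:Port" column: 0.0.0.0:6379, 127.0.0.1:3306,
# [::]:8088 or *:8161. The address part is captured without its brackets later.
_LOCAL_RE = re.compile(r"^(\[?[0-9a-fA-F:.*]+\]?):(\d+)$")

# Constructed sample output in the column layout of `ss -ltn`:
# State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*
LISTEN 0      50     [::]:8088           [::]:*
LISTEN 0      128    *:8161              *:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""


def parse_ss_line(line):
    """Return (address, port) for one LISTEN row of `ss -ltn`, or None for
    the header line or anything that does not look like a socket row."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None
    match = _LOCAL_RE.match(parts[3])
    if not match:
        return None
    address, port = match.group(1), int(match.group(2))
    return address.strip("[]"), port


def find_exposed_services(ss_output):
    """Return a list of findings for known data-service ports that are
    listening on a non-loopback address (0.0.0.0, ::, or *)."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        address, port = parsed
        if port in DATA_SERVICE_PORTS and address not in LOOPBACK:
            findings.append({
                "port": port,
                "address": address,
                "service": DATA_SERVICE_PORTS[port],
            })
    return findings


if __name__ == "__main__":
    # On a real host you would pipe in `ss -ltn` output instead of the sample.
    for finding in find_exposed_services(SAMPLE_SS_OUTPUT):
        print("exposed: {service} on {address}:{port}".format(**finding))
```

Running the script against the constructed sample reports Redis, the YARN web UI and the ActiveMQ console as exposed, while MySQL on 127.0.0.1 and SSH on port 22 are left alone. Anything it flags is a candidate for binding to loopback, fronting with a firewall rule, or enabling the service's own authentication, which is the concrete form of the "protected modes" advice.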
