Detecting Persistent Cloud Infrastructure/Hadoop/YARN Attacks Using Security Analytics

By Oleg Kolesnikov of the Securonix Threat Research Team

The Securonix Threat Research Team has been investigating and monitoring persistent attacks against exposed cloud and server infrastructure, and has observed an increase in automated attacks targeting exposed cloud infrastructure, Hadoop, and YARN instances.

Some of the attacks observed, for example Moanacroner (a variant of Sustes [11]), are fairly trivial, targeted single-vector/single-platform attacks focused mainly on cryptomining. Others are multi-vector/multi-platform threats that combine several capabilities, including cryptomining, ransomware, and botnet/worm components for both Linux and Windows, in the same malicious payload (for example, XBash).

The details and TTPs of these prevalent attacks should inform the processes and requirements you define to secure your cloud infrastructure, as well as your assessment of which resources could be affected.

To prevent or mitigate these attacks, we recommend the following:

  1. Continuously review which of your cloud infrastructure services are exposed to the internet, including Hadoop/YARN, Redis, and ActiveMQ, and restrict access wherever possible to reduce the attack surface. Also consider using a centralized patch management system.
  2. Run Redis with protected mode enabled.
  3. Enforce strong password policies for the services above, since some of the threats described, such as XBash, propagate by brute-forcing passwords.
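Recommendations 2 and 3 above can be checked mechanically against a redis.conf. The following audit script is an added example written for this page, not code from the Securonix report. It relies only on the real Redis directives protected-mode, bind and requirepass; the 16-character minimum password length and the two sample configuration files are assumptions constructed for the example.

```python
# Added example (not code from the Securonix report): audit a redis.conf for the
# three exposure settings the recommendations above call out. The directives
# protected-mode, bind and requirepass are real Redis directives; the 16-character
# minimum and the sample configs are assumptions constructed for this example.

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}
MIN_PASSWORD_LEN = 16  # assumed policy threshold, not a Redis requirement

WEAK_CONF = """\
# constructed sample: every interface, protection off, no password
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed sample: loopback only, protection on, long password
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass correct-horse-battery-staple-but-longer
"""


def parse_redis_conf(text):
    """Map each directive to its argument list.

    Only whole-line comments (leading '#') are dropped; Redis does not treat a
    mid-line '#' as a comment, so a password containing one stays intact.
    Later occurrences of a directive win, matching how Redis reads the file.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        conf[directive.lower()] = args
    return conf


def audit_redis_conf(text):
    """Return findings as strings; an empty list means all three checks pass."""
    conf = parse_redis_conf(text)
    findings = []

    # Redis 3.2+ defaults protected-mode to yes; only an explicit 'no' disables it.
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode is disabled")

    # No bind directive means Redis listens on all interfaces. A leading '-'
    # marks an optional address in Redis 7 syntax (e.g. '-::1'); strip it first.
    binds = [addr.lstrip("-") for addr in conf.get("bind", ["0.0.0.0"])]
    exposed = sorted(addr for addr in binds if addr in WILDCARD_BINDS)
    if exposed:
        findings.append("bind exposes all interfaces (%s)" % ", ".join(exposed))

    # requirepass is the pre-ACL password; deployments that rely on 'user' ACL
    # lines instead need a separate check, which this example does not attempt.
    password = (conf.get("requirepass") or [""])[0]
    if len(password) < MIN_PASSWORD_LEN:
        findings.append(
            "requirepass missing or shorter than %d characters" % MIN_PASSWORD_LEN
        )

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "OK")
```

Run it against a real redis.conf by passing the file contents to audit_redis_conf; an empty result means protected mode is on, no wildcard bind is present, and a password of the assumed minimum length is set. A file with no bind and no protected-mode line is still reported as exposed, because the absence of bind means all interfaces.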

For more information, see the report: “Securonix Threat Research: Detecting Persistent Cloud Infrastructure/Hadoop/YARN Attacks Using Security Analytics: Moanacroner, XBash, and Others”

Source: Securonix

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.
