For nearly a month, a new botnet has been slowly growing in the shadows, feasting on unsecured Apache Hadoop servers, and planting bots on vulnerable servers to be used for future DDoS attacks.
First spotted in honeypot data by a NewSky Security researcher while it was still in its infancy, the botnet has matured and expanded in the meantime.
While initially, the botnet consisted of a few command and control servers, in a threat alert sent out today by cyber-security firm Radware, the company says the botnet has now grown to number over 70 servers.
The role of these servers is to scan the internet for Hadoop installations that use a misconfigured YARN module.
YARN, which stands for Yet Another Resource Negotiator, is a core component of the Apache Hadoop data processing framework, often used in large enterprise networks or cloud computing environments.
Once the botnet finds a possible victim, the botnet, which Radware named DemonBot, attempts to take advantage of a YARN misconfiguration to install a “bot” process on the vulnerable Hadoop system.
Radware says DemonBot has grown tremendously in the past month, currently attempting over 1 million YARN exploits per day.
“Unfortunately, we have no count on actual bots [infected Hadoop servers],” Pascal Geenens, cybersecurity evangelist at Radware, told ZDNet in an interview. “Bots are not scanning and exploiting, so they do not generate noise [traffic] which we can detect and map out.”
But while the botnet’s total botnet count remains unknown, there’s also another major mystery that remains to be solved. Why does this botnet infect resource-rich servers like Hadoop with DDoS bots instead of deploying cryptocurrency-mining malware, which would, without a doubt, generate much more profits and far less legal problems than launching destructive and head-turning DDoS attacks.
All signs point to this botnet being the work of “skids,” a term used by cyber-security experts to describe malware authors who cobble botnets or malware strains using readily-available scripts, poor operational security, or without a long-term plan of what they want to achieve.
This is exactly what appears to have happened, according to NewSky Security’s Ankit Anubhav, who tweeted earlier this month that this botnet appears to have ties to creators of the Sora botnet, who were also responsible for creating multiple other botnets, such as Owari, Wicked, Omni, Anarchy, and others, all used for DDoS attacks as well.
As for how servers are getting infected, both Anubhav and Geenens have pointed the finger at the same issue –a misconfiguration in Hadoop’s YARN component that has been known for at least two years.
According to proof-of-concept code posted on ExploitDB and GitHub, attackers appear to access an internal YARN API that was left exposed to external connections. The exploit uses the API to deploy and run a custom YARN app inside a Hadoop server cluster –in DemonBot’s case, a DDoS-capable malware strain.
This exploit has been very popular in the past few months, being also used by the multi-functional Xbash malware over the summer.
“Some things are just not meant to be exposed on the internet,” Geenens told ZDNet.
It goes without saying that Hadoop server administrators should probably review YARN configs as soon as possible to make sure they’re not shooting themselves in the foot.
A link to Radware’s threat alert that contains technical details and IOCs will be added later in the day, after the alert becomes public. Thank you for understanding!
RELATED SECURITY COVERAGE: