Threat actors have initiated a sophisticated malware campaign dubbed “Spinning YARN,” targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services. Cado security researcher Matt Muir highlights the attackers’ utilization of common misconfigurations and N-day vulnerabilities to conduct Remote Code Execution (RCE) attacks, deploying a cryptocurrency miner and establishing persistent remote access. Leveraging novel Golang payloads, the attackers automate the identification and exploitation of susceptible hosts, showcasing advanced techniques to evade detection and propagate across cloud environments.
The initial compromise involves deploying four Golang payloads capable of exploiting vulnerabilities in Confluence, Docker, Hadoop YARN, and Redis services, utilizing utilities like masscan or pnscan to hunt for susceptible hosts. Once access is gained, additional tools are deployed to install rootkits, conceal malicious processes, and drop a reverse shell utility, paving the way for the launch of the XMRig cryptocurrency miner. This sophisticated approach underscores the attackers’ significant investment in understanding and exploiting web-facing services deployed in cloud environments, as they continuously adapt to evade detection and maximize their malicious activities.
The emergence of “Spinning YARN” follows a wave of assaults targeting cloud infrastructure, with threat actors exploiting known security flaws in Apache Log4j and Atlassian Confluence Server and Data Center. Security researchers Tejaswini Sandapolla and Shilpesh Trivedi note the attackers’ profound understanding of cloud environments, employing advanced evasion techniques to navigate and manipulate systems to their advantage. These attacks, targeting both Windows and Linux hosts, prioritize stealth and evasion, reflecting a broader trend where cloud services are abused for cryptocurrency mining and malware hosting purposes.
