An unsophisticated Linux-based botnet dubbed DemonBot is targeting exposed cloud servers using a vulnerability in Hadoop’s resource management tool to infect cloud servers with the botnet malware.
Radware researchers are monitoring the malware which spreads via central servers and targets Hadoop clusters with the intention of performing DDoS attacks powered by the cloud’s infrastructure servers, according to an 25 October blog post.
Radware researchers referred to the malware as DemonBot and said it leverages Hadoop YARN, Yet Another Resource Negotiator, unauthenticated remote command execution in order to infect Hadoop clusters.
YARN is a prerequisite for Enterprise Hadoop and provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform. The prerequisite also exposes a REST API which allows remote applications to submit new applications to the cluster.
Researchers noted the malware does not show the worm-like behavior exhibited by Mirai based bots and upon closer inspection appears unique. Researchers have tracked more than 70 active exploit servers actively spreading the malware at an aggregate rate of more than a million exploits per day.
The botnet’s Command and Control service was described as a self-contained C program that is supposed to run on a central command and control server.
The C&C performs the services of allowing bots to register and listen for new commands form the C2 and serves as a remote access CLI allowing botnet admins and potential ‘customers’ to control the activity of the botnet, researchers said.
"The list of cloud threats continues to grow. Demonbot is another new example of threats that exploit the myriad of vulnerabilities that exist in the clouds," Anthony James, vice president at CipherCloud said.
"DOS, data breach, data loss, insider threats, misconfiguration and administrative error, insecure API’s, the Spectre and Meltdown vulnerabilities, and much more will continue to enable unauthorised access to your data."
James added that cloud security strategy in the face of threats like Demonbot remains the same and recommends that if users encrypt their data at the cloud "edge" the data will be safe regardless of how any of these attacks unfold.