A new malicious campaign targeting the Apache big data stack, specifically Hadoop, Druid, and Flink, has been uncovered by researchers at Aqua Security. The attackers exploit vulnerabilities and misconfigurations in cloud deployments of these services; the researchers' honeypots recorded more than three thousand attack incidents in the past month.
Apache, a widely recognized open-source foundation that supports numerous projects, lists more than 320 active projects and 8,000 participants on its official website.
The attacks use a fresh version of the Lucifer DDoS botnet, which targets vulnerable Linux systems and has been known since 2020 for turning them into Monero mining bots.
In the current campaign the attackers exploit misconfigurations and older, already-patched vulnerabilities such as CVE-2021-25646 in Apache Druid, which allows a remote unauthenticated user to execute arbitrary JavaScript code with the privileges of the server process.
As outlined by the researchers, the campaign proceeds in stages: exploiting a vulnerability or misconfiguration to gain access, downloading and executing the Lucifer malware, and finally deploying the primary malicious component, the XMRig miner.
Over six months of monitoring, the campaign has undergone only minor adaptations, including changes to its delivery mechanisms and to the functionality of the malware.
To safeguard your organization, it is crucial to patch systems promptly, configure them correctly, follow the projects' security guidelines, and consider deploying real-time detection and response tooling. Exercising caution when using open-source libraries and dedicating sufficient time and resources to employee training are also recommended.
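The two defensive measures above that are easiest to make concrete are checking configuration and watching for the miner payload. The script below is an added example, not code from Aqua Security or the Apache projects: it parses a Druid `runtime.properties` file and reports whether server-side JavaScript execution is switched on, and it scans process-list lines for generic coin-miner indicators. The property name `druid.javascript.enabled` is a real Druid runtime setting taken from the Druid documentation, not from the article; the miner indicators (`xmrig`, `stratum+tcp://`) are generic strings, not campaign-specific IoCs; and the sample properties fragment and process lines are constructed for the demonstration.

```python
"""Defender-side checks for the two issues the article names: a Druid
configuration that permits JavaScript execution, and a coin miner running
on a Linux host. Added example; all sample inputs below are constructed."""
import re
from typing import Dict, List, Tuple

# druid.javascript.enabled is a real Apache Druid runtime property whose
# default is false. It is not mentioned in the article; the name comes from
# the Druid documentation.
JS_PROPERTY = "druid.javascript.enabled"

# Generic indicators of mining activity in a process command line. These are
# not the campaign's own IoCs (the article publishes none).
MINER_PATTERNS = [
    re.compile(r"\bxmrig\b", re.IGNORECASE),
    re.compile(r"stratum\+tcp://", re.IGNORECASE),
]


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a Java .properties-style file.

    Handles '#' and '!' comment lines, blank lines, and both 'key=value'
    and 'key: value' separators. Later keys overwrite earlier ones, as in
    Java's Properties loader.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_druid_properties(text: str) -> List[str]:
    """Return a list of findings for a Druid runtime.properties file.

    Only one check is implemented: JavaScript execution must not be enabled
    unless there is a documented need for it. A missing key counts as the
    Druid default (false).
    """
    findings: List[str] = []
    props = parse_properties(text)
    if props.get(JS_PROPERTY, "false").strip().lower() == "true":
        findings.append(
            f"{JS_PROPERTY}=true: server-side JavaScript is enabled; "
            "set it to false unless a feature explicitly requires it"
        )
    return findings


def flag_suspicious_processes(ps_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for process-list lines that match
    any miner indicator. Input is the text of e.g. 'ps -eo pid,user,args'."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(ps_lines, 1):
        if any(pattern.search(line) for pattern in MINER_PATTERNS):
            hits.append((lineno, line))
    return hits


# Constructed sample Druid configuration fragment (not from a real host).
SAMPLE_PROPERTIES = """\
# constructed runtime.properties fragment
druid.host=druid-broker.internal
druid.javascript.enabled=true
druid.server.http.numThreads=40
"""

# Constructed process-list lines; hostnames and paths are placeholders.
SAMPLE_PS = [
    "  512 druid    /usr/bin/java -server org.apache.druid.cli.Main server broker",
    "  771 hadoop   /tmp/.x/xmrig -o stratum+tcp://pool.example:3333",
    "  900 hadoop   ./miner --url=stratum+tcp://pool.example:3333",
    "  955 hadoop   /usr/bin/java org.apache.hadoop.yarn.server.nodemanager.NodeManager",
]

if __name__ == "__main__":
    for finding in audit_druid_properties(SAMPLE_PROPERTIES):
        print("CONFIG:", finding)
    for lineno, line in flag_suspicious_processes(SAMPLE_PS):
        print(f"PROCESS (line {lineno}):", line.strip())
```

Run on a real host by replacing the constructed samples with the contents of the Druid node's `runtime.properties` and the output of `ps -eo pid,user,args`. The process check is deliberately narrow; in practice it belongs beside network-level alerts for outbound connections to mining pools and file-integrity monitoring of the user-writable directories the miner was dropped into.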
This campaign underscores the need for a vigilant security posture when running open-source Apache software, and the importance of comprehensive protection and adherence to established defensive best practices.