Published on January 24, 2019
By Oleg Kolesnikov and Harshvardhan Parashar, Securonix Threat Research Team
Figure 1: Moanacroner Establishes Persistence After Initial Cloud YARN/Hadoop Infection Using Crontabs
In recent months, we have been observing an increase in the number of automated attacks targeting exposed cloud infrastructure/Hadoop/YARN instances. Some of the attacks we have been seeing – for example, Moanacroner (a variant of Sustes ) – are fairly trivial, targeted single-vector/single-platform attacks where the focus is mainly on cryptomining.
Some attacks, however, are multi-vector/multi-platform threats where multiple functionalities – including cryptomining, ransomware, and botnet/worms for both Linux and Windows – are combined as part of the same malicious threat (for example, XBash).
The Securonix Threat Research Team has been actively investigating and closely monitoring these persistent malicious attacks impacting exposed cloud infrastructure in order to help our customers prevent, detect, and mitigate/respond to the attacks. Below is a summary of what we currently know, and our recommendations for possible mitigations and Securonix predictive indicators that can be used to detect such attacks.
Figure 2: Cloud Infrastructure Hadoop/YARN Logs Containing the Initial Infection/Malicious Commands Launched by Various Malicious Threat Actors
Here is a summary of some of the key details about some of the persistent cloud infrastructure/Hadoop/YARN attacks we have been observing.
In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access. In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads. For example, in the case of Xbash (which was reported a few months ago), the malware deletes the databases instead of encrypting them, and does not have any functionality to backup/recover the files.
Some of the key vectors we have been observing in these attacks involve the use of Hadoop unauthenticated command execution  and Redis remote command execution . There have also been other vectors used, including ActiveMQ (Arbitrary File Execution) .
Command and Control (C2)
There are a number of different C2 servers observed, and the hop points change continuously. Some malware fetches a hardcoded list of C2 server domain names from a pastebin webpage. C2 servers are then used to collect the target IP addresses and domains, download additional malicious scripts to perform cryptojacking, fetch additional username/password lists to be used for brute-force attacks, and report the results.
Most of the malicious implants observed maintain persistence by creating a cronjob entry, usually by leveraging different files (for example, on Linux: /etc/crontab, /etc/cron.d/root, /etc/cron.d/apache, /var/spool/cron/root, etc.), or by creating a malicious startup item if running on Windows, in order to download additional malicious stagers from a C2 server.
C2 IP/Stager Addresses
Figure 3: Xbash Maintains Persistence by Setting Up Cronjobs to Download Additional Malicious Scripts
Some Relevant Behaviors - Highlights
There are many common behaviors shared by the malicious threat actors we’ve been observing, including the infection vectors mentioned above, the persistence mechanisms, and some of the actions on objectives, including cryptomining payloads. XBash is a good example of a more advanced threat actor leveraging many of these common behaviors, so below we will provide some highlights of some of the relevant behaviors used by Xbash from a detection perspective.
Figure 4: Target Domain List Fetched by Xbash from One of the C2s
The Xbash botnet has been active since May 2018 and has shown a distinguishing combination of cryptojacking, cybersabotage, and multi-platform characteristics. Xbash malware infects Linux and Windows systems with the aim of deleting critical databases, installing cryptojacking scripts, and asking for ransoms by impersonating a ransomware attack. The Xbash botnet has been scanning the target domains and IP addresses specified by the C2 for multiple services running on different ports including :
HTTP: 80, 8080, 8888, 8000, 8001, 8088
MySQL/MariaDB: 3309, 3308,3360 3306, 3307, 9806, 1433
VNC: 5900, 5901, 5902, 5903
Telnet: 23, 2323
Oracle Database: 1521
Redis: 6379, 2379
Figure 5: Password Dictionary Fetched from One of the C2s for Brute-Force Attacks
The malware infiltrates and spreads by brute-forcing the weak passwords configured on the above services, or by exploiting one of three vulnerabilities found on Hadoop YARN Resource Manager, Redis, and ActiveMQ.
Once the malware is successfully able to log into the database services (MYSQL, PostgreSQL, MongoDB, or phpMyAdmin) it deletes the existing databases stored on the server and creates a database with a ransom note specifying the amount and the bitcoin wallet.
While infecting a vulnerable Redis service Xbash determines if the server is installed on Windows or Linux by identifying the location of the installation from the config. If the Redis is installed on Windows, the malware creates a startup item for persistence and downloads additional scripts and executables to perform cryptojacking or install ransomware .
Figure 6: Malicious Script Kills Any Other Cryptomining Services Found Running
Detection - Sample Securonix Spotter Search Queries
Some sample Securonix Spotter search queries to assist with the detection of existing infections.
ETDR Process Monitoring (Process Hash Conditions)
(rg_category contains "Endpoint" OR rg_category contains "ips" OR rg_category contains "ids") AND
Figure 7: Examples of Changes to Crontab Made by Malicious Implants in FIM Logs
Network Monitoring (Network Traffic to C2/Stagers)
rg_category contains "Firewall" OR rg_category contains "proxy") AND (destinationaddress IN “22.214.171.124”,“126.96.36.199”,“188.8.131.52”,“184.108.40.206”,“220.127.116.11”,“18.104.22.168”, “22.214.171.124”, “126.96.36.199”, “188.8.131.52”, “184.108.40.206”, “220.127.116.11”, “18.104.22.168”, “22.214.171.124”, “126.96.36.199”, “188.8.131.52”, “184.108.40.206”, “220.127.116.11”)
Some Relevant Log/Data Source Examples
VPC EDR logs (sysmon, osquery, Bit9/Carbonblack, etc.)
Cloud infrastructure application/database/webserver/Hadoop/YARN logs
VPC flow logs, etc.
Windows Event Logs
Some Examples of Securonix Predictive Indicators
Below is a summary of some of the relevant Securonix predictive indicators to increase the chances of early detection of this, and potentially other future variants of the threats mentioned above, in your cloud infrastructure. Figure 8 shows a practical example of detection of the malicious threats impacting cloud infrastructure described above using Securonix.
Figure 8: Practical Example of Detection Using Securonix
- Suspicious Filesystem Activity - Unusual FIM Change For File Analytic
- One possible example is an unusual change to one of the crontab files (see Figure 7).
- Suspicious Process Activity - Unusual Parent-Child Relationship For Host Analytic
- One possible example is an unusual parent process for wget or curl execution that is commonly used by malicious threat actors as part of staging the attacks.
- Suspicious Hadoop Activity - Unusual Container Command Launch for Host Analytic
- One possible example is running unexpected commands as part of YARN manager activity (see Figure 2).
- Suspicious Network Activity - Unusual Outbound Connection For Container Analytic
- Suspicious Windows Activity - Unusual CPU Utilization Amount For Host Analytic
- Suspicious Database Activity - Unusual Source IP Address for User Analytic
and a number of other Securonix behavioral analytics/predictive indicators including EDR-SYM19-ERI, EDR-SYM2-ERI, PXY-PAN5-TAN, WEL-WOT1-BPI, WEL-TAN2-BPI, WEL-SCH2-RUN, EDR-SYM12-RUN, and others.
Mitigation and Prevention - Securonix Recommendations
Here are some of the Securonix recommendations to help customers prevent and/or mitigate the attack:
- Continuously review your cloud infrastructure services’ exposure to the internet, including Hadoop/YARN, Redis, and ActiveMQ, and restrict access whenever possible to reduce the potential attack surface (see http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt, http://antirez.com/news/96, https://fortiguard.com/encyclopedia/ips/46466). Also, consider leveraging a centralized patch management system.
- Consider implementing Redis in protected mode (see http://antirez.com/news/96).
- Implement strong password policies for your services mentioned above as some of the malicious threat actors described, such as Xbash, use password brute-force to propagate.
References Claud Xiao, Cong Zheng and Xingyu Jin. Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Unit 42. September 17, 2018. https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/.Last accessed: 01-14-2019.  Rapid7. Hadoop YARN ResourceManager Unauthenticated Command Execution. Rapid7. March 23, 2018. https://www.rapid7.com/db/modules/exploit/linux/http/hadoop_unauth_exec. Last accessed: 01-14-2019.  Antirez. Redis Remote Command Execution Redis Remote Command Execution. Packet Storm. Nov 3, 2015. https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html. Last accessed: 01-14-2019.  NVD. CVE-2016-3088 Detail. National Vulnerability Database. June 01, 2016. https://nvd.nist.gov/vuln/detail/CVE-2016-3088. Last accessed: 01-14-2019.  Omri Ben Bassat. Iron Cybercrime Group Under The Scope. Intezer. May 29, 2018. https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/. Last accessed: 01-14-2019.  Blockchain. Bitcoin Address. September 26, 2018. https://www.blockchain.com/btc/address/1Kss6v4eSUgP4WrYtfYGZGDoRsf74M7CMr. Last accessed: 01-14-2019.  Blockchain. Bitcoin Address. October 02, 2018. https://www.blockchain.com/btc/address/1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1. Last accessed: 01-14-2019.  Antirez. A few things about Redis security. November 3, 2015. http://antirez.com/news/96. Last accessed: 01-14-2019.  Green-m. hadoop_unauth_exec.rb. October 19, 2016. https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hadoop_unauth_exec.rb. Last accessed: 01-14-2019.  FortiGuard Labs. Apache.Hadoop.YARN.ResourceManager.Command.Execution. Fortinet. https://fortiguard.com/encyclopedia/ips/46466. Last accessed: 01-14-2019.  Marco Ramilli. Sustes Malware: CPU for Monero. https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/. Last accessed: 01-14-2019.