DemonBot Malware Targets Apache Hadoop Servers Using Available Exploit Code
New DemonBot malware uses Apache Hadoop exploit also used by XBash to launch exploitation attempts at a rate of one million a day to facilitate widespread DDoS.
Hintergrund
Researchers at Radware recently blogged about the discovery of a new piece of malware, dubbed DemonBot, used by attackers targeting Apache Hadoop servers. These servers are vulnerable to a Yet Another Resource Negotiator (YARN) exploit that was first reported in 2016. Exploit code has been publicly available since March 2018, and attackers have leveraged it to implant Xbash malware in September 2018.
Impact assessment
Radware’s Threat Research Center says they’ve identified over 70 active exploit servers launching exploitation attempts at a rate of “one million per day” in an effort to implant DemonBot.
Malware details
DemonBot is a distributed denial-of-service (DDoS) botnet similar to other DDoS botnets like Mirai. Unlike Mirai, DemonBot does not exhibit worm-like behavior, instead spreading by way of centralized servers.
DemonBot supports commands to launch User Datagram Protocol (UDP) (randomized) or Transmission Control Protocol (TCP) based DDoS attacks and a STD (UDP fixed payload) attack. It also supports what is called a STOMP command, which launches a sequential attack from STD to UDP to TCP.
Radware researchers also note that while DemonBot currently does not target Internet of Things (IoT) devices, it is “binary compatible with most known IoT devices, following the Mirai build principles.”
Urgently required actions
It is strongly advised that those operating Apache Hadoop clusters restrict access to the YARN WebResource Manager by configuring access control policies and limiting incoming traffic to the specified port for the WebResource Manager.
Identifizieren betroffener Systeme
A list of Nessus® plugins to identify vulnerable Apache Hadoop servers can be found here.
Additionally, our Linux Malicious Process Detection plugin will detect the malware associated with DemonBot.
Weitere Informationen
- New DemonBot Discovered
- Hadoop safari: Hunting for vulnerabilities
- ‘DemonBot' Botnet Targets Hadoop Servers
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
May 14, 2024Microsoft addresses 59 CVEs in its May 2024 Patch Tuesday release with one critical vulnerability and three zero-day vulnerabilities, two of which were exploited in the wild.
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
Cybersecurity Snapshot: Attackers Pounce on Unpatched Vulns, DBIR Says, as Critical Infrastructure Orgs Benefit from CISA’s Alert Program
May 3, 2024Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more!
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
May 14, 2024Microsoft addresses 59 CVEs in its May 2024 Patch Tuesday release with one critical vulnerability and three zero-day vulnerabilities, two of which were exploited in the wild.
Tenable Cloud Security Study Reveals a Whopping 95% of Surveyed Organizations Suffered a Cloud-Related Breach Over an 18-Month Period
May 14, 2024The finding from the Tenable 2024 Cloud Security Outlook study is a clear sign of the need for proactive and robust cloud security. Read on to learn more about the study’s findings, including the main challenges cloud security teams face, their strategies for better protecting their cloud infrastructure and the tools they use to measure success.
Shifting the Paradigm: Why the Cyber Insurance Industry Should Focus on Preventive Security
May 13, 2024As claims and losses climb, it’s clear that preventive security should be prioritized more when designing a cyber insurance policy. Here’s why preventive security investments are cost effective and can lead to lower premiums.
- Vulnerability Management