DemonBot Malware Targets Apache Hadoop Servers Using Available Exploit Code
New DemonBot malware uses Apache Hadoop exploit also used by XBash to launch exploitation attempts at a rate of one million a day to facilitate widespread DDoS.
Contexte
Researchers at Radware recently blogged about the discovery of a new piece of malware, dubbed DemonBot, used by attackers targeting Apache Hadoop servers. These servers are vulnerable to a Yet Another Resource Negotiator (YARN) exploit that was first reported in 2016. Exploit code has been publicly available since March 2018, and attackers have leveraged it to implant Xbash malware in September 2018.
Impact assessment
Radware’s Threat Research Center says they’ve identified over 70 active exploit servers launching exploitation attempts at a rate of “one million per day” in an effort to implant DemonBot.
Malware details
DemonBot is a distributed denial-of-service (DDoS) botnet similar to other DDoS botnets like Mirai. Unlike Mirai, DemonBot does not exhibit worm-like behavior, instead spreading by way of centralized servers.
DemonBot supports commands to launch User Datagram Protocol (UDP) (randomized) or Transmission Control Protocol (TCP) based DDoS attacks and a STD (UDP fixed payload) attack. It also supports what is called a STOMP command, which launches a sequential attack from STD to UDP to TCP.
Radware researchers also note that while DemonBot currently does not target Internet of Things (IoT) devices, it is “binary compatible with most known IoT devices, following the Mirai build principles.”
Urgently required actions
It is strongly advised that those operating Apache Hadoop clusters restrict access to the YARN WebResource Manager by configuring access control policies and limiting incoming traffic to the specified port for the WebResource Manager.
Identification des systèmes affectés
A list of Nessus® plugins to identify vulnerable Apache Hadoop servers can be found here.
Additionally, our Linux Malicious Process Detection plugin will detect the malware associated with DemonBot.
Où trouver plus d'informations
- New DemonBot Discovered
- Hadoop safari: Hunting for vulnerabilities
- ‘DemonBot' Botnet Targets Hadoop Servers
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Articles connexes
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Vulnerability Management