Security
Headlines
HeadlinesLatestCVEs

Headline

New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

By Deeba Ahmed Another day, another Linux malware! This is a post from HackRead.com Read the original post: New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

HackRead
#vulnerability#web#linux#ddos#apache#redis#nodejs#rce#botnet#vmware#auth#docker

Linux Users Beware: “Spinning YARN” Malware Campaign Targets Misconfigured Servers Running on Apache Hadoop YARN, Docker, Confluence and Redis.

Cado Security Labs has discovered an emerging Linux malware campaign dubbed Spinning Yarn targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis web-facing services.

The emergence of the new Linux malware shouldn’t come as a surprise, given the recent surge in threats targeting Linux devices and servers. Just a couple of days ago, an old Linux malware known as Bifrost RAT resurfaced with a new variant that mimics VMware domains.

According to Cado Security’s research research shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors.

These services are crucial components in organizations’ IT infrastructure. Docker is critical for developing, deploying, and managing containerized applications. Apache Hadoop allows distributed processing of large datasets. Redis, a widely used in-memory data store, helps in caching real-time applications, and Confluence allows collaboration and knowledge management.

By compromising these applications, attackers can gain unauthorized access to systems, steal sensitive data, disrupt operations, or deploy ransomware, posing a significant threat to servers and critical infrastructure.

In Spinning Yarn, threat actors have used several unique payloads, including four Golang binaries that automate the discovery and infection of hosts and let them exploit code. They use Confluence to exploit common misconfigurations and vulnerabilities, launching Remote Code Execution (RCE) attacks and infecting new hosts.

The attackers exploit CVE-2022-26134, an n-day vulnerability in Confluence, and deploy a container for the Docker compromise. The vulnerability has been exploited since 2022, including by Mirai malware variant V3G4 against IoT devices for DDoS attacks

Further probing revealed a series of shell scripts and standard Linux attack techniques used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to compromised hosts. They also deploy an instance of the Platypus open-source reverse shell utility to maintain access.

In an attempt to evade detection, multiple user-mode rootkits are deployed. Researchers observed that the shell script payloads employed in this campaign share similarities with those used in previous cloud attacks.

In their blog post, Cado Security Labs detailed initial access activity on a docker Engine API honeypot on this IP address: 47966971. The attacker spawned a new container using Alpine Linux and created a bind mount for the underlying server’s root directory. This technique is common in Docker attacks, allowing attackers to write files to the host and execute a job for the Cron scheduler eventually achieving RCE.

In this campaign, the attacker wrote an executable and registered a Cron job to execute base64-encoded shell commands. Such extensive attack on Linux applications demonstrates attackers’ growing sophistication in targeting web-facing services in cloud environments, keeping abreast of vulnerabilities.

To mitigate the risks from campaigns like Spinning Yarn, regularly update software, enable strong passwords, educate employees on cybersecurity best practices, segment your network to limit potential damage, and deploy security solutions like endpoint security solutions and firewalls to detect and prevent malware infections. This will help protect against known vulnerabilities and ensure a secure environment.

  1. New Linux Malware “Migo” Exploits Redis for Cryptojacking
  2. Free Download Manager Site Pushed Linux Password Stealer
  3. Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack
  4. Hamas Hackers Hit Israelis with New BiBi-Linux Wiper Malware
  5. Mirai-based NoaBot Botnet Hits Linux Systems with Cryptominer

Related news

Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

By Waqas The V3G4 malware was caught leveraging several vulnerabilities in IoT devices to spread its infection from July to December of 2022. This is a post from HackRead.com Read the original post: Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

Microsoft is warning of an uptick in the nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments. The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability," making it imperative that

Microsoft Warns on Zero-Day Spike as Nation-State Groups Shift Tactics

The software giant also recorded an increase in attacks on IT services companies as state-backed threat actors have adapted to better enterprise defenses and cast a wider net, Microsoft says.

Patch Now: Atlassian Confluence Bug Under Active Exploit

Attackers almost immediately leapt on a just-disclosed bug, CVE-2022-26138, affecting Atlassian Confluence, which allows remote, unauthenticated actors unfettered access to Confluence data.

Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open

A hardcoded password associated with the Questions for Confluence app has been publicly released, which will likely lead to exploit attempts that give cyberattackers access to all Confluence content.

You Need to Update Windows and Chrome Right Now

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

DragonForce Gang Unleash Hacks Against Govt. of India

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

Atlassian Confluence Namespace OGNL Injection

This Metasploit module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.

CVE-2022-26134: [CONFSERVER-79016] Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

An remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.