Attackers looking to increase the denial-of-service power of their botnet have set their sights on servers with vulnerable Hadoop installations, compromising them via publicly available exploits.
Choosing such powerhouses for something that is typically accomplished by smart devices these days may seem like an odd idea, but Hadoop servers are stable platforms, and a single one could replace a large number of less-capable devices.
The botnet received the name DemonBot and since late September it has grown from using a few servers to 70 servers this week that actively search the web for vulnerable Hadoop installations and compromise them.
Cybersecurity company Radware, which is tracking DemonBot, noticed an increase in its activity to over one million daily exploitation attempts.
Although researchers know the number of scanning systems, these are just the “recruiting” part of the botnet, or the “central servers” as Radware calls them. The bots themselves stay silent until the moment of the distributed denial-of-service (DDoS) attack.
“The DDoS attack vectors supported by DemonBot are UDP and TCP floods,” Radware writes in a blog post today.
Proof-of-concept available for months
The botnet leverages an unauthenticated remote code execution vulnerability in the Yet Another Resource Negotiator (YARN) module used in enterprise networks for cluster resource management and job scheduling.
Proof-of-concept code demonstrating the security flaw has been freely available on GitHub since March this year.
It appears that the root of the trouble is a misconfiguration in YARN, which exposes the ResourceManager REST API without authentication and allows a remote party to submit new applications to the cluster. Taking advantage of this oversight, the attackers submit the DemonBot malware as a YARN application.
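Because a job submitted through an unauthenticated YARN REST endpoint still passes through the ResourceManager, it leaves a trace in the RM audit log. The following is an added detection example, not code from the article or from Radware: it parses ResourceManager audit lines in the RMAuditLogger format and flags application submissions made under the anonymous web identity (`dr.who`, the default `hadoop.http.staticuser.user`) or from addresses outside an assumed trusted client range. The log lines and the `10.0.0.0/8` range are constructed for illustration; the parser assumes whitespace-separated `KEY=value` fields as Hadoop emits them.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape of Hadoop's RMAuditLogger output
# (YARN ResourceManager audit log). Users, IPs and app IDs are made up.
SAMPLE_LOG = """\
2018-10-25 14:02:11,437 INFO resourcemanager.RMAuditLogger: USER=alice IP=10.0.5.21 OPERATION=Submit Application Request TARGET=ClientRMService RESULT=SUCCESS APPID=application_1540000000000_0001
2018-10-25 14:03:52,102 INFO resourcemanager.RMAuditLogger: USER=dr.who IP=203.0.113.45 OPERATION=Submit Application Request TARGET=ClientRMService RESULT=SUCCESS APPID=application_1540000000000_0002
2018-10-25 14:03:53,880 INFO resourcemanager.RMAuditLogger: USER=dr.who IP=203.0.113.45 OPERATION=Kill Application Request TARGET=ClientRMService RESULT=SUCCESS APPID=application_1540000000000_0001
2018-10-25 14:05:09,014 INFO resourcemanager.RMAuditLogger: USER=bob IP=10.0.5.30 OPERATION=Get Applications Request TARGET=ClientRMService RESULT=SUCCESS
"""

# Fields are KEY=value, separated by whitespace (Hadoop uses tabs; spaces
# are accepted here too). APPID is absent for operations without an app.
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO resourcemanager\.RMAuditLogger: "
    r"USER=(?P<user>\S+)\s+IP=(?P<ip>\S+)\s+OPERATION=(?P<op>.+?)\s+"
    r"TARGET=(?P<target>\S+)\s+RESULT=(?P<result>\S+)(?:\s+APPID=(?P<appid>\S+))?"
)

# "dr.who" is the default hadoop.http.staticuser.user: the identity an
# unauthenticated HTTP/REST caller receives when the web endpoints run
# with simple auth. A job submitted under it came in without credentials.
ANONYMOUS_USERS = {"dr.who"}

# Assumption for this example: legitimate job clients live in this range.
TRUSTED_CLIENT_NETS = [ip_network("10.0.0.0/8")]


def parse_audit_line(line):
    """Return the audit fields as a dict, or None if the line is not an RM audit record."""
    m = AUDIT_RE.match(line.strip())
    return m.groupdict() if m else None


def in_trusted_net(ip):
    """True if ip falls inside one of the trusted client networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_CLIENT_NETS)


def find_suspicious_submissions(log_text):
    """Flag application submissions by the anonymous web user or from untrusted sources."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["op"] != "Submit Application Request":
            continue
        reasons = []
        if rec["user"] in ANONYMOUS_USERS:
            reasons.append("anonymous web user")
        if not in_trusted_net(rec["ip"]):
            reasons.append("source outside trusted client range")
        if reasons:
            findings.append({
                "appid": rec["appid"],
                "user": rec["user"],
                "ip": rec["ip"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_submissions(SAMPLE_LOG):
        print(f"{f['appid']} submitted by {f['user']} from {f['ip']}: {', '.join(f['reasons'])}")
```

Run against a real `yarn-*-resourcemanager-*.log`, the same two conditions apply: any `Submit Application Request` under `dr.who` means the REST API is reachable without authentication, and the durable fix is enabling Kerberos (`hadoop.security.authentication`) and HTTP authentication on the web endpoints rather than tuning this detector.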
Mirai-like, but not quite
Radware says that malware code from servers that are currently offline referenced a Mirai variant known as Owari. However, the researchers found sufficient evidence to label DemonBot as a new botnet, due to unfamiliar function names and a unique fingerprint in the code.
They soon discovered the complete source code for the botnet on Pastebin, from someone using the alias Self-Rep-NeTiS, along with the source code for the command and control (C2) server and the script for creating multi-platform bots.
At the beginning of the month, NewSky Security researcher Ankit Anubhav spotted the same YARN security bug being exploited by a botnet that appeared to be related to the Sora botnet, a strain of Mirai.
— Ankit Anubhav (@ankit_anubhav) October 1, 2018