A coordinated cyber compromise campaign, dubbed “Spinning YARN,” is targeting cloud servers running vulnerable instances of Apache Hadoop, Atlassian Confluence, Docker, and Redis. Attackers are exploiting common misconfigurations and a known remote code execution (RCE) vulnerability in Confluence server (CVE-2022-26134) to deploy cryptomining tools and install a Linux-based reverse shell for potential future targeting and malware infestations.
Vulnerability Details:
- CVE-2022-26134: An RCE vulnerability in Confluence server exploited by the attackers.
- Common Misconfigurations: The campaign exploits well-known misconfigurations in platforms like Redis and Docker.
Attack Tactics:
- The attackers use automated, hard-coded tactics to exploit known vulnerabilities and misconfigurations.
- The campaign involves initial access via scanning for vulnerable instances, followed by exploitation.
- Multiple Golang binaries are used to automate the discovery and compromise of servers running the targeted cloud platforms.
- The attack chain includes disabling firewalls, deleting shell history, installing rootkits for obfuscation, and deploying Platypus for persistence, along with the XMRig cryptominer for Monero.
Mitigation:
- Ensure systems are patched, particularly for the known Confluence vulnerability.
- Address common misconfigurations to prevent exploitation.
- Monitor for unusual activity indicative of the outlined attack techniques.
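As an added example (not code from the report or from any of the projects it names), a small Python detector that runs over constructed command-audit lines and flags an account that shows several distinct stages of the chain outlined above: firewall disabled, shell history removed, an ld.so.preload entry added (one common rootkit loading path), and XMRig launched. The log format, host and user names, and the command patterns are assumptions, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed sample command-audit lines (hypothetical; not indicators from the report).
SAMPLE_LOG = """\
2024-03-05T10:01:12 web01 user=confluence cmd="id"
2024-03-05T10:01:15 web01 user=confluence cmd="ufw disable"
2024-03-05T10:01:16 web01 user=confluence cmd="iptables -F"
2024-03-05T10:01:20 web01 user=confluence cmd="rm -f /root/.bash_history"
2024-03-05T10:01:21 web01 user=confluence cmd="history -c"
2024-03-05T10:01:30 web01 user=confluence cmd="sh -c 'echo /tmp/libsys.so >> /etc/ld.so.preload'"
2024-03-05T10:02:00 web01 user=confluence cmd="/tmp/xmrig -o pool.invalid:3333 -k"
2024-03-05T10:05:00 web01 user=admin cmd="ls -la /var/log"
"""

# One rule per stage of the chain the report describes; the command patterns are assumptions.
RULES = {
    "firewall_disabled": re.compile(r"\b(ufw\s+disable|iptables\s+-F|systemctl\s+(stop|disable)\s+firewalld)\b"),
    "shell_history_removed": re.compile(r"(\.bash_history|\bhistory\s+-c\b|unset\s+HISTFILE)"),
    "ld_preload_rootkit": re.compile(r"/etc/ld\.so\.preload"),
    "xmrig_miner": re.compile(r"\bxmrig\b", re.IGNORECASE),
}

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

def scan_log(text):
    """Return one (timestamp, host, user, technique, cmd) tuple per rule hit, in log order."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        for technique, pattern in RULES.items():
            if pattern.search(m["cmd"]):
                hits.append((m["ts"], m["host"], m["user"], technique, m["cmd"]))
    return hits

def flag_multistage(hits, min_stages=2):
    """Map (host, user) to the distinct stages seen; keep only pairs with >= min_stages."""
    # A single hit may be routine admin work; several distinct stages from one account
    # is the multistage pattern the report describes and is worth an alert.
    stages = defaultdict(set)
    for _ts, host, user, technique, _cmd in hits:
        stages[(host, user)].add(technique)
    return {k: v for k, v in stages.items() if len(v) >= min_stages}

if __name__ == "__main__":
    for (host, user), seen in flag_multistage(scan_log(SAMPLE_LOG)).items():
        print(f"ALERT host={host} user={user} stages={sorted(seen)}")
```

Wire the same rules into whatever command auditing already exists (auditd execve records, EDR process telemetry) rather than parsing ad hoc text in production; the grouping by account and distinct stage is the part that cuts noise.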
Threat Actors:
- The tactics overlap with those of known threat groups TeamTNT and WatchDog, which target cloud and container environments.
Implications:
- The campaign highlights the ongoing focus of threat actors on exploiting vulnerabilities and misconfigurations in web-facing services in cloud environments.
- The use of a multistage attack chain and anti-forensic measures indicates a sophisticated approach to maintaining access and evading detection.
Recommendations:
- Regularly update and patch all cloud services and software.
- Conduct thorough configuration reviews to identify and rectify potential misconfigurations.
- Implement robust monitoring and detection capabilities to identify signs of compromise early.
Conclusion:
The “Spinning YARN” campaign underscores the importance of maintaining strong security postures in cloud environments, with particular attention to patching known vulnerabilities and addressing common misconfigurations. Organizations should remain vigilant and proactive in their security measures to defend against such sophisticated attacks.