Mirai Used as Payload in Hadoop YARN Vulnerability

A Mirai variant has been discovered targeting unpatched Linux servers, shifting the use of the malicious payload beyond the internet of things (IoT), according to new research from NETSCOUT ASERT.

Using their honeypot network to monitor the tens of thousands of daily exploit attempts for the Hadoop YARN vulnerability, Arbor’s Security Engineering and Response Team (ASERT) researchers surprisingly found the all-too-familiar Mirai payload.

“Mirai botmasters have found they can target Linux servers just as easily as IoT devices. They attack the servers themselves rather than rely on the bots to propagate, since servers tend not to move around the network or get powered down,” said Matt Bing, security research analyst at NETSCOUT.

“Servers make an attractive target for DDoS bots for their network speed and hardware resources, compared to relatively underpowered IoT devices. What we’ve seen is Linux servers being conscripted to the same botnets as IoT devices. In the future we can expect more DDoS botnets with both infected IoT devices and Linux servers, like an army of foot soldiers being supported by tanks.”

Tailored to run on Linux servers, the new variant of Mirai exhibited similar behaviors to those of the original version. This discovery marks the first time ASERT has seen Mirai used to exploit non-IoT systems in the wild.

“Rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves. A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware,” Bing wrote.

The vulnerability is a command injection flaw that enables the execution of arbitrary shell commands. The same vulnerability was used last month to install the DemonBot DDoS bot, according to the researchers.

Given that Linux servers have access to greater bandwidth than IoT devices running on the networks, the Mirai bots reportedly act as more efficient DDoS bots, capable of executing attacks that compete with a much larger IoT botnet.
