Hadoop administrators beware: There is a botnet that is actively looking for unsecured Hadoop systems.
Security firm Radware first disclosed the DemonBot botnet in a report on Oct. 25, revealing that the botnet is taking specific aim at Hadoop systems. According to Radware’s analysis, there are more than 70 active exploit servers that are spreading DemonBot. The DemonBot attack is not a worm attack that spreads from one host to the next, but rather it spreads from a central server.
“Given the size of Hadoop servers, we expect some very capable servers with good connectivity, so the attacks might be considerably large,” Pascal Geenens, EMEA cyber-security evangelist for Radware, told eWEEK.
Botnet operators look to infect unsuspecting systems in an effort to enlist them into the botnet, which is then used to launch other malicious activities. Some botnets, like the Mirai IoT botnet that first began infecting systems in late 2016, actively scan for vulnerable systems in an attempt to accelerate exploitation, but that’s not the case with DemonBot.
“Since DemonBot does not expose any scanning behavior, it does not make noise like traditional IoT botnets that use distributed scanning,” Geenens said. “Hence, it is not possible for us to map out the location of infected servers without resorting to illegal access of the command and control servers.”
Geenens added that Radware is now gathering more data by identifying potentially vulnerable servers and will cross-correlate with the distributed denial-of-service (DDoS) attack information from Radware’s Cloud DDoS service in order to determine scope and impact. While there is the potential that DemonBot could be used for large-bandwidth DDoS attacks, He noted that Radware isn’t only concerned about the really large attacks. Rather, the concern is for the daily attacks, which might not be record breaking in terms of attack volume but are still impactful for many organizations.
“Most of the customers are easily saturated with attacks starting at just a couple of Gbps,” Geenens said. “A botnet of just 2G bps is a powerful weapon that can cause a lot of damage. It does not have to be 1T-bps+ botnet.”
Geenens explained that any Hadoop cluster with YARN (Yet Another Resource Manager) enabled and exposed on the internet through port 8088 is potentially at risk from DemonBot. YARN provides application and cluster management capabilities for Hadoop big data deployments.
While DemonBot has been built to enable a DDoS botnet, Geenens said it’s not the first botnet to exploit the Hadoop YARN vulnerability. On Sept.17, researchers from Palo Alto Networks Unit 42 reported on the Xbash campaign that exploited the same vulnerability, but instead of DDoS, that bot carried cryptomining and ransom payloads.
Radware was able to discover the DemonBot through the use of a deception network. Geenens said the deception network consists of several layers, with the first layer monitoring attacks on any port and for any service but does not respond to queries.
“Once we detected the pattern, we investigated the origin of the request,” he said. “Based on the POC [proof of concept] code for the vulnerability, we set up a dummy service that listens on port 8088 and replies to queries for YARN new-application with an application-id, at which point the exploit server makes a second request with the command and the location of the malware.”
Geenens added that the Radware deception network is not running any real services. Rather, Radware has several medium interaction honeypots that listen on different ports and simulate real devices.
There is a relatively simple method for organizations to secure themselves against being drawn into the DemonBot botnet. Geenens said it is imperative that organizations secure access to YARN.
“If there is no need to have YARN exposed on the internet, do not expose it,” he said. “If you need to expose it for some reason, do so with care and protect it using authentication and strict permissions. It is, after all, a web API, and there are many ways to secure access to web APIs through API gateways.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.