Hackers Use Incorrectly Configured Redis, Docker, Confluence, and YARN Servers to Mine Cryptocurrencies

As part of an evolving malware campaign, threat actors are focusing on misconfigured and insecure servers running Redis, Docker, Atlassian Confluence, and Apache Hadoop YARN services. The campaign's goal is to spawn a reverse shell for persistent remote access and deliver a cryptocurrency miner.

According to a study published with The Hacker News by Cado security researcher Matt Muir, "the attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts."

The cloud security business has given the activity the codename Spinning YARN. The activity overlaps with cloud attacks previously attributed to TeamTNT, WatchDog, and a cluster known as Kiss-a-dog.

The first step is to launch four unique Golang payloads that can automatically find and take advantage of vulnerable Confluence, Docker, Hadoop YARN, and Redis servers. The spreader utilities look for these services using masscan or pnscan.

"For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," Muir said. This initial access then makes it possible to use other tools to drop the Platypus open-source reverse shell application, install rootkits like libprocesshider and diamorphine to hide malicious processes, and finally start the XMRig miner.
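The process-hiding step above is worth a concrete detection check. The following is an added example for this article, not code from Cado or from the campaign's tooling. It targets the LD_PRELOAD class of rootkit that libprocesshider belongs to: such a library hooks readdir(), so tools that list /proc by directory enumeration miss the hidden PIDs, while stat()-probing /proc/<pid> for every candidate PID still sees them. The script compares the two views and also audits the standard glibc preload file /etc/ld.so.preload, which is normally absent or empty. The library path in the sample data and the hypothetical PID values are constructed for the demonstration.

```python
"""Spot processes hidden from readdir()-based tools (the technique used by
LD_PRELOAD rootkits such as libprocesshider) and audit /etc/ld.so.preload.

Added example, not code from the article's source or the campaign.
Assumptions: Linux procfs layout (/proc/<pid>), the standard glibc preload
file path, and that a PID visible via stat() but absent from readdir() of
/proc indicates hiding.
"""
import os
import re

PRELOAD_PATH = "/etc/ld.so.preload"  # standard glibc location


def listed_pids(proc_entries):
    """PIDs as seen by readdir(): the view a hooked libc can filter."""
    return {int(name) for name in proc_entries if name.isdigit()}


def probed_pids(exists, pid_max):
    """PIDs found by asking the kernel about each /proc/<pid> directly.

    `exists` is a callable pid -> bool (os.path.exists on a live host).
    stat() takes a different code path than readdir(), so a hooked
    readdir() cannot remove a PID from this view.
    """
    return {pid for pid in range(1, pid_max + 1) if exists(pid)}


def hidden_pids(listed, probed):
    """Processes the kernel knows about but the directory listing omitted."""
    return sorted(probed - listed)


def suspicious_preload_entries(preload_text, allowlist=()):
    """Return non-allowlisted shared objects named in an ld.so.preload file.

    On most hosts this file is absent or empty; any entry deserves review,
    and a library outside the allowlist is flagged.
    """
    entries = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # glibc splits entries on whitespace and on ':'
        for lib in re.split(r"[\s:]+", line):
            if lib and lib not in allowlist:
                entries.append(lib)
    return entries


def audit_live_host(pid_max=None):
    """Run both checks against the running system (Linux only)."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    listed = listed_pids(os.listdir("/proc"))
    probed = probed_pids(lambda pid: os.path.exists(f"/proc/{pid}"), pid_max)
    preload = ""
    if os.path.exists(PRELOAD_PATH):
        with open(PRELOAD_PATH) as fh:
            preload = fh.read()
    return {"hidden_pids": hidden_pids(listed, probed),
            "preload_entries": suspicious_preload_entries(preload)}


if __name__ == "__main__":
    # Constructed sample: the kernel confirms PIDs 1, 2, 1337 and 4242, but a
    # hooked readdir() dropped 1337 and 4242 from the /proc listing.
    sample_listing = ["1", "2", "self", "sys", "cpuinfo"]
    kernel_known = {1, 2, 1337, 4242}
    hidden = hidden_pids(listed_pids(sample_listing),
                         probed_pids(lambda p: p in kernel_known, 5000))
    print("hidden PIDs:", hidden)  # [1337, 4242]
    # Constructed preload file naming a library in a user-writable prefix.
    sample_preload = "/usr/local/lib/libprocesshider.so  # constructed\n"
    print("preload entries:", suspicious_preload_entries(sample_preload))
```

On a live host, `audit_live_host()` can report short-lived PIDs that exited between the two enumerations; re-running and intersecting the results removes those false positives. An LKM rootkit such as diamorphine hides processes inside the kernel, so this userland comparison does not catch it and should be paired with loaded-module and kernel-integrity checks.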

"It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services, and using this knowledge to gain a foothold in target environments," the business stated.

This development coincides with Uptycs' revelation that the 8220 Gang exploited security holes in Apache Log4j and Atlassian Confluence Server and Data Center as part of a wave of attacks on cloud infrastructure that took place between May 2023 and February 2024.

Security experts Tejaswini Sandapolla and Shilpesh Trivedi said, "By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access. Once inside, they use a variety of sophisticated evasive strategies, exhibiting a thorough comprehension of how to maneuver around and control cloud environments for their benefit. This ensures that their harmful operations stay undiscovered by turning off security enforcement, changing firewall rules, and eliminating cloud security services."

The assaults target both Windows and Linux computers and are designed to install a cryptocurrency miner after a series of stealthy and evasive actions.