By Oleg Kolesnikov of the Securonix Threat Research Team
The Securonix Threat Research Team has been actively investigating and closely monitoring persistent malicious attacks impacting exposed cloud and server infrastructure and has been detecting an increase in the number of automated attacks targeting exposed cloud infrastructure, Hadoop, and YARN instances.
Some of the attacks observed – for example, Moanacroner (a variant of Sustes ) – are fairly trivial, targeted single-vector/single-platform attacks where the focus is mainly on cryptomining. Some attacks, however, are multi-vector/multi-platform threats where multiple functionalities – including cryptomining, ransomware, and botnet/worms for both Linux and Windows – are combined as part of the same malicious threat (for example, XBash).
It is important to take the details/TTPs of these prevalent attacks into consideration when defining the processes and requirements needed to secure your cloud infrastructure and the types of resources that can potentially be impacted.
To prevent or mitigate these attacks, we recommend the following:
- Continuously review your cloud infrastructure services’ exposure to the internet, including Hadoop/YARN, Redis, and ActiveMQ, and restrict access whenever possible to reduce the potential attack surface. Also, consider leveraging a centralized patch management system.
- Consider implementing Redis in protected mode.
- Implement strong password policies for your services mentioned above as some of the malicious threat actors described, such as Xbash, use password brute-force to propagate.
For more information, see the report: “Securonix Threat Research: Detecting Persistent Cloud Infrastructure/ Hadoop/YARN Attacks Using Security Analytics: Moanacroner, XBash, and Others”