Cyber criminals who used a botnet malware that took large parts of the internet offline in 2016 are now abusing Linux servers at scale.
Mirai, an open source malware, was conventionally used to target Internet of Things (IoT) devices like wireless cameras and routers. Malicious actors infamously used Mirai to construct a botnet that led to a devastating distributed denial of service (DDoS) attack against major online platforms.
But researchers have found evidence that certain strains are now targeting Linux servers, with a handful of attackers using custom tools to exploit a Hadoop YARN vulnerability and deliver malware instead of relying on bots to spread.
This is the first time security researchers have spotted non-IoT Mirai "in the wild", according to Network performance management firm Netscout.
"Mirai is no longer solely targeting IoT devices. While the techniques used to deliver Mirai to both IoT and Linux servers may be similar, it's much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices," said Netscout researcher Matthew Bing.
"The limited number of sources we've seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers. Their goal is clear - to install the malware on as many devices as possible."
YARN (Yet Another Resource Negotiator) is a technology deployed as a resource management and job scheduling system for Apache Hadoop. It's responsible for allocating system resources to various applications running a Hadoop cluster, as well as scheduling tasks to execute on different nodes.
The vulnerability manifests as a command injection flaw that allows an attacker to execute arbitrary shell commands and resembles many flaws seen in IoT devices. It's for this reason Mirai attackers see Linux servers as a viable target.
His team's global network of 'honeypot' servers of recorded tens of thousands of attempts to exploit the vulnerability per day, indicating the flaw is being abused "at scale", with attackers sending exploits to as many vulnerable servers as they possibly can.
"Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords," Bing continued.
"What's different now is that among the small, diminutive devices in the botnet lurk fully powered Linux servers."
Data centre-based Linux servers present a greater opportunity to launch DDoS attacks as they have more bandwidth than IoT devices, he explained, with attackers able to build a powerful botnet from just a handful of servers.
Mirai was behind one of the most disruptive DDoS attacks the world has sustained, with cyber criminals sending tens of millions of access requests to domain name system (DNS) provider Dyn from compromised IoT devices.
Dyn is used by a host of industry giants like Twitter, Spotify and Github to name a few, meaning all these services were taken offline when the DNS provider was targeted.
-
AWS CEO Matt Garman says AI agents are going to have 'as much impact on your business as the internet or cloud'News Garman told attendees at AWS re:Invent that AI agents represent a paradigm shift in the trajectory of AI and will finally unlock returns on investment for enterprises.
-
Amazon S3 just got a big performance boostNews The Amazon S3 Vectors service now scales to two billion vectors per index
-
Europol hails triple takedown with Rhadamanthys, VenomRAT, and Elysium sting operationsNews The Rhadamanthys infostealer operation is one of the latest victims of Europol's Operation Endgame, with more than a thousand servers taken down
-
Blackpoint Cyber and NinjaOne partner to bolster MSP cybersecurityNews The collaboration combines Blackpoint Cyber’s MDR expertise with NinjaOne’s automated endpoint management platform
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
Busting nine myths about file-based threatsWhitepaper Distinguish the difference between fact and fiction when it comes to preventing file-based threats
-
The Total Economic Impact™ of the Intel vPro® Platform as an endpoint standardWhitepaper Cost savings and business benefits enabled by the Intel vPro® Platform as an endpotnt standard
-
The Total Economic Impact™ of IBM Security MaaS360 with WatsonWhitepaper Cost savings and business benefits enabled by MaaS360
-
WithSecure Elements EPP and EDR review: Endpoint protection on a plateReviews An affordable cloud-managed solution with smart automated remediation services
-
KuppingerCole leadership compass report - Unified endpoint management (UEM) 2023Whitepaper Get an updated overview of vendors and their product offerings in the UEM market.
