A NewSky Security researcher has discovered a new botnet that exploits unprotected Apache Hadoop servers. The network places bots on vulnerable servers to be used for DDoS attacks in the future. That’s what ZDNet reports.
The botnet initially consisted of a few command and control servers, states cybersecurity company Radware. But that botnet has now grown to more than seventy servers. The servers must scan the Internet for Hadoop installations that use an incorrectly configured YARN module.
YARN stands for Yet Another Resource Negotiator and is a core component of Hadoop’s data processing framework, which is often used in large enterprise networks and cloud computing environments. If the network called DemonBot finds a possible victim, it tries to take advantage of that wrong configuration to install a bot process on the Hadoop system.
According to Radware, DemonBot has grown tremendously in the past month and is now trying to exploit 1 million YARN configurations per day. “Unfortunately, we don’t have a total number of actually infected Hadoop servers,” says Pascal Geenens from Radware. “Bots aren’t scanning or exploiting vulnerabilities, so they don’t generate traffic that we can detect and map.”
Skids
Another question that arises is why this botnet infects servers with high recourses like Hadoop with DDoS bots, instead of installing malware to ignore cryptographic currency. That would bring in more money and create fewer legal problems.
According to Radware, this seems to be the work of so-called “skids”. Skids are creators of malware that use botnets and malware using ready-made scripts that are for sale, use little security and have no long-term plan.
According to Ankit Anubhav of NewSky Security, the botnet also seems to have ties with the makers of the Sora botnet. These creators were also responsible for the creation of various other botnets, including Owari, Wicked, Omni, Anarchy and others. All those botnets were used for DDoS attacks.
The security companies recommend that server administrators review their YARN configurations to prevent any problems from being exploited by the botnet.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.