Apache Hadoop Servers Under Siege: ‘Lucifer’ Botnet Emerges as New Threat.
The ‘Lucifer’ botnet has recently set its sights on organizations utilizing Apache Hadoop and Apache Druid big data technologies. This new version of malware combines cryptojacking and distributed denial of service (DDoS) capabilities, making it a potent threat.
The detection of over 3,000 distinct attacks targeting Hadoop and Druid honeypots within the last month suggests that the attackers are still in a testing phase, and that larger attacks may follow.
This new iteration of the Lucifer botnet poses a significant threat to organizations utilizing Apache Hadoop and Apache Druid big data technologies. Lucifer combines cryptojacking with distributed denial of service (DDoS) attacks, amplifying the damage it can inflict. With threat actors specifically targeting these platforms, organizations running them must bolster their defenses and remain vigilant against emerging cyber threats.
Initially reported by researchers at Palo Alto Networks in May 2020, Lucifer emerged as a self-propagating malware with multifaceted functionalities. Palo Alto Networks characterized it as a dangerous hybrid malware capable of facilitating distributed denial of service (DDoS) attacks or deploying XMRig for Monero cryptocurrency mining purposes. Furthermore, observations revealed that attackers leveraged Lucifer to distribute additional malware and exploits, including the NSA’s leaked EternalBlue, EternalRomance, and DoublePulsar, amplifying its threat potential on targeted systems.
“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto had warned at the time.
Let’s delve into the three unique attack phases employed by the Lucifer botnet:
- Phase 1: Scanning the Internet for Misconfigured Hadoop Instances:
  - During this initial phase, Lucifer actively scans the internet to identify vulnerable Apache Hadoop instances.
  - It seeks out misconfigurations or security weaknesses in Hadoop clusters.
  - Once a potential target is identified, the botnet moves on to the next phase.
- Phase 2: Exploiting Misconfigured Hadoop YARN Clusters:
  - In this stage, Lucifer focuses on exploiting a specific component of Hadoop: the Yet Another Resource Negotiator (YARN).
  - YARN is responsible for managing resources and scheduling jobs within the Hadoop ecosystem.
  - The attackers take advantage of misconfigured YARN clusters to gain unauthorized access.
  - By exploiting these weaknesses, they can execute arbitrary code and potentially compromise the entire cluster.
- Phase 3: Downloading and Executing the Lucifer Malware:
  - The climax of the attack involves deploying the actual Lucifer malware.
  - This malware combines two powerful capabilities:
    - Cryptojacking: It hijacks computing resources to mine cryptocurrencies without the victim’s knowledge.
    - Distributed Denial of Service (DDoS): It can launch coordinated attacks to overwhelm servers or networks.
  - Once the malware is downloaded onto the compromised Hadoop instance, it can wreak havoc by engaging in both cryptojacking and DDoS activities.
In the third phase, the attacker switched tactics: instead of targeting misconfigured Apache Hadoop instances, it began looking for vulnerable Apache Druid hosts. The Apache Druid service on Aqua’s honeypot was unpatched against CVE-2021-25646, a command injection vulnerability in certain versions of the high-performance analytics database. The vulnerability gives authenticated attackers a way to execute user-defined JavaScript code on affected systems.
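The two weaknesses described above, an open YARN cluster and a Druid node willing to run request-embedded JavaScript, are both settings an operator can audit. The following is an added example, not code from the article, Aqua or Palo Alto: it parses Hadoop XML and Druid properties files and flags the settings involved. Property names are real Hadoop/Druid keys; the sample files are constructed (core-site and yarn-site properties merged into one XML for the demo).

```python
# Added example, not code from the article, Aqua or Palo Alto: audit the settings
# behind the YARN misconfiguration and the Druid JavaScript execution described
# above. Property names are real Hadoop/Druid keys; the sample files are constructed
# (core-site/yarn-site properties merged into one XML for the demo).
import xml.etree.ElementTree as ET

WEAK_HADOOP_XML = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>"""

WEAK_DRUID_PROPS = """# constructed runtime.properties
druid.javascript.enabled=true
druid.auth.authenticatorChain=["allowAll"]
"""

def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop *-site.xml document."""
    root = ET.fromstring(text)
    return {p.findtext("name"): (p.findtext("value") or "").strip() for p in root.iter("property")}

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip()
    return props

def audit_hadoop(props):
    """Findings that let anyone submit YARN applications (Hadoop defaults assumed where unset)."""
    findings = []
    if props.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication != kerberos: callers are not authenticated")
    if props.get("yarn.acl.enable", "false").lower() != "true":
        findings.append("yarn.acl.enable=false: no ACL check on application submission")
    if props.get("yarn.resourcemanager.webapp.address", "0.0.0.0:8088").startswith("0.0.0.0"):
        findings.append("ResourceManager web/REST endpoint bound to all interfaces")
    return findings

def audit_druid(props):
    """Findings relevant to user-supplied JavaScript and anonymous API access."""
    findings = []
    if props.get("druid.javascript.enabled", "false").lower() == "true":
        findings.append("druid.javascript.enabled=true: request-embedded JavaScript will run")
    if "allowAll" in props.get("druid.auth.authenticatorChain", '["allowAll"]'):
        findings.append("authenticatorChain allows anonymous requests")
    return findings
```

CVE-2021-25646 itself let a crafted request bypass druid.javascript.enabled on unpatched releases, so the Druid check complements patching rather than replacing it.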
Mitigation Steps:
- Patch and Update:
  - Regularly update and patch your Apache Hadoop and Apache Druid installations.
  - Address known vulnerabilities promptly to prevent exploitation.
- Configuration Hardening:
  - Review and secure configurations for Hadoop and Druid.
  - Ensure that access controls, authentication mechanisms, and network settings are properly configured.
  - Disable unnecessary services and ports.
- Network Segmentation:
  - Isolate Hadoop and Druid clusters from other critical systems.
  - Implement network segmentation to limit lateral movement.
- Monitoring and Anomaly Detection:
  - Deploy intrusion detection systems (IDS) and security information and event management (SIEM) solutions.
  - Monitor network traffic, system logs, and user behavior for signs of compromise.
- Access Control and Authentication:
  - Enforce strong authentication mechanisms.
  - Limit access to authorized users only.
  - Implement role-based access controls (RBAC).
- Regular Security Audits:
  - Conduct periodic security audits to identify misconfigurations and vulnerabilities.
  - Test your defenses against potential attacks.
- Incident Response Plan:
  - Develop an incident response plan specific to Hadoop and Druid environments.
  - Define roles, responsibilities, and communication channels.
  - Be prepared to respond swiftly in case of an attack.
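For the monitoring step, one concrete signal is the YARN ResourceManager audit log: a job submitted as the static web user (the identity Hadoop assigns to anonymous HTTP callers) came in through the unauthenticated REST API, which is exactly the path an open YARN cluster exposes. The following is an added example, not code from the article or from any of the vendors it cites; the log lines are constructed, and their tab-separated KEY=VALUE layout after the logger name is an assumption about the rm-audit.log format.

```python
# Added example (not from the article): flag YARN application submissions that
# match the unauthenticated-REST pattern behind the Hadoop phase of the campaign.
# Log lines are constructed; the KEY=VALUE layout is an assumed rm-audit.log format.
import re
from collections import Counter

# 'dr.who' is the default value of hadoop.http.staticuser.user, the identity Hadoop
# assigns to anonymous HTTP callers; any job it submits arrived unauthenticated.
STATIC_WEB_USER = "dr.who"
INTERNAL_NETS = ("10.", "192.168.")   # constructed allowlist of cluster-internal prefixes
BURST_THRESHOLD = 3                   # submissions from one IP in the sample window

SAMPLE_LOG = """\
2024-03-05 10:12:33,412 INFO RMAuditLogger: USER=etl\tIP=10.0.1.7\tOPERATION=Submit Application Request\tTARGET=ClientRMService\tRESULT=SUCCESS\tAPPID=application_1709630000000_0007
2024-03-05 10:14:01,002 INFO RMAuditLogger: USER=dr.who\tIP=203.0.113.45\tOPERATION=Submit Application Request\tTARGET=ClientRMService\tRESULT=SUCCESS\tAPPID=application_1709630000000_0008
2024-03-05 10:14:01,377 INFO RMAuditLogger: USER=dr.who\tIP=203.0.113.45\tOPERATION=Submit Application Request\tTARGET=ClientRMService\tRESULT=SUCCESS\tAPPID=application_1709630000000_0009
2024-03-05 10:14:02,010 INFO RMAuditLogger: USER=dr.who\tIP=203.0.113.45\tOPERATION=Submit Application Request\tTARGET=ClientRMService\tRESULT=SUCCESS\tAPPID=application_1709630000000_0010
2024-03-05 10:15:44,900 INFO RMAuditLogger: USER=etl\tIP=10.0.1.7\tOPERATION=Kill Application Request\tTARGET=ClientRMService\tRESULT=SUCCESS\tAPPID=application_1709630000000_0007
"""

PAIR_RE = re.compile(r"(\w+)=([^\t]*)")

def parse_audit_line(line):
    """Split an RM audit line into its KEY=VALUE fields (the part after the logger name)."""
    _, _, payload = line.partition("RMAuditLogger: ")
    return dict(PAIR_RE.findall(payload)) if payload else {}

def detect_suspicious_submissions(log_text):
    """Return alert strings for submissions that look like unauthenticated REST abuse."""
    alerts, per_ip = [], Counter()
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("OPERATION") != "Submit Application Request" or f.get("RESULT") != "SUCCESS":
            continue
        ip, user, app = f.get("IP", "?"), f.get("USER", "?"), f.get("APPID", "?")
        per_ip[ip] += 1
        if user == STATIC_WEB_USER:
            alerts.append(f"{app}: submitted as static web user '{user}' from {ip} (unauthenticated REST API)")
        elif not ip.startswith(INTERNAL_NETS):
            alerts.append(f"{app}: submitted by {user} from non-cluster address {ip}")
    for ip, n in per_ip.items():
        if n >= BURST_THRESHOLD:
            alerts.append(f"{ip}: {n} application submissions in the sample window")
    return alerts
```

A SIEM rule built on the same fields (USER equals the static web user, OPERATION is a submission, source address outside the cluster) catches the pattern regardless of which miner or DDoS payload the job eventually launches.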
Remember, proactive measures are crucial to thwart Lucifer’s fiery intentions!