Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/21/2018
01:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Mirai Evolves From IoT Devices to Linux Servers

Netscout says it has observed at least one dozen Mirai variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.

Researchers from Netscout Alert have discovered what they believe are the first non-IoT versions of Mirai malware in the wild.

The new versions are very similar in behavior to the original version of Mirai written for Internet of Things devices, but they are tailored to run on Linux servers instead. Unlike the original Mirai, the new versions do not try and propagate in a worm-like fashion. Instead, attackers are delivering them via exploits in a more targeted manner.

Netscout researchers say they have observed what appears to be a relatively small number of threat actors attempting to deliver the malware on Linux servers by exploiting a recently disclosed vulnerability in Hadoop YARN. The YARN vulnerability is a command injection flaw that gives attackers a way to remotely execute arbitrary shell commands on a vulnerable server. Many of the servers running Hadoop YARN are x86-based.

Netscout has been tracking attempts to exploit the flaw using its global network of honeypots. It says it has observed tens of thousands of exploit attempts daily. In November alone, Netscout observed attackers attempting to deliver some 225 unique malicious payloads via the Hadoop YARN vulnerability.

Of that, at least one dozen of the malware samples were Mirai variants. One was a variant that labeled itself as VPNFilter, though it had nothing to do with the destructive VPNFilter bot that infected more than a half-million small and home office routers earlier this year, the security vendor said.

Unlike typical Mirai IoT variants, which first try and determine a victim machine's CPU architecture to deliver a suitable executable, the Mirai variant that Netscout inspected recently only delivers the x86 variant of the bot. "This version assumes the Hadoop YARN service is running on a commodity x86 Linux server," Netscout says in its report. "Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords."  

Matthew Bing, a security research analyst at Netscout, says the main takeaway for organizations is that threat actors who were once focused on exploiting IoT devices are now also targeting vulnerable Linux servers with the same types of bots. "Servers make an attractive target for DDoS bots for their network speed and hardware resources, compared to relatively underpowered IoT devices," Bing says.

The sources that are launching the attacks appear to be operating across a variety of different countries and networks with little overlap between them. "That suggests this is the work of at least a few groups or individuals," he says.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-1303
PUBLISHED: 2021-01-20
A vulnerability in the user management roles of Cisco DNA Center could allow an authenticated, remote attacker to execute unauthorized commands on an affected device. The vulnerability is due to improper enforcement of actions for assigned user roles. An attacker could exploit this vulnerability by...
CVE-2021-1304
PUBLISHED: 2021-01-20
Multiple vulnerabilities in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization and modify the configuration of an affected system, gain access to sensitive information, and view information that they are not autho...
CVE-2021-1305
PUBLISHED: 2021-01-20
Multiple vulnerabilities in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization and modify the configuration of an affected system, gain access to sensitive information, and view information that they are not autho...
CVE-2021-1312
PUBLISHED: 2021-01-20
A vulnerability in the system resource management of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) to the health monitor API on an affected device. The vulnerability is due to inadequate provisioning of kernel parameters f...
CVE-2021-1349
PUBLISHED: 2021-01-20
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct Cypher query language injection attacks on an affected system. The vulnerability is due to insufficient input validation by the web-based management interf...