Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining


Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.

"The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts," Cado security researcher Matt Muir said in a report shared with The Hacker News.

The activity has been codenamed Spinning YARN by the cloud security company, with overlaps to cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog.

It all starts with the deployment of four novel Golang payloads that automate the identification and exploitation of susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities use masscan or pnscan to hunt for these services.


"For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," Muir explained.
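The report does not spell out how the container escape is achieved, but the usual precondition is a Docker API reachable over TCP without TLS client authentication, after which a container started with `--privileged`, the host PID namespace, or a bind mount of the host root is enough to take over the node. The audit below is an added example (not code from Cado or from the campaign's tooling) that reads `/etc/docker/daemon.json` and `docker inspect` output and flags exactly those settings; the list of "sensitive" host paths and capabilities is my baseline assumption, not something the report provides.

```python
"""Audit Docker daemon and container settings for the misconfigurations that
let whoever can reach the API spawn a container and break out to the host.
Added example; the thresholds below are assumptions, not the report's."""
import json
import sys

# Assumption: capabilities that give a container enough power to manipulate the host.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_READ_SEARCH"}
# Assumption: host paths whose bind mount hands over the host outright.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")


def audit_daemon_config(config: dict) -> list[str]:
    """Flag a daemon that listens on TCP without requiring client certificates."""
    findings = []
    for host in config.get("hosts", []):
        if host.startswith("tcp://") and not config.get("tlsverify", False):
            findings.append(f"daemon API exposed on {host} without tlsverify")
    return findings


def _mount_sources(entry: dict) -> list[str]:
    """Collect host-side sources from both HostConfig.Binds and Mounts."""
    sources = []
    for bind in entry.get("HostConfig", {}).get("Binds") or []:
        sources.append(bind.split(":", 1)[0])          # "/src:/dst:opts" -> "/src"
    for mount in entry.get("Mounts") or []:
        if mount.get("Type") == "bind":
            sources.append(mount.get("Source", ""))
    return list(dict.fromkeys(sources))                 # dedupe, keep order


def _is_sensitive(path: str) -> bool:
    norm = path.rstrip("/") or "/"
    if norm in SENSITIVE_HOST_PATHS:
        return True
    return any(norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_container(entry: dict) -> list[str]:
    """Return human-readable findings for one `docker inspect` entry."""
    name = entry.get("Name", "?").lstrip("/")
    hc = entry.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    caps = {c.replace("CAP_", "") for c in (hc.get("CapAdd") or [])}
    if caps & RISKY_CAPS:
        findings.append(f"{name}: adds capabilities {sorted(caps & RISKY_CAPS)}")
    for src in _mount_sources(entry):
        if _is_sensitive(src):
            findings.append(f"{name}: bind-mounts host path {src}")
    return findings


def audit_inspect_output(text: str) -> list[str]:
    """Audit the JSON array printed by `docker inspect <ids...>`."""
    findings = []
    for entry in json.loads(text):
        findings.extend(audit_container(entry))
    return findings


# Constructed sample data standing in for real daemon.json / docker inspect output.
SAMPLE_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
SAMPLE_INSPECT = json.dumps([
    {"Name": "/miner",
     "HostConfig": {"Privileged": True, "PidMode": "host",
                    "Binds": ["/:/mnt/host:rw"], "CapAdd": None},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/host"}]},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": "",
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                    "CapAdd": ["NET_BIND_SERVICE"]},
     "Mounts": []},
])

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 docker_audit.py
    inspect_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    daemon_cfg = SAMPLE_DAEMON_JSON
    try:
        with open("/etc/docker/daemon.json") as fh:
            daemon_cfg = json.load(fh)
    except (OSError, ValueError):
        pass
    for line in audit_daemon_config(daemon_cfg) + audit_inspect_output(inspect_text):
        print(line)
```

On the sample data the `miner` container produces three findings (privileged, host PID namespace, host root bind-mounted) and `web` produces none; a daemon whose `hosts` includes a `tcp://` listener without `tlsverify` is the exposure the spreader is scanning for in the first place.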

The initial access then paves the way for the deployment of additional tools that install rootkits like libprocesshider and diamorphine to conceal malicious processes, drop the Platypus open-source reverse shell utility, and ultimately launch the XMRig miner.
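libprocesshider works in user space: it is registered in `/etc/ld.so.preload` and hooks `readdir()`, so `ps`, `top` and anything else that lists `/proc` never sees the miner's directory. It does not hook `stat()`, so probing `/proc/<pid>` for every candidate PID still succeeds, and any PID that answers to `stat()` but is missing from the listing is being hidden. The check below is an added example (not code from Cado) that does exactly that; it will not catch diamorphine, which hides processes inside the kernel, and the `pid_max` default it falls back to is an assumption.

```python
"""Surface processes hidden by an LD_PRELOAD rootkit such as libprocesshider.
Added example: readdir() is hooked by the rootkit, stat() is not, so a PID that
stat()s fine but never shows up in os.listdir('/proc') has been hidden."""
import os

LD_PRELOAD_FILE = "/etc/ld.so.preload"
DEFAULT_PID_MAX = 32768          # assumption; the real value is read from /proc


def parse_ld_preload(contents: str) -> list[str]:
    """Return library paths named in an ld.so.preload body (comments stripped).
    A clean host usually has no such file at all."""
    libs = []
    for line in contents.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def listed_pids(listdir=os.listdir) -> set[int]:
    """PIDs visible through readdir()-based enumeration (what ps and top see)."""
    return {int(name) for name in listdir("/proc") if name.isdigit()}


def probed_pids(pid_max: int, stat=os.stat) -> set[int]:
    """PIDs found by stat()ing /proc/<pid> for every candidate up to pid_max.
    A few million stat() calls take seconds, not minutes, on a modern host."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            stat(f"/proc/{pid}")
        except OSError:
            continue
        found.add(pid)
    return found


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs that exist but are filtered out of the directory listing."""
    return probed - listed


def read_pid_max() -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return DEFAULT_PID_MAX


def describe(pid: int) -> str:
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip() or "(no cmdline)"
    except OSError:
        return "(exited)"


if __name__ == "__main__":
    if os.path.exists(LD_PRELOAD_FILE):
        with open(LD_PRELOAD_FILE) as fh:
            for lib in parse_ld_preload(fh.read()):
                print(f"preloaded library: {lib}")
    listed = listed_pids()
    probed = probed_pids(read_pid_max())
    for pid in sorted(hidden_pids(listed, probed)):
        # Re-check to drop the race where a process started or exited between
        # the two passes: a truly hidden PID still exists and is still unlisted.
        if os.path.exists(f"/proc/{pid}") and str(pid) not in os.listdir("/proc"):
            print(f"hidden pid {pid}: {describe(pid)}")
```

Run it as root so every `/proc/<pid>` is stat-able; a non-empty `/etc/ld.so.preload` on a host that nobody configured that way is already a strong indicator on its own, independent of the PID comparison.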

"It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments," the company said.

The development comes as Uptycs revealed 8220 Gang's exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of attacks targeting cloud infrastructure from May 2023 through February 2024.


"By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access," security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.

"Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected."

The attacks, which single out both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion.


It also follows the abuse of cloud services primarily meant for artificial intelligence (AI) solutions to drop cryptocurrency miners as well as host malware.

"With both mining and AI requiring access to large amounts of GPU processing power, there's a certain degree of transferability to their base hardware environments," HiddenLayer noted last year.

Cado, in its H2 2023 Cloud Threat Findings Report, noted that threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is not the only motive.

"With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems," it said. "Cloud and Linux infrastructure is now subject to a broader variety of attacks."
