A new malware campaign, dubbed “Spinning YARN” by cloud security company Cado, is targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services. The campaign aims to deliver a cryptocurrency miner and establish persistent remote access through a reverse shell.
According to Cado security researcher Matt Muir, threat actors exploit common misconfigurations and N-day vulnerabilities to execute Remote Code Execution (RCE) attacks and infect new hosts. The attackers deploy novel Golang payloads capable of automating the identification and exploitation of susceptible services, including Confluence, Docker, Hadoop YARN, and Redis.
The attackers leverage masscan or pnscan to search for vulnerable services. Once access is gained, the attackers spawn containers in Docker environments and escape onto the underlying hosts. Subsequently, additional tools are deployed to install rootkits, conceal malicious processes, drop a reverse shell utility, and launch the XMRig cryptocurrency miner.
The campaign demonstrates attackers’ significant investment in understanding web-facing services in cloud environments and exploiting reported vulnerabilities. This development coincides with Uptycs’ revelation of the 8220 Gang’s exploitation of known security flaws in Apache Log4j and Atlassian Confluence Server and Data Center as part of assaults targeting cloud infrastructure.
The attackers prioritize stealth and evasion: after exploiting unpatched vulnerabilities, they disable security enforcement, modify firewall rules, and remove cloud security services to evade detection. The attacks target both Windows and Linux hosts, deploying cryptocurrency miners after ensuring persistent access.
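The stages the article lays out (port scanning with masscan or pnscan, spawning a container and escaping to the host, tampering with firewall rules and security enforcement, then launching XMRig) each leave a recognizable trace in process-execution telemetry. The following Python example is an addition to this summary, not code from Cado's report or from any tool it names: it runs a small set of stage-keyed rules over constructed process-execution records and reports which stages of the chain appear. The record format (`timestamp user exe args`), the sample lines, the service name `cloud-agent.service`, and the rule patterns are all assumptions standing in for whatever a real auditd or EDR pipeline emits.

```python
import re
from dataclasses import dataclass

# Constructed sample process-execution records (not real telemetry). The
# "timestamp user exe args" layout is an assumption for this example.
SAMPLE_EVENTS = [
    "2024-03-07T10:01:02Z root /usr/bin/masscan masscan -p6379,8088 10.0.0.0/8 --rate 1000",
    "2024-03-07T10:01:40Z root /usr/bin/pnscan pnscan 10.0.0.0/24 2375",
    "2024-03-07T10:02:10Z root /usr/bin/docker docker run -d --privileged -v /:/host alpine",
    "2024-03-07T10:03:00Z root /usr/sbin/iptables iptables -F",
    "2024-03-07T10:03:05Z root /usr/sbin/setenforce setenforce 0",
    "2024-03-07T10:03:30Z root /usr/bin/systemctl systemctl stop cloud-agent.service",
    "2024-03-07T10:04:00Z root /tmp/.x/xmrig xmrig -o pool.example:3333",
    "2024-03-07T10:05:00Z alice /usr/bin/vim vim notes.txt",
    "2024-03-07T10:05:10Z root /usr/bin/docker docker ps",
]

# One rule per stage of the chain described in the article. Patterns are
# illustrative assumptions; tune them to the telemetry you actually collect.
RULES = {
    # masscan / pnscan are the scanners named in the report
    "recon-scanner": re.compile(r"\b(masscan|pnscan)\b"),
    # a container started with host-level privileges or the host root bind-mounted
    "container-escape-attempt": re.compile(r"\bdocker\s+run\b(?=.*(--privileged|-v\s+/:/))"),
    # flushing firewall rules
    "firewall-tamper": re.compile(r"\biptables\s+(-F|--flush)\b"),
    # turning off mandatory access control enforcement
    "security-enforcement-off": re.compile(r"\bsetenforce\s+0\b"),
    # stopping or disabling a security/cloud agent service (name is a placeholder)
    "security-agent-stop": re.compile(r"\bsystemctl\s+(stop|disable)\s+\S*(agent|sensor)\S*"),
    # the miner the campaign deploys
    "cryptominer": re.compile(r"\bxmrig\b"),
}


@dataclass(frozen=True)
class Finding:
    stage: str
    user: str
    command: str


def parse_event(line: str) -> dict:
    """Split one record into its four fields; args keeps its internal spaces."""
    ts, user, exe, args = line.split(" ", 3)
    return {"ts": ts, "user": user, "exe": exe, "args": args}


def classify(args: str) -> list:
    """Return every stage whose rule matches the command line."""
    return [stage for stage, pattern in RULES.items() if pattern.search(args)]


def scan_events(lines) -> list:
    """Run all rules over the records and collect one Finding per (record, stage)."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for stage in classify(event["args"]):
            findings.append(Finding(stage, event["user"], event["args"]))
    return findings


def stages_seen(findings) -> list:
    """Distinct stages observed; several in a short window suggests the full chain."""
    return sorted({f.stage for f in findings})


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.stage}] {f.user}: {f.command}")
    print("stages observed:", ", ".join(stages_seen(results)))
```

Any single hit here is worth a look, but the value of keying rules to stages is in correlation: a scanner, a privileged container launch, firewall and MAC tampering, and a miner all within minutes on one host is the chain the article describes, not a coincidence of benign admin work.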