The Mirai malware which infects Linux-based IoT devices to form large-scale DDoS botnets has recently been discovered infecting commercial-grade Linux servers, according to a recent report from Netscout.
Commercially-hosted linux servers have significantly more network bandwidth and could be used to launch far more damaging Denial-of-Service (Dos) attacks against other Internet-based hosts. Exploiting a vulnerability in the Hadoop YARN API, the Mirai malware is able to infect some Linux servers, using the vulnerability to propagate around other hosts and networks.
The Unauthenticated Command Execution vulnerability in Hadoop YARN was first discovered in March 2018 and allows an attacker with network-level access to the RESTful API of a Hadoop server to execute commands without being authenticated. In most cases, this allows for full, system compromise and allows the Mirai malware to be delivered onto the affected host as a malicious payload. Once infected, the Mirai malware exploits the same vulnerability on other affected hosts to continue propagating.
The Hadoop YARN vulnerability is a relatively simple command injection flaw which allows the attacker to execute arbitrary shell commands. YARN (Yet Another Resource Negotiator) is a core component of Enterprise Hadoop and is used for cluster resource management which enables multiple data processing engines to handle data stored on a single platform. YARN exposes a RESTful API to allow remote services to submit new applications to the cluster and it is a flaw in this API which is being exploited.
System Administrators responsible for Hadoop installations should check their Linux servers are not visible to the Internet or untrusted network segments and restrict access to the Hadoop API so that it is only accessible to trusted clients. Regular vulnerability assessments and penetration testing will help ensure unpatched vulnerabilities or network configuration errors are not exposing your systems to attack or allowing your resources to be leveraged to attack a third-party.
Further information on Mirai malware and the Hadoop YARN vulnerability can be found at the following URLs: