Linux servers running Hadoop targeted by variation of Mirai malware

First sighting of Mirai malware targeting enterprise systems

A new variant of Mirai has been spotted in the wild, not targeting devices like CCTV systems, but enterprise Linux servers running Hadoop.

Mirai was devised specifically to take advantage of cheaply made, internet-connected digital video recorders (DVRs) that are used to record CCTV systems.

Taking advantage of the out-dated, unpatched and insecure versions of Linux the devices run, it is capable of compromising the devices and the networks on which they are connected, and harnessing them into a botnet.

Any other internet-connected devices running outdated versions of Linux can also be compromised by Mirai.

Unpatched Linux servers linger on the network and are being abused at scale by attackers sending exploits to every vulnerable server they can find

The malware was discovered by specialists at network performance management software company Netscout. They said that they observed at least a dozen Mirai variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.

This has led them to believe that hackers are now shifting their focus from IoT devices to commodity Linux servers. Nation-state hackers could also be behind the new variants.

"Like many IoT devices, unpatched Linux servers linger on the network and are being abused at scale by attackers sending exploits to every vulnerable server they can find," Netscout researcher Matthew Bing said in a blog post.

"[We have] been monitoring exploit attempts for the Hadoop YARN vulnerability in our honeypot network and found a familiar, but surprising payload - Mirai."

These versions of Mirai behave much like the original but are tailored to run on Linux servers and not underpowered IoT devices, Bing said.

"While [we have] previously published observations of Windows Mirai, this is the first time we've seen non-IoT Mirai in the wild."

He added that Mirai botmasters that target Linux servers no longer need to tailor their malware for strange architectures, they assume their targets are using x86, and rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves.

"A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware," he added. "Even if the victim Hadoop YARN server is not running the telnet service, the Mirai bot will attempt to brute-force factory default credentials via telnet."

Linux servers in data centres have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots. A handful of well-resourced Linux servers can generate DDoS attacks that compete with a much larger IoT botnet.

Bing concluded that Mirai is no longer solely targeting IoT devices, and while the techniques used to deliver Mirai to both IoT and Linux servers may be similar, it's actually much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices.

"The limited number of sources we've seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers," he explained.

"Their goal is clear - to install the malware on as many devices as possible. Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords."

He noted that the difference now is that the Linux servers being targetd are sitting on corporate networks, making the threat many times greater than it was two years ago.