CIO

Mirai DDoS baddies take enterprise Linux servers over consumer routers

  • Liam Tung (CSO Online)
  • 23 November, 2018 09:25

Two years after the chaotic Mirai botnet blocked access to major websites using hacked consumer routers and other IoT devices, a new variant is taking aim at x86 Linux servers in the enterprise. 

Arbor Networks says it has seen a rise in exploit attempts against Linux servers running Hadoop YARN (Yet Another Resource Negotiator), the resource manager used in Hadoop-based big data platforms in the enterprise.

The attempted attacks on x86 Linux servers are the first instance of a Mirai variant targeting plain old servers rather than IoT devices, according to Arbor Networks’ Mathew Bing.

A key advantage of targeting Linux servers in enterprise datacenters is that they have far more bandwidth than consumer IoT devices, which makes them a much more powerful tool for launching distributed denial of service (DDoS) attacks that overload targets with traffic. It also means the attackers need fewer infected machines.

The characteristics of the attack differ from past IoT variants too. Rather than relying on compromised devices to spread automatically to other vulnerable devices, it appears a small group of attackers is manually scanning the internet for vulnerable instances of Hadoop YARN and delivering Linux malware to them.

The rise in YARN attacks follows the publication of proof-of-concept code for a YARN vulnerability in March. The bug is a command injection flaw that allows an attacker to execute arbitrary shell commands on the server.
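The exposure behind these attacks is a YARN ResourceManager that accepts application submissions from unauthenticated callers. The audit below is an added example, not code from the article or from the Hadoop project; it checks the standard Hadoop core-site.xml and yarn-site.xml keys that govern that exposure, and the sample configuration files are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Values Hadoop applies when a key is absent (core-default.xml / yarn-default.xml).
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
    "yarn.acl.enable": "false",
}

def parse_hadoop_conf(xml_text):
    """Parse a Hadoop <configuration> file into a {name: value} dict."""
    conf = {}
    for prop_el in ET.fromstring(xml_text).iter("property"):
        name = prop_el.findtext("name")
        if name:
            conf[name.strip()] = (prop_el.findtext("value") or "").strip()
    return conf

def audit_yarn_exposure(core, yarn):
    """Return (key, observed value, risk) for settings that let unauthenticated clients submit applications."""
    cfg = {**DEFAULTS, **core, **yarn}
    findings = []
    if cfg["hadoop.security.authentication"].lower() != "kerberos":
        findings.append(("hadoop.security.authentication", cfg["hadoop.security.authentication"],
                         "callers are not authenticated; any client may submit jobs"))
    if cfg["hadoop.http.authentication.type"].lower() == "simple":
        findings.append(("hadoop.http.authentication.type", "simple",
                         "REST API trusts a caller-supplied user name"))
        if cfg["hadoop.http.authentication.simple.anonymous.allowed"].lower() == "true":
            findings.append(("hadoop.http.authentication.simple.anonymous.allowed", "true",
                             "REST API accepts requests carrying no user at all"))
    if cfg["yarn.acl.enable"].lower() != "true":
        findings.append(("yarn.acl.enable", cfg["yarn.acl.enable"],
                         "no ACLs restrict who may submit or kill applications"))
    webapp = cfg.get("yarn.resourcemanager.webapp.address", "")
    if webapp.startswith("0.0.0.0:"):
        findings.append(("yarn.resourcemanager.webapp.address", webapp,
                         "ResourceManager web UI/REST API listens on every interface"))
    return findings

def prop(name, value):
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed sample files: a default-like exposed cluster beside a hardened one.
WEAK_CORE = "<configuration></configuration>"
WEAK_YARN = "<configuration>" + prop("yarn.resourcemanager.webapp.address", "0.0.0.0:8088") + "</configuration>"
HARDENED_CORE = "<configuration>" + prop("hadoop.security.authentication", "kerberos") + prop("hadoop.http.authentication.type", "kerberos") + "</configuration>"
HARDENED_YARN = "<configuration>" + prop("yarn.acl.enable", "true") + prop("yarn.resourcemanager.webapp.address", "rm.internal.example:8088") + "</configuration>"
```

Run against the weak pair it reports five findings; the hardened pair reports none, though Kerberos alone does not replace firewalling the ResourceManager port from the internet.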

Security firm Radware observed the same vulnerability being used exclusively against x86 Hadoop servers to install the DemonBot DDoS malware. In late October Radware was tracking about 70 exploit servers that had persistently attempted around one million attacks per day on YARN servers for the entire month.

Both companies have observed a decline in attack levels, but the rate remains significant. Last week Radware was still seeing 350,000 exploit attempts per day and had identified 1,065 servers as exposed and vulnerable. Attacks against servers in the US and UK accounted for over half of all attack attempts.

Radware also noted that the attackers were not just aiming to install DDoS malware, but also backdoors and cryptocurrency miners. While DDoS attacks might not directly affect the organization that owns the vulnerable servers, cryptocurrency miners can, through increased compute utilization and higher energy bills.

Despite the relatively small number of exposed servers, Radware’s Pascal Geenens argued for caution because big data servers offer attackers a powerful weapon.