Revenge of the DevOps Gangster: Open Hadoop Installs Wiped Worldwide

Wednesday, January 18, 2017

Earlier this month, security news media reported attackers holding internet-exposed MongoDB and Elasticsearch databases for ransom. Attackers said they’d return the data if they got paid -- otherwise, the data would be erased. In many reported instances, attackers simply deleted the data. Unfortunately, more attacks are underway.

Last week, Fidelis Cybersecurity Threat Research observed similar attacks on Internet-facing Hadoop Distributed File System (HDFS) installations. Like the MongoDB and Elasticsearch incidents, attackers would erase all the data on the system. To make matters worse, we confirmed additional attacks on HDFS instances worldwide.

For these events, attackers are leveraging a logical blend of key technology trends:

  • Minimal security. Many new "big-data" database solutions introduced over the past decade include minimal native authentication and security. It's expected that implementers will handle these vital security functions separately. But many times they do not.
  • Mandatory internet access. A number of these solutions are available within the platform-as-a-service (PaaS) model, which must be accessed via the internet. Undoubtedly, numerous managed instances are also directly exposed to the internet. Researchers such as John Matherly have been talking about the risks of such exposed installations for some time.
  • Denial of access. A few years ago, the consequences of exposed data included theft and resale on the underground. We're now seeing ransomware and outright deletion – a 'denial of access' to the user's data. While attackers are targeting end users with ransomware, it has also been effectively deployed against enterprises and their services over the past 18 months.

These factors have combined in attacks against Mongo and Elasticsearch instances in the past few weeks. The purpose of this post is to make the security community aware of similar incidents involving Hadoop delivered by service providers.

Incident

Example HDFS site where data has been wiped (screen capture)

In this case, we observed an attacker erasing most of the directories and creating a single directory called “NODATA4U_SECUREYOURSHIT”. There was no attempt to claim a ransom or any other communication -- the data was simply deleted and that directory name was left as a calling card. We estimate that the potential exposure of this attack is around 8,000-10,000 HDFS installations worldwide, but precise numbers are difficult to determine.

The core issue is the same as with MongoDB: the default configuration can allow “access without authentication.” This means an attacker with basic proficiency in HDFS can start deleting files. On or around January 5 to January 6, traffic to port 50070 soared as attackers scanned for open HDFS installations to target:

Port 50070 traffic from the SANS Internet Storm Center (graph)

Port 50070 traffic graph from Qihoo 360

Port statistics from the SANS Internet Storm Center (above) and Qihoo 360’s Netlab (below) show a significant spike in traffic when this attack occurred on January 5-6. Qihoo shows this almost exclusively from a single Chinese IP of 125.64.94.201. However, it's important not to jump to conclusions about the attacker's location simply by looking at an IP address. Attackers use infrastructure all over the world to hide their identities. Coincidentally, the second highest scanner is adjacent to our suspect, 126.64.94.200.

A quick scan using Shodan shows just how prevalent exposed HDFS installations are. In many cases, installations also lack authentication. The screen capture above was taken from the first few hits while researching this post, and shows those sites had been wiped. It’s unclear what the motivation of the attacker is, but it seems like this was an intentional “security awareness training” exercise, albeit a criminal one.

So what can you do to prevent these attacks?

  • First, avoid having HDFS on internet-facing connections. If that's not possible, use built-in methods that require authentication and only use the HTTPS versions of these web services.
  • Second, remember that no authentication is required by default, so if anything running HDFS connects to the internet, the entire world has access to your data.
  • Third, brush up on attacker tools. Check out some of the freely available Hadoop attack tools, like the Hadoop-attack-library, that make these kinds of attacks easy (note, we found no evidence this specific tool was used in this case).
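As an added illustration of the first two points above (this is not code from the Fidelis post), the following Python audits a Hadoop configuration file for the stock defaults that leave HDFS open: simple/anonymous authentication, plaintext HTTP on the NameNode web port, permissions disabled, and a web UI bound to all interfaces. The two sample documents and the hostname are constructed; the property names are the standard Hadoop configuration keys.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Hadoop core-site/hdfs-site style document carrying the
# stock defaults that leave an internet-reachable NameNode open to anyone.
WEAK_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
  <property><name>dfs.http.policy</name><value>HTTP_ONLY</value></property>
  <property><name>dfs.namenode.http-address</name><value>0.0.0.0:50070</value></property>
  <property><name>dfs.permissions.enabled</name><value>false</value></property>
</configuration>"""

# Constructed sample of the same settings after hardening (hostname is a placeholder).
HARDENED_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
  <property><name>dfs.namenode.http-address</name><value>namenode.internal.example:50070</value></property>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
</configuration>"""


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> element in a Hadoop-style XML file."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_hdfs_config(text):
    """List the settings that expose HDFS; absent keys use Hadoop's documented defaults."""
    cfg = parse_hadoop_xml(text)
    findings = []
    if cfg.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("RPC authentication is 'simple': clients are trusted on a claimed username")
    if (cfg.get("hadoop.http.authentication.type", "simple") == "simple"
            and cfg.get("hadoop.http.authentication.simple.anonymous.allowed", "true") == "true"):
        findings.append("web UI and WebHDFS accept anonymous requests")
    if cfg.get("dfs.http.policy", "HTTP_ONLY") != "HTTPS_ONLY":
        findings.append("dfs.http.policy still serves plaintext HTTP on the NameNode web port")
    if cfg.get("dfs.permissions.enabled", "true").lower() != "true":
        findings.append("dfs.permissions.enabled is false: every caller may delete any path")
    if cfg.get("dfs.namenode.http-address", "0.0.0.0:50070").startswith("0.0.0.0"):
        findings.append("NameNode web UI binds to all interfaces (0.0.0.0)")
    return findings
```

Run `audit_hdfs_config` over the contents of a deployed core-site.xml and hdfs-site.xml (concatenated into one document or called once per file); an empty list means none of the defaults described in this post are present.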

Summary

"Big data" databases are often consumed as a service from third parties or installed and managed from cloud assets. Any database service directly exposed to the internet without adequate authentication is at risk. Exposed data will be stolen, encrypted and/or erased.

Service providers should implement strong authentication and access isolation. Users of such services should assess these protective measures before entrusting their data to these services. Always back up data, and run a robust monitoring program to detect and respond to instances of unauthorized access.

 -- Fidelis Threat Research Team

Fidelis Threat Advisory #1021: The Turbo campaign, featuring Derusbi for 64-bit Linux

Tuesday, March 1, 2016

In the summer of 2015, Fidelis Cybersecurity had the opportunity to analyze a Derusbi malware sample used as part of a campaign we’ve labeled Turbo, for the associated kernel module that was deployed. Derusbi has been widely covered and associated with Chinese threat actors. This malware has been reported to have been used in high-profile incidents like the ones involving Wellpoint/Anthem, USIS and Mitsubishi Heavy Industries. These incidents have ranged from simple targeting to reported breaches. Every one of these campaigns involved a Windows version of Derusbi.

While we’ve analyzed many common variants of Derusbi, this one got our attention because this is a 64-bit Linux variant of Derusbi, the only such sample we have observed in our datasets as well as in public repositories. To our knowledge, no analysis of such malware has been made publicly available.

Key Findings

  • Both the malware and kernel module demonstrate cloaking and anti-analysis techniques. While they mimic techniques observed in Windows tools used by APT in some respects, the use in the Linux environment has forced new and sometimes unique implementations.
  • This Derusbi sample shares command and control (C2) infrastructure with PlugX samples targeting Windows systems seen in public repositories. It is our understanding that these tools were used in conjunction in the campaign.
  • The Derusbi sample has command and control patterns that precisely match those observed with the Windows samples. This will allow for reuse of command and control platforms for intrusions involving both Windows and Linux samples.
  • We believe the binary was recompiled on the same day it was installed, with the kernel module rebuilt to precisely match the configuration on the target system. This suggests the active participation of developers with the team conducting the operation. This is distinct from the workflow associated with the more mature APT tools, where builders for tools like PlugX, Sakula and Derusbi are assumed to be available to multiple actor sets who are likely simply users of these tools.
  • The active participation of developers is further substantiated by the use of the Turbo Linux kernel module, which was clearly compiled for the precise Linux version running on the target system.

Analysis

A number of anti-forensics techniques must be bypassed in order to determine the true capabilities of this sample. Two techniques used to hamper forensic analysis are the ability to run as a memory-resident kernel module, which prevents file-based detection of the Linux Kernel Module on the localhost, and the ability to cleanly remove it from disk.

This 64-bit Linux variant of Derusbi shares many of the common capabilities provided by a typical remote access tool, including directory and file operations, command execution and remote access. Additionally, obfuscation capabilities, such as timestomping and process hiding, make this sample even more interesting and difficult to analyze.

It is important to note that it would take significant effort to replicate the capabilities of the Windows version into the Linux version. This indicates an investment by the adversary to gain additional footholds within a victim’s infrastructure. By adding 64-bit Linux servers and clients to their target list it is evident that advanced threat actors continue to add to their capabilities. Enterprises worldwide have been investing in Windows-based detection and remediation platforms for many years now. Linux is widely used in the datacenter and for hosting critical applications and databases. The use of such malware instantly bypasses entire classes of commercial, Windows-only security products, thus opening up significant new exposures for enterprises.

To see the full report and findings, please visit Fidelis Threat Advisory #1021

View the IOCs, including the Yara rule, on GitHub.

View the Yara rule.

Updated on 3/8/2016 

Fidelis Threat Advisory #1020 Dissecting the Malware Involved in the INOCNATION Campaign

Wednesday, December 16, 2015

Last month, CrowdStrike published a blog on malware campaigns attributed to Sakula. We took a look at the malware specifically in the INOCNATION campaign to analyze what was new and different about the techniques used by the threat actor. It appears the entity behind this campaign took steps to make reverse engineering more difficult and chose the use of Cisco’s AnyConnect Client as a lure to trick victims into installing the malware.

The RAT delivered by this campaign was not particularly interesting and had all the features you would expect in such a tool. The use of the obfuscation techniques was novel and this advisory discusses those in detail, along with how we detected them.

Key Findings:

  • Two passes with different XOR keys used to obfuscate components and strings in the malware
  • Trusted software used as a decoy for initial installation
  • A mangled MZ header used to deceive security products
  • String stacking obfuscation with Unicode strings
  • Multiple layers of obfuscation for command and control traffic
  • Built-in uninstall functionality.

MD5 hashes used in this analysis: (chart image in the original post)

To see the full report and findings, visit Fidelis Threat Advisory #1020 here

Fidelis Cybersecurity’s products detect the activity documented in this paper. Additional technical indicators are published in the paper's appendices and in the Fidelis Cybersecurity GitHub repository at https://github.com/fideliscyber.

We want to thank our fellow security researchers at CrowdStrike for sharing hashes of the malware samples analyzed in this report.

Fidelis Cybersecurity Threat Research Team

A Stalker’s Best Friend: Inside JSocket’s Android Remote Access Tool Builder

Tuesday, November 3, 2015

by John Bambenek  

To see the full threat report and findings, visit Fidelis Threat Advisory #1019 Ratcheting Down on JSocket: A PC and Android Threat. The report includes analysis of PC capabilities and an updated list of JSocket Command-and-Control nodes observed in the wild. Enterprises should monitor their networks for any communication to these nodes and take appropriate action. Additionally, we are including a list of observed hashes of this malware, and a list of IP addresses and hostnames observed as command-and-control systems. Please note that the IP addresses were seen in the configuration; they are not resolved IP addresses for the hostnames in the list.

The mysterious death of Argentine prosecutor Alberto Nisman remains unsolved as government officials cite suicide. Critics suggest he may have been murdered days after filing a report that President Cristina Fernandez conspired to cover up Iranian involvement in the 1994 bombing of a Jewish community center. RAT spyware, called AlienSpy, was found on Nisman’s mobile phone.

Recently, our friends at Recorded Future blogged about the popularity of the Android Remote Access Tools (RATs) AndroRat and DroidJack, which are being used by Iranian hackers. The appeal of RATs for mobile phones continues to grow, as they are readily available and effective. Attackers can remotely access a phone’s camera and microphone to monitor a victim. They can track mobile transactions. They can steal personal information. And they can gain access to corporate networks for launching broader attacks.

Tools like DroidJack make it easy for attackers – even those that do not have advanced technical skills – to compromise and control mobile devices. JSocket, another popular RAT, is also available with a rich blend of features and an easy-to-use interface that allows non-technical users to deploy it against victims.

In June 2015, JSocket emerged as a reincarnation of previous malware. It can remotely control Linux, Mac and Windows machines as well as Android devices. Its Android functionality executes attacks by taking existing mobile applications and embedding malicious code, while victims continue to use their fully functional and otherwise legitimate applications on their phones. For example, attackers could inject JSocket malware into an Angry Birds game application. The end user would play the game normally even as the attacker gains complete access and control.

JSocket Android RAT features remote microphone and camera access, as well as a suite of tools to view and modify text messages and phone calls. It can use the phone’s built-in GPS to track the movements of a victim wherever they happen to be.

GPS (screenshot in the original post)

Use cases of JSocket vary widely. Recent well-publicized reports depict stalkers using such applications to track previous partners. Organized crime syndicates or nation states, motivated by national geopolitical interests (e.g. Iranian threat actors), can use the RAT to infiltrate organizations to steal financial data and information.

To protect against JSocket attacks, enterprise users and consumers should take the following precautions:

  • Do not “root” your phone. Rooting removes some basic built-in protections and gives JSocket greater access to the device.
  • Do not install applications outside of the Google Play store and ensure the security setting “Allow installation of non-Market applications” is set to off.
  • Examine what permissions a mobile application attempts to use upon installation. It is a common tactic for mobile malware to request all available permissions, and this is a good indicator of a problematic application.

Fidelis XPS™ and Resolution1 Endpoint users are protected against this threat by our advanced threat detection capabilities and we’ll continue to monitor this threat as it develops.