A recent analysis has revealed how cybercriminals are taking advantage of misconfigured Apache Hadoop YARN. It is a cluster management technology and part of the Hadoop framework used for executing tasks. The report includes details about payload delivery, attack tactics, and basic security advice.

What happened?

Cybercriminals have been observed deploying crypto-malware such as Kinsing and Coinminer in the YARN service. According to researchers, abusing the Apache Hadoop YARN framework is a big significant security risk. Hackers gather credentials and sensitive information, allowing them to infiltrate as many systems as possible to increase their success rate.

Exploitation tools and techniques

Attackers taking advantage of misconfigured cloud services are employing multiple tactics. 
  • Attackers send commands to the vulnerable service via an HTTP POST request, following which YARN creates a launch script with the attackers’ commands.
  • Once the Hadoop container script is executed, it downloads a remote script that deploys Kinsing malware and a Go-compiled binary with propagation feature. An additional payload includes the Mirai botnet (mostly observed in IoT environments).
  • They are using port scanning tools (masscan) to spot any vulnerable services.


Within the report, experts highlight that disabling the targeted system’s protection offered by cloud services has become one of the attackers’ primary goals. By targeting Hadoop like cloud services, attackers could benefit immensely in a nick of time. Cloud security is not entirely the job of your cloud service provider and shouldn’t be taken for granted. Additionally, organizations engaging with third parties ought to have their own security layers in place for better protection.

Cyware Publisher