Misconfigured data science environments have been targeted by threat actors for sports stream ripping, according to cloud security firm Aqua Security.
Honeypots operated by the company showed that cybercriminals are targeting misconfigured JupyterLab and Jupyter Notebook applications, which are web-based development environments for notebooks, code, and data.
Aqua Security believes that Jupyter solutions are typically used for data science by individuals who may lack awareness of common misconfigurations that can leave servers vulnerable to hackers.
Shodan shows roughly 15,000 internet-exposed Jupyter servers and approximately 1% of them — including ones belonging to individuals and companies — allow remote code execution.
In the attacks observed by Aqua Security’s researchers, threat actors gained access to unprotected Jupyter servers. They updated the compromised server and then downloaded a tool called FFmpeg, which allows users to record, edit and stream audio and video.
The threat actor abused FFmpeg and the compromised server to capture live streams of sporting events and redirected the streams to their own servers.
Illegally broadcasting the streams on their own channels enables threat actors to make a profit through advertising revenue, while causing significant revenue loss for the legitimate broadcaster.
Assaf Morag, threat intelligence director of Aqua Security’s Aqua Nautilus Team, told SecurityWeek that the attack is similar to cryptojacking and DDoS attacks.
In this case, the hijacked Jupyter server is used as an intermediary between a legitimate streaming service and the attacker’s broadcast. The compromised server is abused for its resources and to help the attacker hide their identity.
“This straightforward attack is easy to overlook,” Morag explained in a blog post describing the attack. “While the immediate impact on organizations might appear minimal (though it significantly affects the entertainment industry), it could be dismissed as merely a nuisance.”
“However, it’s crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization’s operations. Potential risks include denial of service, data manipulation, data theft, corruption of AI and ML processes, lateral movement to more critical environments and, in the worst-case scenario, substantial financial and reputational damage,” he added.
Related: Stealthy ‘Perfctl’ Malware Infects Thousands of Linux Servers
Related: Researchers Find Python-Based Ransomware Targeting Jupyter Notebook Web Apps
Related: New ‘Hadooken’ Linux Malware Targets WebLogic Servers