Security researchers have uncovered a surprising new attack methodology for illegal sports streaming, which uses hijacked Jupyter servers.
Aqua Security threat hunters used information gathered from the vendor’s honeypots to discover the campaign. They found “several dozen events” in which the legitimate open source tool ffmpeg was dropped and executed on its Jupyter Lab and Jupyter Notebook honeypots.
“JupyterLab and Jupyter Notebook are two powerful interactive environments for data science. Many organizations utilize these tools for their everyday data operations, but there are some potential risks, if not properly secured,” Aqua’s director of threat intelligence, Assaf Morag, said in a blog post.
“They’re often managed by data practitioners who may lack awareness of common misconfigurations, including connecting the server to the internet with open access without authentication, which allows unauthorized users to run code.”
That’s exactly what the threat actors were attempting with Aqua’s Jupyter honeypots, exploiting unauthenticated access to gain a foothold in the environment and achieve remote code execution (RCE).
“First, the attacker updated the server, then downloaded the tool ffmpeg. Next, the attacker executed ffmpeg to capture live streams of sports events and redirected them to their server,” Morag explained.
The actors would then be able to illegally stream this third-party content via their own server.
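The foothold described above rests on a single server-side misconfiguration: a Jupyter server that listens on a public interface with token and password authentication switched off. The following audit script is an added illustration, not code from Aqua’s report or from the Jupyter project. It parses a `jupyter_server_config.py` / `jupyter_notebook_config.py` file for the real `c.ServerApp.*`, `c.NotebookApp.*` and `c.PasswordIdentityProvider.*` settings and flags the combinations that allow anonymous code execution. The two sample configs embedded below are constructed; the password hash in the hardened one is a placeholder.

```python
"""Audit a Jupyter Server / Notebook config for the settings that expose an
unauthenticated code-execution endpoint to the network.

Settings checked are real Jupyter traitlets (ServerApp.ip, ServerApp.token,
ServerApp.password, PasswordIdentityProvider.hashed_password,
ServerApp.disable_check_xsrf, ServerApp.allow_origin, ServerApp.allow_root).
The sample configs at the bottom are constructed for this example.
"""
import ast
import re

# One assignment per line, e.g.  c.ServerApp.token = ''   # optional comment
_SETTING = re.compile(
    r"^\s*c\.(ServerApp|NotebookApp|IdentityProvider|PasswordIdentityProvider)"
    r"\.(\w+)\s*=\s*(.+?)\s*(#.*)?$"
)


def parse_config(text):
    """Return {setting_name: value} for every recognised c.<Class>.<name> = ... line."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if not m:
            continue
        _cls, key, raw, _comment = m.groups()
        try:
            settings[key] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            settings[key] = raw  # non-literal value (e.g. a call); keep the raw text
    return settings


def audit(settings):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []

    # Authentication is off when the token is explicitly empty and no password
    # (legacy ServerApp.password or PasswordIdentityProvider.hashed_password) is set.
    token = settings.get("token")
    password = settings.get("password") or settings.get("hashed_password")
    auth_off = token == "" and not password
    if auth_off:
        findings.append("authentication disabled: empty token and no password")

    # Listening on all interfaces (or explicitly allowing remote access) turns a
    # local convenience into an internet-facing service.
    ip = settings.get("ip", "localhost")
    remote = ip in ("0.0.0.0", "*", "") or settings.get("allow_remote_access") is True
    if remote and auth_off:
        findings.append(f"server listens on {ip!r} with no authentication: anonymous RCE")

    if settings.get("disable_check_xsrf") is True:
        findings.append("XSRF protection disabled")
    if settings.get("allow_origin") == "*":
        findings.append("allow_origin '*' lets any website script the server")
    if settings.get("allow_root") is True:
        findings.append("running as root amplifies the impact of any code execution")
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config file's text and audit it."""
    return audit(parse_config(text))


# Constructed example of the misconfiguration described in the article.
WEAK_CONFIG = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.disable_check_xsrf = True
c.ServerApp.allow_root = True
"""

# Constructed hardened counterpart: loopback only, password-protected, defaults kept.
HARDENED_CONFIG = """
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
# hash generated with: from jupyter_server.auth import passwd; passwd()
c.PasswordIdentityProvider.hashed_password = 'argon2:PLACEHOLDER_HASH'  # placeholder
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for f in audit_text(cfg) or ["no findings"]:
            print("  -", f)
```

Run against a real deployment by passing the contents of the server’s config file to `audit_text()`. Settings supplied on the command line or through environment variables are not visible to this check, so treat an empty result as “config file looks fine”, not as proof that the running service requires authentication.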
“After analyzing the sources of live streaming the threat actors tried capturing via our server, we concluded that threat actors targeted live streaming broadcasts of the Qatari beIN Sports network,” Morag continued.
“The IP address they used was from Algerian AS (41.200.191.23), indicating that they might be of Arab speaking origin as well.”
Stream ripping, the process of obtaining a permanent copy of live-streamed content, is a popular form of digital piracy. However, there’s also a significant risk to the owner/operator of the misconfigured server, Morag claimed.
“It’s crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization’s operations,” he argued.
“Potential risks include denial of service, data manipulation, data theft, corruption of AI and ML processes, lateral movement to more critical environments and, in the worst-case scenario, substantial financial and reputational damage.”