Attackers are hijacking Jupyter notebooks to host illegal Champions League streams
Amid threats of state-backed APTs turning the geopolitical tide by diving into sensitive networks, some hackers are looking to use misconfigured Jupyter notebook servers to watch UEFA Champions League soccer, according to a new report from Aqua Security.
Researchers at the cloud security company said in a report released Tuesday that hackers were drawn to the misconfigured JupyterLab honeypots not because of possible proprietary data or other sensitive information, but to deploy a popular open-source video software and broadcast a match between the Ukrainian FC Shakhtar Donetsk and the Swiss BSC Young Boys on the Qatari beIN Sports network.
“We saw tennis, saw a UEFA championship game, and we saw some basketball,” said Assaf Morag, threat intelligence director at Aqua Security’s Nautilus research team.
While the motivation is financial, the rare use of misconfigured statistical software also highlights a new vector of attack and possible data-leak source, Morag said.
JupyterLab is a well-known interactive coding environment that is mainly used for data analysis and other scientific or educational uses. Jupyter Notebooks are also seen as an easy way to introduce programming concepts and scientific-friendly languages like Python and R.
Nautilus researchers discovered the scheme while threat-hunting on inbound network traffic, when they noticed unusual activity on honeypot servers. The activity came from streamers taking advantage of unpatched bugs and weak passwords to gain unauthorized access to the Jupyter notebooks, then deploying a shell to download FFmpeg, an open-source software suite used for handling video, audio, and other multimedia files and streams.
Using computer resources for illegal sports streams may not be a critical threat for most organizations, but the information on the notebooks themselves could be sensitive, Morag warned. After a cursory search on the internet-connected device search engine Shodan, Aqua researchers found around 150 Jupyter servers that allow for remote code execution similar to the soccer-viewing scheme.
“Nautilus’ analysis shows some private personal Jupyter notebooks, as well as corporate and startup whose servers are exposed to anyone, actively exploited,” the report noted.
Morag said the entertainment industry is affected most by unlicensed sports streaming. In this case, hackers were directing the video output to ustream.tv, a video-streaming platform that pays through ad revenue.
“To qualify for these earnings, creators often need to meet minimum requirements for followers or view counts,” the report said. “Unfortunately, threat actors exploit similar methods by stream-ripping sports event feeds and illegally broadcasting them on their own channels to profit from unauthorized views and ad revenue.”
Last week, a federal jury convicted a Cuban citizen and U.S. resident for operating the streaming service Jetflicks, which the Department of Justice said contained “one of the largest quantities of infringing works.”
Jetflicks was based in Las Vegas and claimed to have 183,285 television episodes, the DOJ said. The number of offered episodes far outstripped the costly-but-licensed streaming services. The report noted that illegal live-streaming events cut into revenue streams for licensed streamers.
Morag said that organizations that wish to avoid illegal streaming or any other intrusions should run the stack with restricted IPs, strong authentication, HTTPS, and secure token management.
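The controls Morag lists can be checked mechanically before a server goes online. The Python below is an added example, not code from Aqua's report: it reads a Jupyter Server config and flags the weak settings. The `c.ServerApp` trait names are Jupyter Server's own; the sample configs, address, paths and token are constructed, and the 32-character token threshold is an assumption.

```python
import ast
import re

# Constructed sample configs (not from the report). Newer Jupyter Server
# releases also expose token/password under IdentityProvider classes.
WEAK_CONFIG = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.token = ''
c.ServerApp.password = ''
"""
HARDENED_CONFIG = """
c.ServerApp.ip = '10.20.0.5'
c.ServerApp.token = 'PLACEHOLDER-long-random-token-from-secret-store'
c.ServerApp.certfile = '/etc/jupyter/tls/server.crt'
c.ServerApp.keyfile = '/etc/jupyter/tls/server.key'
"""
ASSIGN = re.compile(r"^\s*c\.ServerApp\.(\w+)\s*=\s*(.+?)\s*$")

def parse_config(text):
    """Collect literal c.ServerApp.<trait> assignments; commented lines never match."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        try:
            settings[m.group(1)] = ast.literal_eval(m.group(2))
        except (ValueError, SyntaxError):
            settings[m.group(1)] = None  # computed value: cannot be judged statically
    return settings

def audit(text):
    """Return one finding per control from the article that the config fails."""
    s = parse_config(text)
    ip = s.get("ip", "localhost")  # Jupyter Server's default bind address
    findings = []
    if ip in ("0.0.0.0", "*", "::", ""):
        findings.append("binds to all interfaces; bind one address and restrict source IPs")
    if s.get("token") == "" and not s.get("password"):
        findings.append("token and password both empty: authentication is disabled")
    if ip not in ("localhost", "127.0.0.1", "::1") and not (s.get("certfile") and s.get("keyfile")):
        findings.append("no certfile/keyfile: credentials travel over plain HTTP")
    token = s.get("token")
    if isinstance(token, str) and 0 < len(token) < 32:
        findings.append("token is short; use a long random value kept outside the config")
    return findings
```

An unset token is not flagged because Jupyter Server then generates a random one at startup; only an explicitly empty token with no password disables authentication.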