400K Linux Servers Recruited by Resurrected Ebury Botnet

Published: 23/11/2024   Category: security




Cryptocurrency theft and financial fraud are the new M.O. of the 15-year-old malware operation that has hit organizations around the globe.



A Linux-based botnet is alive and well, powering cryptocurrency theft and financial scams years after the imprisonment of one of the key perpetrators behind it.
The Ebury botnet — which was first discovered 15 years ago — has backdoored nearly 400,000 Linux, FreeBSD, and OpenBSD servers. More than 100,000 servers were still compromised as of late 2023, according to new research from cybersecurity vendor ESET.
Victims include universities, small and large enterprises, Internet service providers, cryptocurrency traders, Tor exit nodes, and many hosting providers worldwide.
Ebury is an OpenSSH backdoor used to steal credentials such as SSH keys and passwords. It creates a backdoor on the infected server that facilitates the deployment of secondary malware modules such as Cdorked, an HTTP backdoor used to redirect Web traffic and modify DNS settings, and Calfbot, a Perl script used to send spam emails.
Over the years, Ebury has served as a platform for spam distribution, Web traffic redirections, and credential-stealing, among other scams. Most recently, the gang running the botnet has pivoted to credit card and cryptocurrency theft, researchers found.
The attackers use adversary-in-the-middle tactics to intercept the SSH traffic of interesting targets — including Bitcoin and Ethereum nodes — within data centers, and then redirect that traffic to a server under their control. Once a would-be victim types their password into a cryptocurrency wallet hosted on the compromised server, Ebury automatically steals those wallets, according to ESET, which this week released updated research and a white paper on the Ebury botnet.
They also appear to be making attempts to muscle out potential credit card theft competitors. Case in point: Ebury malware attempts to detect and remove the BigBadWolf banking Trojan from compromised systems.
Ebury's operators employ zero-day vulnerabilities in server administrator software to hack servers at scale and extract credentials from the victim servers, the researchers found. The attackers also use known passwords and keys to hack into related systems, which allows them to surreptitiously install Ebury on multiple servers rented from any compromised hosting provider.
At one hosting provider, a total of 70,000 servers were compromised by Ebury in 2023, the researchers said.
"Whenever a hosting provider was compromised, it led to a vast number of compromised servers in the same data centers," wrote ESET researcher Marc-Etienne M. Léveillé, who has been investigating Ebury for more than a decade.
In perhaps one of Ebury's most infamous campaigns, from 2009 to 2011, it successfully hacked Kernel.org, which hosts the source code of the Linux kernel. Half of Kernel.org's developer SSH passwords were stolen during that period.
In 2014, ESET revealed that it had teamed up with Dutch police in an investigation of servers in the Netherlands suspected of being compromised with Ebury malware. Then in 2015, one of the Ebury perpetrators, Russian citizen Maxim Senak, was arrested at the Finland-Russia border and extradited to the US.
He eventually pled guilty to fraud and computer hacking charges in 2017 and was sentenced to 46 months in prison.
Since then, Ebury's remaining masterminds have kept a low profile. "They don't advertise their activities and we've never seen them attempting to sell access to compromised systems on Dark Net forums," ESET's Léveillé wrote in his post.
The Dutch National High Tech Crime Unit (NHTCU) in 2021 contacted ESET after finding Ebury on the server of a victim of cryptocurrency theft. That law enforcement investigation into Ebury remains ongoing.
Ebury malware operators regularly add new features. The latest version 1.8.2, spotted earlier this year, bundles new obfuscation techniques, a new domain-generation algorithm, and a stealthier rootkit functionality.
ESET this week released a set of detection and remediation tools to help system administrators determine whether their systems are compromised by Ebury.
Clean-up operations are non-trivial for an Ebury infection, ESET warns. Robert Lipovsky, principal threat intelligence researcher at ESET, told Dark Reading that even if system admins sanitize their infected servers, the cybercriminals behind Ebury might be able to reinstall the malware if compromised credentials get reused.
While there are tools available for adding multi-factor authentication to SSH servers, deployment is not simple, so system admins often skip that extra level of security. The continuing problems posed by Ebury illustrate the lack of visibility into Linux-based server-side threats, ESET's Léveillé told Dark Reading.
