Satoshi Nakamoto Blog

Linux Servers Endangered by A New Crypto-Mining Malware


Posted on February 6, 2019 at 10:31 AM

According to a new report from Check Point security researchers, a new malware campaign is targeting Linux servers in a number of South American and Asian countries. The report, published on Monday, calls the campaign 'SpeakUp,' after one of its command-and-control server names. So far the threat has used vulnerabilities to infiltrate at least six Linux distributions, and the researchers say it can also infect macOS.

As is often the case with new threats, the malware has so far avoided detection by anti-virus software. It installs a backdoor that can later be used for further access. Researchers estimate that the SpeakUp campaign has affected over 70,000 servers around the world.

So far, all the attackers have used the compromised servers for is running cryptocurrency mining software. Their focus is Monero (XMR), the coin usually chosen in such campaigns because it can be mined on ordinary CPUs and is hard to trace. Researchers traced the wallet receiving the mined coins and found that the attackers had already mined 107 XMR, worth around $4,600 at the time.

Check Point's attempts to attribute the attacks have not yet succeeded, although the researchers believe a Russian hacking group called Zettabit might be behind the campaign. There is no solid proof yet, and SpeakUp is implemented differently from the group's previous malware, but several similarities still point towards Zettabit.

What does SpeakUp do?

According to Check Point, the attackers exploit a recently patched flaw in the ThinkPHP web framework to gain access to servers that have not applied the fix. They then plant SpeakUp, a backdoor trojan, which currently uses the compromised servers for crypto mining. At the same time, a built-in Python script keeps the infection spreading, probing other machines on the network with brute-force attacks.

It can also scan internal and external networks for further vulnerabilities to exploit, run shell commands, download files from the C&C server, update itself, or uninstall itself if required.

While running, SpeakUp contacts the C&C server every three seconds to ask for new orders. The researchers say it understands three commands: notask, newtask, and newerconfig.
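A fixed three-second polling interval is itself something a defender can look for in outbound proxy or firewall logs. The script below is an added illustration, not code from the original article or from Check Point's report: it reads constructed proxy log lines (the log format, the host names and the thresholds are assumptions made for this example) and flags any source that requests the same destination at a short, nearly constant interval.

```python
"""Flag hosts that poll the same destination at a fixed, short interval.

Added illustration of a beaconing heuristic over constructed proxy log
lines. The log format, host names and thresholds are assumptions for the
example, not details taken from the Check Point report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_host> <path>".
# 10.0.0.5 polls one host every 3 seconds; 10.0.0.7 browses at human pace.
SAMPLE_LOG = """\
2019-02-04T10:00:00 10.0.0.5 example-c2.invalid /tasks
2019-02-04T10:00:03 10.0.0.5 example-c2.invalid /tasks
2019-02-04T10:00:06 10.0.0.5 example-c2.invalid /tasks
2019-02-04T10:00:09 10.0.0.5 example-c2.invalid /tasks
2019-02-04T10:00:12 10.0.0.5 example-c2.invalid /tasks
2019-02-04T10:00:15 10.0.0.5 example-c2.invalid /tasks
2019-02-04T10:00:01 10.0.0.7 www.example.com /index.html
2019-02-04T10:00:44 10.0.0.7 www.example.com /news.html
2019-02-04T10:02:10 10.0.0.7 www.example.com /about.html
2019-02-04T10:05:31 10.0.0.7 www.example.com /contact.html
2019-02-04T10:09:02 10.0.0.7 www.example.com /index.html
2019-02-04T10:15:40 10.0.0.7 www.example.com /news.html
"""


def parse_log(text):
    """Group request timestamps by (source IP, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split(maxsplit=3)
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_requests=5, max_mean_interval=10.0, max_jitter=0.2):
    """Return flows whose inter-request gaps are short and nearly constant.

    jitter is the coefficient of variation (stdev / mean) of the gaps: a
    perfectly regular poller scores 0.0, irregular browsing scores far higher.
    Flows with too few requests or a long average gap are ignored.
    """
    hits = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_requests:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0 or avg > max_mean_interval:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "requests": len(stamps),
                         "mean_interval": avg, "jitter": jitter})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['requests']} requests, "
              f"every {hit['mean_interval']:.1f}s (jitter {hit['jitter']:.2f})")
```

On the sample input only 10.0.0.5 is reported, with a mean interval of 3.0 seconds and zero jitter. The jitter threshold matters more than the exact period: an operator can change the sleep from three seconds to anything else with a one-line edit, and many backdoors randomize the delay, so treat this as a triage signal to combine with the C&C host names and other indicators published in the report rather than as a signature for SpeakUp itself.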

More dangerous than it seems

While breaching 70,000 servers is no small feat, so far the threat has done little beyond spreading further and mining a little over 100 coins. However, its infection methods, obfuscated payloads and propagation techniques would make it far more dangerous should the operators decide to change the malware's purpose.

Check Point warns that the payload could be swapped for more damaging code with relative ease. It is not yet clear what such a change would involve or how the malware would then behave, but the researchers agree that the careful groundwork laid so far looks like preparation for a much bigger threat that has yet to arrive. The effort put into the campaign is too great for crypto mining to be its only purpose while the ability to deploy additional payloads remains.

ThinkPHP is used mostly in countries such as China and Brazil, but it is also used in the US. No US-based servers had been infected as of the report, although the researchers believe it is only a matter of time before that happens.

Author: Ali Raza
Publisher: Koddos
