A major discovery has unveiled a long-standing compromise of the infrastructure supporting the Linux operating system kernel. Advanced malware infiltrated this critical system, starting as far back as 2009 and being discovered in 2011. At least four servers within kernel.org, the heart of Linux development and distribution, fell victim to this sophisticated attack.
2011 Kernel.org Compromise:
- Sophisticated malware infected at least four servers, gaining access to crucial files like /etc/shadow.
- This led to the compromise of 551 user accounts, with half of them having their passwords exposed.
- The compromised servers were then used for spam and other illicit activities.
Phalanx and Ebury Malware:
Dubbed Phalanx, the malware installed a rootkit on servers and devices, compromising 448 accounts.
- Additionally, Ebury malware infected kernel.org servers, creating backdoors in OpenSSH.
- Over 22 months, Ebury infected 25,000 servers, including those in hosting facilities and a domain registrar.
- The infection on kernel.org actually began in 2009, affecting at least four Linux Foundation servers by 2011.
- In total, Ebury compromised over 400,000 Linux servers over 15 years.
Propagation Methods of Ebury:
- Ebury utilized various methods like credential stuffing and exploiting vulnerabilities to spread.
- It targeted universities, enterprises, ISPs, cryptocurrency exchanges, and more.
Infections at Scale:
- Ebury’s impact reached a large US-based domain registrar and web hosting provider, affecting infrastructure with over 1.5 million accounts.
- By 2023, 110,000 servers were compromised, with one hosting provider seeing 70,000 infected servers.
Revenue Generation from Compromised Servers:
- Attackers exploited compromised servers for various illicit activities including theft of payment card information and cryptocurrency.
- They added malicious Apache and kernel modules and scripts to further their operations.
Mitigation Strategies:
- It’s recommended to use multi-factor authentication (MFA) for SSH servers to combat such threats.
- However, MFA deployment is not widespread, and continuous monitoring is crucial due to the evolving nature of the malware.
This discovery highlights the critical need for robust cybersecurity measures to protect essential infrastructure.
0 Comments