A major discovery has unveiled a long-standing compromise of the infrastructure supporting the Linux operating system kernel. Advanced malware infiltrated this critical system, starting as far back as 2009 and being discovered in 2011. At least four servers within kernel.org, the heart of Linux development and distribution, fell victim to this sophisticated attack.

2011 Kernel.org Compromise:

• Sophisticated malware infected at least four servers, gaining access to crucial files like /etc/shadow.
• This led to the compromise of 551 user accounts, with half of them having their passwords exposed.
• The compromised servers were then used for spam and other illicit activities.

Phalanx and Ebury Malware:

• Ebury’s impact reached a large US-based domain registrar and web hosting provider, affecting infrastructure with over 1.5 million accounts.
• By 2023, 110,000 servers were compromised, with one hosting provider seeing 70,000 infected servers.

Revenue Generation from Compromised Servers:

• Attackers exploited compromised servers for various illicit activities including theft of payment card information and cryptocurrency.
• They added malicious Apache and kernel modules and scripts to further their operations.

Mitigation Strategies:

• It’s recommended to use multi-factor authentication (MFA) for SSH servers to combat such threats.
• However, MFA deployment is not widespread, and continuous monitoring is crucial due to the evolving nature of the malware.

This discovery highlights the critical need for robust cybersecurity measures to protect essential infrastructure.