The Ebury botnet - which was first discovered 15 years ago - has backdoored nearly 400,000 Linux, FreeBSD, and OpenBSD servers.
More than 100,000 servers were still compromised as of late 2023, according to new research from cybersecurity vendor ESET. Victims include universities, small and large enterprises, Internet service providers, cryptocurrency traders, Tor exit nodes, and many hosting providers worldwide.
Anatomy of a Threat
Ebury is an OpenSSH backdoor used to steal credentials such as SSH keys and passwords.
Over the years, Ebury has served as a platform for spam distribution, Web traffic redirections, and credential-stealing, among other scams.
Ebury also goes after cryptocurrency: once a victim types the password for a cryptocurrency wallet hosted on a compromised server, Ebury automatically steals that wallet, according to ESET, which this week released updated research and a white paper on the botnet.
Ebury even attempts to detect and remove the BigBadWolf banking Trojan from systems it has compromised.
Ebury's operators use zero-day vulnerabilities in server administration software to compromise servers at scale and extract credentials from the victim machines, the researchers found.
They also reuse the passwords and keys they have already harvested to break into related systems, which lets them quietly install Ebury on many servers rented from any hosting provider they have compromised.
At one hosting provider alone, a total of 70,000 servers were compromised by Ebury in 2023, the researchers said.
In one of Ebury's most infamous campaigns, from 2009 to 2011, it compromised Kernel.org, which hosts the source code of the Linux kernel.
Cops and Robbers
In 2014, ESET revealed that it had teamed up with Dutch police to investigate servers in the Netherlands suspected of being compromised with Ebury.
One of the Ebury perpetrators, Russian citizen Maxim Senakh, was arrested at the Finland-Russia border and extradited to the US. He pleaded guilty to fraud and computer hacking charges in 2017 and was sentenced to 46 months in prison.
Ebury's remaining masterminds have kept a low profile.
The Dutch National High Tech Crime Unit in 2021 contacted ESET after finding Ebury on the server of a victim of cryptocurrency theft.
That law enforcement investigation into Ebury remains ongoing.
Keeping Linux Safe from Ebury
Ebury's operators regularly add new features to the malware.
ESET this week released a set of detection and remediation tools to help system administrators determine whether their systems are compromised by Ebury.
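ESET's own tools are not reproduced here. As an added example (not ESET's tool and not from the original article), the following POSIX shell script shows one generic check an administrator can run alongside them: list every file mapped into the sshd process and flag anything loaded from a writable or non-package location, or already deleted from disk. A backdoor injected into OpenSSH has to be mapped into the process somewhere, and that is where it tends to stand out. The /proc maps excerpt is constructed for the demo, and the ALLOWED_PREFIX allowlist is an assumption to tune per distribution.

```shell
#!/bin/sh
# Added example, not ESET's detection tool: flag files mapped into sshd that
# do not come from the system's package-managed locations. A library loaded
# from /tmp, /dev/shm, a home directory, or a file unlinked after loading is
# a strong signal worth a closer look. ALLOWED_PREFIX is an assumption for a
# merged-/usr layout; adjust it for your distribution.

ALLOWED_PREFIX='^/(usr|lib|lib32|lib64|bin|sbin|etc)/'

# suspicious_maps MAPS_FILE: read a /proc/<pid>/maps file and print each
# distinct mapped path that is outside ALLOWED_PREFIX or marked "(deleted)".
suspicious_maps() {
    awk -v allowed="$ALLOWED_PREFIX" '
        # field 6 is the backing file; pseudo-mappings such as [stack] have no path
        NF >= 6 && $6 ~ /^\// {
            path = $6
            flag = ($0 ~ /\(deleted\)$/)      # file unlinked after being loaded
            if (path !~ allowed) flag = 1     # loaded from a writable location
            if (flag && !seen[path]++) print path
        }
    ' "$1"
}

# check_sshd: run the check against the listening sshd on a live host.
# Not executed in the demo below; reading another process maps needs root.
check_sshd() {
    pid=$(pgrep -o -x sshd) || { echo "sshd not running" >&2; return 2; }
    suspicious_maps "/proc/$pid/maps"
}

# --- demo on a constructed maps excerpt (not captured from a real host) ---
demo_maps=$(mktemp)
cat > "$demo_maps" <<'EOF'
55d1c3a00000-55d1c3a3c000 r--p 00000000 fd:01 1234567 /usr/sbin/sshd
7f3c2b400000-7f3c2b42b000 r--p 00000000 fd:01 2345678 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3c2b600000-7f3c2b604000 r-xp 00000000 fd:01 3456789 /dev/shm/.x/libs.so (deleted)
7f3c2b604000-7f3c2b605000 rw-p 00004000 fd:01 3456789 /dev/shm/.x/libs.so (deleted)
7f3c2b800000-7f3c2b810000 rw-p 00000000 00:00 0 [stack]
7f3c2ba00000-7f3c2ba20000 r-xp 00000000 fd:01 4567890 /tmp/.cache/libx.so
EOF
echo "suspicious mappings in demo:"
suspicious_maps "$demo_maps"
rm -f "$demo_maps"
```

On a live host, run `check_sshd` as root, then verify the remaining (allowed) paths against the package database with `dpkg -V openssh-server` or `rpm -V openssh-server` and `dpkg -S`/`rpm -qf` on each library; a mapped file that no package owns, or whose checksum no longer matches its package, deserves the same suspicion as one loaded from /tmp. The check is a generic sanity test, not a substitute for ESET's Ebury-specific indicators.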
Cleaning up an Ebury infection is non-trivial, ESET warns.
Robert Lipovsky, principal threat intelligence researcher at ESET, told Dark Reading that even after administrators sanitize an infected server, the criminals behind Ebury may be able to reinstall the malware if compromised credentials are reused.
While there are tools for adding multi-factor authentication to SSH servers, deployment is not simple, so administrators often skip that extra layer of security. Because Ebury captures SSH keys and passwords, any key or password that was stored on or typed through an infected host should be treated as exposed and replaced as part of the cleanup; otherwise a single-factor SSH login remains a way back in.
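The settings that close that door are a handful of sshd_config keywords, and checking them is easy to script. As an added example (not ESET's tool and not from the original article), the POSIX shell script below audits the global section of an sshd_config against an assumed policy: no password logins, no root logins, and every login must present two factors (a public key plus a PAM keyboard-interactive second factor such as a TOTP module). The two sample configs are constructed for the demo; the policy and the file layout assumptions are mine.

```shell
#!/bin/sh
# Added example, not ESET's or Dark Reading's: audit an sshd_config against an
# assumed policy (no passwords, no root, two factors for every login).

# ssh_opt FILE KEYWORD: print the effective global value of KEYWORD in FILE,
# lowercased. sshd honours the first occurrence of a keyword, and settings
# below a Match block are conditional, so reading stops at the first Match.
# Assumes the "Keyword value" form; run against `sshd -T` output to resolve
# Include directives and compiled-in defaults.
ssh_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print tolower($0); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per weak setting; the return value is
# the number of findings, so 0 means the file meets the policy.
audit_sshd_config() {
    f="$1"; n=0

    pw=$(ssh_opt "$f" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then            # sshd default is yes
        echo "PasswordAuthentication=${pw:-yes}: a stolen password alone logs in (want: no)"
        n=$((n + 1))
    fi

    root=$(ssh_opt "$f" PermitRootLogin)
    case "${root:-prohibit-password}" in         # default in current OpenSSH
        no) ;;
        *) echo "PermitRootLogin=${root:-prohibit-password}: want no"; n=$((n + 1)) ;;
    esac

    # AuthenticationMethods lists one or more chains; a chain with a single
    # method means one stolen credential is enough, so every chain needs 2+.
    am=$(ssh_opt "$f" AuthenticationMethods)
    ok=1; needs_kbd=0
    [ -n "$am" ] || ok=0
    for chain in $am; do
        case "$chain" in *,*) ;; *) ok=0 ;; esac
        case "$chain" in *keyboard-interactive*) needs_kbd=1 ;; esac
    done
    if [ "$ok" -eq 0 ]; then
        echo "AuthenticationMethods=${am:-unset}: one factor is enough (want e.g. publickey,keyboard-interactive)"
        n=$((n + 1))
    fi

    # keyboard-interactive only works if sshd will actually run the PAM stack
    if [ "$needs_kbd" -eq 1 ]; then
        kbd=$(ssh_opt "$f" KbdInteractiveAuthentication)
        pam=$(ssh_opt "$f" UsePAM)
        if [ "${kbd:-yes}" != "yes" ] || [ "${pam:-no}" != "yes" ]; then
            echo "keyboard-interactive required but KbdInteractiveAuthentication/UsePAM are not both yes"
            n=$((n + 1))
        fi
    fi
    return "$n"
}

# --- demo on two constructed configs (not taken from a real host) ---
weak=$(mktemp); hard=$(mktemp)
cat > "$weak" <<'EOF'
# typical distro default: a key or a password, one factor
PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$hard" <<'EOF'
# key plus PAM second factor (e.g. pam_google_authenticator) for every login
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
EOF
for cfg in "$weak" "$hard"; do
    echo "== $cfg"
    audit_sshd_config "$cfg" && echo "OK: meets policy"
done
rm -f "$weak" "$hard"
```

On a real server, `sshd -T | audit_sshd_config /dev/stdin` audits the effective configuration rather than the file on disk. The hardened sample requires both factors in sequence; with the PAM module configured, a stolen private key or password by itself no longer opens an SSH session, which is exactly the reinstall path ESET warns about.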
Published on www.darkreading.com, Sat, 18 May 2024 08:05:25 +0000.