ESET: Ebury botnet infected 400,000 servers in 15 years of activity

Father

When will specialists finally be able to eliminate this elusive server monster?

According to a recent report from ESET, the Ebury botnet has infected nearly 400,000 Linux servers since 2009. At the end of 2023, about 100,000 servers were still under threat.

ESET researchers have been monitoring Ebury's activities for more than a decade. They recorded significant malware updates in 2014 and 2017. A recent operation by Dutch law enforcement agencies has provided new data on the activities of a "long-running" botnet.

"Although 400,000 is a huge number, it is important to understand that this is the total number of infections in almost 15 years. Not all machines were infected at the same time," ESET explains. "There are constantly new servers that get infected while others are being cleaned up or decommissioned."

Ebury's latest attacks aim to hack hosting providers and conduct supply chain attacks that affect customers who rent virtual servers.

The initial hacking is done through attacks using stolen credentials, and once compromised, the malware steals SSH connection lists and authentication keys to gain access to other systems.

"If the known_hosts file contains hashed information, attackers are trying to crack its contents," ESET experts warn. "Of the 4.8 million records collected by Ebury operators, about two million had hashed hostnames. 40% of them were hacked."

Attacks can also exploit known vulnerabilities in server software to increase their privileges. In addition, the infrastructure of hosting providers is effectively used by attackers to distribute Ebury across containers or virtual environments.

In the next step, malware operators intercept SSH traffic on target servers using ARP spoofing. When a user logs in to an infected server via SSH, Ebury records their credentials.

If the servers contain cryptocurrency wallets, Ebury uses the stolen credentials to automatically empty those wallets. In 2023, at least 200 servers were attacked in this way, including Bitcoin and Ethereum nodes.

Moreover, the attackers manage to use monetization strategies in their botnet, including stealing credit card data, redirecting web traffic to generate revenue from advertising and affiliate programs, sending spam and selling stolen credentials.

At the end of 2023, ESET discovered new obfuscation methods and a domain generation system that allow the botnet to avoid detection and improve its resistance to blocking. In addition, recent observations have shown the use of the following malicious modules in the activities of the Ebury botnet:
  • HelimodProxy: a proxy server for sending spam;
  • HelimodRedirect: redirecting HTTP traffic to malicious sites;
  • HelimodSteal: stealing data from HTTP POST requests;
  • KernelRedirect: modifying HTTP traffic at the kernel level;
  • FrizzySteal: interception and theft of data from HTTP requests.

ESET's investigation was conducted in collaboration with the Dutch National Cybercrime Unit (NHTCU), which confiscated a backup server used by cybercriminals.

Dutch authorities report that Ebury operators use fake or stolen identities, sometimes posing as other cybercriminals, to confuse the investigation. The investigation is ongoing, but no specific charges have been filed so far.
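The article notes that Ebury operators try to crack hashed known_hosts entries. The following added example (not part of the post or ESET's report) shows how OpenSSH's HashKnownHosts format works and audits a constructed known_hosts file for hostnames still stored in the clear, which a stolen file would leak without any cracking; the hostnames, salt and keys are made up.

```python
"""Audit an OpenSSH known_hosts file for clear-text hostnames.

With HashKnownHosts, OpenSSH stores each host as
|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))|
so the file names no hosts directly, but a candidate name can still be
tested against each entry, which is why hashed entries are crackable.
"""
import base64
import hashlib
import hmac
import os


def hash_hostname(hostname, salt=None):
    """Return the '|1|salt|mac|' host field OpenSSH writes for hostname."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())


def entry_matches(host_field, hostname):
    """Check a hashed or plain host field against a candidate hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = host_field.split("|", 4)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")  # plain field: comma-separated names


def plaintext_hosts(known_hosts_text):
    """Return host names readable from the file without any cracking."""
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        host_field = line.split(None, 1)[0]
        if not host_field.startswith("|1|"):
            found.extend(host_field.split(","))
    return found


# Constructed sample file: one hashed entry, one clear-text entry (fake keys).
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# hashed by HashKnownHosts yes",
    hash_hostname("db1.example.internal", SALT) + " ssh-ed25519 AAAAC3FakeKeyForExample",
    "git.example.internal,10.0.0.5 ssh-rsa AAAAB3FakeKeyForExample",
])

if __name__ == "__main__":
    print("clear-text hosts:", plaintext_hosts(SAMPLE_KNOWN_HOSTS))
    hashed_field = SAMPLE_KNOWN_HOSTS.splitlines()[1].split()[0]
    print("hashed entry is db1?", entry_matches(hashed_field, "db1.example.internal"))
```

Running it on a real file with `plaintext_hosts(open(path).read())` lists every host that a thief of that file would learn for free; enabling `HashKnownHosts yes` and rotating the key material on those hosts removes that exposure but not the cracking risk for low-entropy names.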