SecurityWeek

Malware & Threats
400,000 Linux Servers Hit by Ebury Botnet 

The Ebury Linux botnet has ensnared over 400,000 Linux systems in 15 years, with roughly 100,000 still infected.

The Ebury Linux botnet’s expansion has continued uninterrupted over the past decade, with approximately 100,000 infected systems identified at the end of 2023, ESET reports.

Initially uncovered in 2014, when it consisted of 25,000 systems, the Ebury botnet survived a takedown attempt and the sentencing of Maxim Senakh for his involvement in the operation.

An OpenSSH backdoor and credential stealer, Ebury has received constant updates and is estimated to have infected over 400,000 hosts since 2009, abusing them for financial gain, a new ESET report (PDF) shows.

“There is a constant churn of new servers being compromised while others are being cleaned up or decommissioned,” ESET notes, explaining that the botnet peaked at 110,000 ensnared systems in 2023, after compromising a large hosting provider and infecting roughly 70,000 servers.

In fact, many of the infected systems are servers belonging to hosting providers, which has allowed the attackers to intercept the SSH traffic of interesting targets and redirect it to an attacker-controlled server that captures login credentials.

“Almost all compromised systems are servers, not end user devices. Servers help run the internet by hosting web pages, acting as authoritative name servers, performing financial transactions, etc,” ESET points out.

Additionally, the malware operators were seen targeting Tor exit nodes along with Bitcoin and Ethereum nodes to steal cryptocurrency wallets hosted on them, as well as eavesdropping on network traffic to steal credit card data.

According to ESET, the botnet’s operators are highly active, using zero-days in administrator software for bulk server compromise, targeting the infrastructure of other threat actors to steal data exfiltrated from their victims, and using new malware to perform web traffic redirection.


Ebury is deployed on the compromised systems with root privileges. The operators gain that access through techniques such as credential stuffing, access to hypervisors to infect the systems running on them, compromised hosting providers to infect all rented servers, and SSH adversary-in-the-middle (AitM) attacks.

The malware’s operators were also seen exploiting zero-day bugs, such as CVE-2021-45467, an unauthenticated file inclusion issue in the Control Web Panel (CWP) web hosting panel, and CVE-2016-5195 (Dirty COW), a race condition in the Linux kernel that leads to privilege escalation.

Between 2009 and 2011, Ebury was installed on at least four servers belonging to the Linux Foundation, providing its operators with access to files containing hundreds of login credentials.

Furthermore, the botnet’s operators used a Perl script to detect other OpenSSH credential stealers and collect information from them. They also compromised the infrastructure used by other stealers, such as servers used by Vidar Stealer and a Mirai botnet author’s system.

For persistence, the malware either hijacks a library that is loaded whenever an OpenSSH client or server is launched, or replaces the original OpenSSH binaries with backdoored versions. To hide its presence, Ebury compromises all SSH sessions.
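The two persistence methods just described (a hijacked library pulled in when ssh or sshd starts, and replaced OpenSSH binaries) suggest two cheap host checks: list what sshd actually links against, and verify the installed files against the package manager's records. The script below is an added example written for this article; it is not ESET's tooling or SecurityWeek's, and the `ldd` and `rpm -V` output it runs on is constructed. It assumes a conventional distribution library layout (the `TRUSTED_LIB_DIRS` tuple) and the `openssh-server` package name; adjust both for your platform.

```python
"""Host checks for the two OpenSSH persistence methods described above: a
hijacked shared library pulled in when ssh/sshd starts, and a replaced
OpenSSH binary. Example code added for this article, not ESET's tooling.
All sample output below is constructed and does not come from a real host."""
from __future__ import annotations

import re
import shutil
import subprocess

# Directories a stock OpenSSH build is expected to load its libraries from.
# Assumption: a common distro layout; adjust to your own build/platform.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# One resolved dependency line of `ldd` output: "soname => path (0xaddr)".
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")


def suspicious_libraries(ldd_output: str) -> list[tuple[str, str]]:
    """Return (soname, path) pairs that resolve outside TRUSTED_LIB_DIRS.
    A dependency of sshd living in /tmp, /dev/shm or a home directory is
    what a hijacked-library persistence method looks like from the outside."""
    hits = []
    for line in ldd_output.splitlines():
        match = LDD_LINE.match(line)
        if not match:
            continue  # vdso, the dynamic loader itself, or "not found" lines
        soname, path = match.group(1), match.group(2)
        if not path.startswith(TRUSTED_LIB_DIRS):
            hits.append((soname, path))
    return hits


def preload_entries(ld_so_preload_text: str) -> list[str]:
    """Libraries forced into every dynamically linked process through
    /etc/ld.so.preload. On most servers this file should not exist at all."""
    return [line.strip() for line in ld_so_preload_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def modified_package_files(verify_output: str) -> list[str]:
    """Parse `rpm -V <pkg>` / `dpkg -V <pkg>` output and return files whose
    size ('S' in column 1) or digest ('5' in column 3) differ from the
    package, or that are missing. A replaced sshd shows up here unless the
    package database itself was tampered with."""
    changed = []
    for line in verify_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        status, path = parts[0], parts[-1]
        if status == "missing":
            changed.append(path)
        elif len(status) == 9 and (status[0] == "S" or status[2] == "5"):
            changed.append(path)
    return changed


# Constructed sample data showing what a hit would look like; not real output.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2c5e8000)
\tlibcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a4c200000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a4be00000)
\tlibhelper.so.1 => /dev/shm/.cache/libhelper.so.1 (0x00007f1a4c7c0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a4c800000)
"""

SAMPLE_VERIFY = """\
S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/sshd_config
missing      /usr/share/doc/openssh-server/README
"""


def main() -> None:
    """Run the checks against the live host when the tools are present."""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    if shutil.which("ldd"):
        out = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
        print("libraries outside trusted dirs:", suspicious_libraries(out))
    try:
        with open("/etc/ld.so.preload", encoding="utf-8") as fh:
            print("ld.so.preload entries:", preload_entries(fh.read()))
    except FileNotFoundError:
        print("no /etc/ld.so.preload (expected)")
    for tool in ("rpm", "dpkg"):
        if shutil.which(tool):
            out = subprocess.run([tool, "-V", "openssh-server"],
                                 capture_output=True, text=True).stdout
            print(f"{tool} -V changed files:", modified_package_files(out))


if __name__ == "__main__":
    main()
```

Both checks rely on ground truth that lives on the host being examined, so a clean result from a box where the attacker holds root is only weak evidence; comparing the package's file digests against a copy fetched from the distribution mirror, or running the same checks from a rescue environment, removes that dependency.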

Ebury keeps state information, configuration, and harvested credentials in memory. Recent versions have also been seen injecting FrizzySteal into libcurl to exfiltrate HTTP POST requests made by applications that use the library, and being injected into shells spawned by connections to a compromised OpenSSH server.

After compromising a server, the botnet’s operators connect to it periodically to exfiltrate harvested credentials. They were also seen using scripts to automate functions such as harvesting new SSH private keys and a list of running services.

The cybercriminals were also seen deploying malware such as HelimodSteal and HelimodRedirect to steal HTTP requests or redirect them.

Recent Ebury activity shows a shift in monetization tactics, including cryptocurrency and credit card data theft, spam sending, and credential theft. To this end, the operators have been using specific Apache modules, a kernel module, tools to hide traffic through the firewall, and scripts to mount AitM attacks.

According to ESET, the Ebury operators have mounted AitM attacks against at least 200 targets across 75 autonomous systems (AS) in 34 countries, including reachable Bitcoin and Ethereum nodes.
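Host-key pinning is the client-side control that bears on the SSH adversary-in-the-middle attacks described above: a session redirected to an attacker-controlled server presents a different host key unless the genuine private key was also stolen. The code below is an added example, not part of this article or of ESET's research; `bastion.example`, `db.example` and the key blobs are constructed, and `check_pins`, `parse_known_hosts` and `fingerprint_sha256` are names chosen here.

```python
"""Pinned SSH host-key check. Added example for this article, not ESET's or
SecurityWeek's code. Every hostname and key blob below is constructed."""
from __future__ import annotations

import base64
import hashlib


def fingerprint_sha256(key_b64: str) -> str:
    """SHA-256 fingerprint in the format `ssh-keygen -lf` prints:
    'SHA256:' + base64(SHA-256(raw key blob)) with the '=' padding removed."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> dict[tuple[str, str], str]:
    """Map (host, keytype) -> base64 key blob for plain-text entries.
    Hashed (|1|...) entries and @cert-authority/@revoked markers are skipped;
    they need their own handling and are out of scope here."""
    entries: dict[tuple[str, str], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@", "|1|")):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, key_b64 = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = key_b64
    return entries


def check_pins(known_hosts_text: str,
               pins: dict[tuple[str, str], str]) -> list[tuple[str, str, str]]:
    """Compare every pinned (host, keytype) fingerprint with what known_hosts
    holds. Returns (host, keytype, 'ok' | 'mismatch' | 'missing') tuples."""
    seen = parse_known_hosts(known_hosts_text)
    results = []
    for (host, keytype), expected in pins.items():
        key_b64 = seen.get((host, keytype))
        if key_b64 is None:
            results.append((host, keytype, "missing"))
        elif fingerprint_sha256(key_b64) != expected:
            results.append((host, keytype, "mismatch"))
        else:
            results.append((host, keytype, "ok"))
    return results


def _constructed_key(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 key blob from a seed so the
    sample below is self-contained. These are not real keys."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(blob).decode("ascii")


KEY_BASELINE = _constructed_key(b"constructed baseline host key")
KEY_ROGUE = _constructed_key(b"constructed rogue host key")

# Pins recorded from a trusted baseline (constructed values).
PINS = {
    ("bastion.example", "ssh-ed25519"): fingerprint_sha256(KEY_BASELINE),
    ("db.example", "ssh-ed25519"): fingerprint_sha256(KEY_BASELINE),
}

# known_hosts as it might look after a redirected session: bastion now
# carries a different key and db.example has no entry yet (constructed).
SAMPLE_KNOWN_HOSTS = f"""\
# comment line
bastion.example,10.0.0.5 ssh-ed25519 {KEY_ROGUE}
@cert-authority *.example ssh-ed25519 {KEY_BASELINE}
"""


if __name__ == "__main__":
    for host, keytype, status in check_pins(SAMPLE_KNOWN_HOSTS, PINS):
        print(f"{host} ({keytype}): {status}")
```

The fingerprint encoding matches what `ssh-keygen -lf` prints, so pins can be recorded from a trusted baseline and compared with `StrictHostKeyChecking yes` set on the clients. A mismatch is only a signal: when a hosting provider's hypervisor or the target's own OpenSSH installation is compromised, as the article describes, the attacker can present the genuine key and this check passes, so it complements server-side integrity checks rather than replacing them.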

Related: Botnet Disrupted by FBI Still Used by Russian Spies, Cybercriminals

Related: Researchers Discover 40,000-Strong EOL Router, IoT Botnet

Related: US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
