Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

ShellShock Exploits Used in Expansion of ‘Mayhem’ Linux Botnet

Cybercriminals are expanding the Linux botnet dubbed “Mayhem” by leveraging the recently discovered vulnerabilities in the GNU Bash shell, according to researchers.

Cybercriminals are expanding the Linux botnet dubbed “Mayhem” by leveraging the recently discovered vulnerabilities in the GNU Bash shell, according to researchers.

The Mayhem malware, a multipurpose threat targeting Linux and UNIX Web servers, was first analyzed in May by the Malware Must Die research group. In July, researchers at the Russian Internet company Yandex published a detailed paper on the botnet. Based on data from two command and control (C&C) servers, the experts identified roughly 1,400 compromised machines.

Malware Must Die has been monitoring the botnet and found that cybercriminals are currently attempting to expand it with the aid of ShellShock, the set of Bash flaws that can be leveraged to execute arbitrary code on affected servers.

According to researchers, the attackers first scan servers to see if they are vulnerable to ShellShock. When a vulnerable device is found, the Bash bug is exploited to download a malware installer written in Perl. In the past, this installer was a PHP script, Malware Must Die pointed out.

Once the threat is installed on a system, it creates a hidden file system where it stores its components, including the plugins it uses to carry out tasks such as brute-force attacks and data theft.

As of October 11, Malware Must Die had identified a total of 53 IP addresses involved in such attacks, with 25 of them located in the United States. The attacks have been traced back to a total of 23 countries.

“These attacker IPs are the combination between (known) Mayhem bots we monitor and unknown sources (including the suspected possibility of new panels/CNC/bots),” Malware Must Die wrote in a blog post.

“Many of today’s enterprises have adopted public cloud-based services that run on systems that can be infected by Mayhem, but the enterprise has no visibility into whether servers have been patched, no ability to dictate patch schedules, and no visibility into whether exploits of Mayhem have resulted in theft of their data or user credentials,” Rich Campagna, VP of products at Bitglass, told SecurityWeek. “The operational benefits of moving to the public cloud are not without tradeoffs for the enterprise, specifically loss of security and visibility. Enterprises must keep in mind that outsourcing an application to the cloud does not mean that they have outsourced responsibility for protection of their data.”

Advertisement. Scroll to continue reading.
Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.