
ShellShock Exploits Used in Expansion of ‘Mayhem’ Linux Botnet

Cybercriminals are expanding the Linux botnet dubbed “Mayhem” by leveraging the recently discovered vulnerabilities in the GNU Bash shell, according to researchers.

The Mayhem malware, a multipurpose threat targeting Linux and UNIX Web servers, was first analyzed in May by the Malware Must Die research group. In July, researchers at the Russian Internet company Yandex published a detailed paper on the botnet. Based on data from two command and control (C&C) servers, the experts identified roughly 1,400 compromised machines.

Malware Must Die has been monitoring the botnet and found that cybercriminals are currently attempting to expand it with the aid of ShellShock, the set of Bash flaws that can be leveraged to execute arbitrary code on affected servers.

According to researchers, the attackers first scan servers to see if they are vulnerable to ShellShock. When a vulnerable device is found, the Bash bug is exploited to download a malware installer written in Perl. In the past, this installer was a PHP script, Malware Must Die pointed out.
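The scan-then-exploit sequence described above leaves a recognizable trace in web server logs: a ShellShock probe places a Bash function-definition prefix in an HTTP header (User-Agent, Referer, or the request line) so that a CGI script inherits it as an environment variable. The following Python script is an added example, not code from the article or from Malware Must Die or Yandex; it parses Apache/nginx "combined" format access logs, flags requests carrying that prefix, and tallies the source IPs so a defender can check which hosts scanned which CGI paths. The log lines, the IP addresses (from documentation ranges) and the header contents are constructed for the example.

```python
import re

# Bash function-definition prefix that ShellShock probes embed in an HTTP header
# value. Tolerates the whitespace variants seen in the wild ("() {" / "() {").
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): two probes from one scanner, one benign hit.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2014:03:12:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [11/Oct/2014:03:12:45 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2014:03:12:46 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {:;}; echo probe" "curl/7.38.0"
"""


def parse_combined(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(entry):
    """True if any attacker-controlled field carries the Bash function prefix."""
    return any(SHELLSHOCK_RE.search(entry[field]) for field in ("request", "referer", "ua"))


def find_shellshock_probes(log_text):
    """Scan a log and return one record per request that looks like a ShellShock probe."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = parse_combined(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the whole scan
        if is_shellshock_probe(entry):
            hits.append({
                "line": lineno,
                "ip": entry["ip"],
                "request": entry["request"],
                "status": entry["status"],
            })
    return hits


def summarize_sources(hits):
    """Count probes per source IP; a host probing several CGI paths is a scanner."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    probes = find_shellshock_probes(SAMPLE_LOG)
    for p in probes:
        # A 200 on a /cgi-bin/ path from a probe IP deserves a closer look at that host.
        print(f"line {p['line']}: {p['ip']} -> {p['request']} (HTTP {p['status']})")
    print("probes per source:", summarize_sources(probes))
```

Because the article notes that attackers scan before exploiting, the most useful output is the per-source tally: a single IP hitting several CGI paths with the prefix is the scanning phase, and any such request that returned 200 on a server with an unpatched Bash is where the Perl installer download described above would have followed.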

Once the threat is installed on a system, it creates a hidden file system where it stores its components, including the plugins it uses to carry out tasks such as brute-force attacks and data theft.

As of October 11, Malware Must Die had identified a total of 53 IP addresses involved in such attacks, with 25 of them located in the United States. The attacks have been traced back to a total of 23 countries.

“These attacker IPs are the combination between (known) Mayhem bots we monitor and unknown sources (including the suspected possibility of new panels/CNC/bots),” Malware Must Die wrote in a blog post.

“Many of today’s enterprises have adopted public cloud-based services that run on systems that can be infected by Mayhem, but the enterprise has no visibility into whether servers have been patched, no ability to dictate patch schedules, and no visibility into whether exploits of Mayhem have resulted in theft of their data or user credentials,” Rich Campagna, VP of products at Bitglass, told SecurityWeek. “The operational benefits of moving to the public cloud are not without tradeoffs for the enterprise, specifically loss of security and visibility. Enterprises must keep in mind that outsourcing an application to the cloud does not mean that they have outsourced responsibility for protection of their data.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
