Free Cheese is usually in the mouse trap – Beware of malware-infected Linux Tools

Val Komarovskiy, MBA

Microsoft’s cybersecurity researchers recently discovered an attack that specifically targets Linux-based systems and Internet of Things (IoT) devices.

The attack utilizes a combination of custom and open-source tools to compromise the targeted devices. By taking advantage of vulnerabilities in the patched OpenSSH software made available on “free Linux Tools” websites such as freeware and open-source tool libraries, the attackers gain control over the devices and proceed to install cryptomining malware on them.

To establish their control, the threat actors use criminal infrastructure that abuses a subdomain belonging to a financial institution in Southeast Asia as a command and control (C2) server. Through it they deploy a backdoor on the compromised devices.

The backdoor employs various techniques, such as rootkits and an IRC bot, to exploit the resources of the devices for mining cryptocurrency. In addition, it carries out the following tasks:

Deploys a modified version of OpenSSH to maintain persistence on the compromised device.

Hijacks SSH credentials to gain unauthorized access to other systems.

Performs lateral movement within the network to expand its reach.

Conceals malicious connections to avoid detection.

Infected Linux Tools attack flow

The attack starts with the threat actors targeting internet-facing Linux devices on which one of the “free” infected tools or freeware packages available to the public has been downloaded. That software runs in the security context of the user who downloaded and installed it.

Upon compromising a device, they take steps to cover their tracks by disabling shell history. Simultaneously, they fetch a compromised OpenSSH archive (openssh-8.0p1.tgz) from a remote server.

The attack involves deploying a backdoor shell script and a modified OpenSSH binary, which add two public keys for persistent SSH access. This allows the threat actors to gather information and install Reptile and Diamorphine LKM rootkits to conceal their malicious activities on the compromised systems.

The backdoor serves multiple purposes, including eliminating competing miners, adding iptables rules to control network traffic, and modifying the ‘/etc/hosts’ file to block competitor traffic.

Additionally, it identifies and terminates miner processes, blocks file access, and removes SSH access configured by the threat actors in the authorized keys file.

The attackers employ the ZiggyStarTux IRC bot, which is based on the Kaiten malware and possesses distributed denial-of-service (DDoS) capabilities as well as the ability to execute bash commands. To ensure persistence, the backdoor malware utilizes several techniques, including:

Replicating binaries in multiple disk locations.

Setting up cron jobs for regular execution.

Furthermore, the backdoor registers itself as a systemd service named ‘ZiggyStarTux’, with its service file located at ‘/etc/systemd/system/network-check.service’.

The bots are instructed to download and execute shell scripts intended to brute-force live hosts and vulnerable systems that carry the trojanized OpenSSH packages.

According to a Microsoft report, the attackers’ ultimate goal is to install mining malware specifically targeting Linux-based Hiveon OS systems. This malware is intended for cryptomining purposes, and the attackers execute lateral movement within the network to accomplish this objective.
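Turning the attack flow above into a host check, as an added example that is not part of the original post or of Microsoft's report: the script below looks for the artifacts described (the network-check.service unit, added authorized_keys entries, disabled shell history, cron persistence, the Reptile and Diamorphine modules, and a modified OpenSSH package). The ROOT parameter and the temp-directory cron heuristic are assumptions made here, not details from the report.

```shell
#!/bin/sh
# Added example, not code from the original post or Microsoft's report. Audits a
# host for the persistence artifacts described above. ROOT (a parameter added
# here) lets the same checks run on a mounted disk image or a test tree.
ziggy_audit() {
  root="${1:-/}"; n=0
  # 1. systemd persistence: the service file named in the report
  f="$root/etc/systemd/system/network-check.service"
  if [ -e "$f" ]; then
    echo "systemd: $f present, $(grep -ci ziggystartux "$f") ZiggyStarTux reference(s)"; n=$((n+1))
  fi
  # 2. the backdoor adds two public keys: list every authorized_keys file for review
  for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
    [ -f "$f" ] || continue
    echo "authorized_keys: $f has $(grep -cE '(^|[[:space:]])(sk-)?(ssh|ecdsa)-' "$f") key(s)"; n=$((n+1))
  done
  # 3. shell history disabled in rc files, or the history file pointed at /dev/null
  for f in "$root"/etc/profile "$root"/etc/bash.bashrc "$root"/root/.bashrc "$root"/home/*/.bashrc; do
    [ -f "$f" ] || continue
    grep -qE '(unset +HISTFILE|HISTFILE=/dev/null|HISTSIZE=0)' "$f" && { echo "history: $f disables history"; n=$((n+1)); }
  done
  for f in "$root"/root/.bash_history "$root"/home/*/.bash_history; do
    [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ] && { echo "history: $f -> /dev/null"; n=$((n+1)); }
  done
  # 4. cron persistence; flagging jobs run from temp dirs is a heuristic assumed here, not from the report
  for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    grep -qE '/(tmp|var/tmp|dev/shm)/' "$f" && { echo "cron: $f runs a job from a temp dir"; n=$((n+1)); }
  done
  # 5. Reptile / Diamorphine LKM rootkits (live host only); both hide themselves, so a miss proves nothing
  for m in reptile diamorphine; do
    [ -d "$root/sys/module/$m" ] && { echo "rootkit: kernel module $m loaded"; n=$((n+1)); }
  done
  # 6. live host: verify the OpenSSH packages against the package database (any output is a mismatch)
  if [ "$root" = / ]; then
    command -v dpkg >/dev/null 2>&1 && dpkg -V openssh-server openssh-client 2>/dev/null | sed 's/^/dpkg: /'
    command -v rpm >/dev/null 2>&1 && rpm -V openssh-server openssh-clients 2>/dev/null | sed 's/^/rpm: /'
  fi
  return $(( n > 255 ? 255 : n ))   # exit status = number of findings
}
if [ $# -gt 0 ]; then ziggy_audit "$1"; fi
```

Run it as root on the live host (`sh audit.sh /`) or against a mounted image (`sh audit.sh /mnt/image`); a non-zero exit status means at least one finding to review.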

How to mitigate this attack vector

Ensure that device configurations are set up securely to enhance protection; utilize an Azure firewall for traffic ingress and control or a Network Security Group to limit admin access to an IP address you know. 

Azure NSG lockdown
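One way to apply that NSG lockdown with the Azure CLI, as an added example that is not from the original post: the resource group and NSG names are placeholders supplied by the caller, and a guard function refuses the weak setting of allowing SSH from any source.

```shell
#!/bin/sh
# Added example, not from the original post. Restricts inbound SSH on an Azure Network
# Security Group to one known admin source with the Azure CLI, and refuses the weak
# setting (source "*", "Internet" or 0.0.0.0/0) that would leave port 22 open to everyone.
# Resource group and NSG names are placeholders passed in by the caller.

# Return 0 only when the source is a single address or a prefix no wider than /24.
ssh_source_is_locked_down() {
  case "$1" in
    ''|'*'|Internet|Any|0.0.0.0|0.0.0.0/0|::/0) return 1 ;;
    */*) [ "${1#*/}" -ge 24 ] 2>/dev/null ;;
    *) return 0 ;;
  esac
}

nsg_lock_ssh() {   # usage: nsg_lock_ssh <resource-group> <nsg-name> <admin-ip-or-cidr>
  ssh_source_is_locked_down "$3" || { echo "refusing: source '$3' would expose SSH broadly" >&2; return 2; }
  # allow SSH only from the admin source ...
  az network nsg rule create --resource-group "$1" --nsg-name "$2" --name AllowSSHFromAdmin \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$3" --destination-port-ranges 22 &&
  # ... and explicitly deny SSH from everywhere else at a lower priority (higher number)
  az network nsg rule create --resource-group "$1" --nsg-name "$2" --name DenySSHFromAnywhere \
    --priority 110 --direction Inbound --access Deny --protocol Tcp \
    --source-address-prefixes '*' --destination-port-ranges 22
}
if [ $# -eq 3 ]; then nsg_lock_ssh "$@"; fi
```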

Regularly update your devices to maintain their health and security. Run the update on the Linux machine itself with the following commands:

Update is used to resynchronize the package index files from their sources on Ubuntu Linux via the Internet.

sudo apt-get update 

Upgrade is used to install the newest versions of all packages currently installed on the Ubuntu system.

sudo apt-get upgrade 

Install is followed by one or more packages desired for installation. If a package is already installed, it will try to update it to the latest version.

sudo apt-get install package-name

Strengthen security measures by limiting access privileges. You can list the local user accounts, and then review which of them hold administrative access, with the following command:

sudo cut -d: -f1 /etc/passwd | sort

This command uses sudo to run the command with administrative privileges. It reads the /etc/passwd file, which contains user account information, and then uses cut to extract the usernames (the first field, delimited by :). Finally, sort is used to sort the usernames in alphabetical order.
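The command above lists every local account. To narrow that down to the accounts that actually hold administrative rights, here is an added example (not from the original post) that checks UID 0 entries, admin group membership and sudoers rules; the file-path parameters are an assumption made here so it can be run against a copied set of files as well as the live system.

```shell
#!/bin/sh
# Added example, not code from the original post. Lists accounts that actually hold
# administrative rights: UID 0 entries, members of the sudo/wheel/admin groups and of any
# %group granted in sudoers, and users named directly in sudoers. The file paths are
# parameters (an assumption added here) so the function can also run on a copied test set.
admin_users() {
  passwd="${1:-/etc/passwd}" group="${2:-/etc/group}" sudoers="${3:-/etc/sudoers}" sudoers_d="${4:-/etc/sudoers.d}"
  {
    # any account with UID 0 is root-equivalent, whatever it is called
    awk -F: '$3 == 0 { print $1 }' "$passwd"
    # %group rules in sudoers (reading sudoers needs root), plus the usual distro admin groups
    for g in sudo wheel admin $(cat "$sudoers" "$sudoers_d"/* 2>/dev/null | awk '$1 ~ /^%/ && $2 ~ /=/ { print substr($1, 2) }'); do
      # supplementary members are the comma-separated 4th field of the group entry
      awk -F: -v g="$g" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$group"
    done
    # users named directly in a rule ("dave ALL=(ALL) ALL"); comments, Defaults, %group and @include lines are skipped
    cat "$sudoers" "$sudoers_d"/* 2>/dev/null | awk '$1 !~ /^(#|Defaults|%|@)/ && $2 ~ /=/ { print $1 }'
  } | sort -u   # one name per line; compare against who should have admin access
}
if [ $# -gt 0 ]; then admin_users "$@"; fi
```

Run it with sudo on the live system (`sudo sh admin_users.sh`) so /etc/sudoers is readable; User_Alias expansions and primary-group membership are not resolved.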

Keep OpenSSH up to date with the latest version for improved performance and enhanced security.

Official OpenSSH website: https://www.openssh.com/

You can navigate to the Downloads section of the website to find the latest releases of OpenSSH for various operating systems. Since the attack above relies on a trojanized archive (openssh-8.0p1.tgz) fetched from a remote server, verify the PGP signature (the .asc file published alongside each release tarball) before building, and never build from an archive obtained from an unofficial mirror.

-OR- use the official package repository:

For Debian/Ubuntu-based distributions, you can use the apt package manager:

sudo apt update
sudo apt install openssh-server

For Red Hat-based distributions (CentOS, Fedora, RHEL), you can use the dnf or yum package manager:

sudo dnf install openssh-server   # or sudo yum install openssh-server

Implement a comprehensive and robust security solution for your IoT devices with a centralized administrative access management layer.

Utilize security solutions that provide detection capabilities and enable monitoring across multiple domains, for example Microsoft Sentinel with a Linux monitoring collection and connector. 
