Security Week 17: Implications of Linux Server Attack

An interesting study about attacks on Unix-like systems was published last week. It describes how to build a honeypot from a Docker container (news, Akamai's original article). Docker as such was not essential: the behaviour of the bot operators described in the report was no different from an attack on any other network-accessible Linux system with a default password. But Docker does raise the likelihood of operator error, when a container with default settings is accidentally brought up exposed to the network.

Accordingly, the "hacking" in this experiment is very simple: the image was brought up with an easily guessed root password; more precisely, several typical login/password pairs such as root:root or oracle:oracle were tested. What is of interest is what the attackers did next. In a number of successful logins the scenario was the same: the compromised system was used as a proxy server, and not even for criminal purposes: traffic from Netflix, Twitch and similar services was observed, evidently to circumvent regional restrictions. But there were also successful attempts to connect the system to a botnet.

As expected, the server was attacked by various incarnations of the Mirai botnet, which have become numerous since the original source code was published online. In one case the attackers installed a cryptocurrency miner on the server and at the same time made sure they could get back in: the root password was changed to an empty one and an SSH key was added. The miner itself was registered in the cron scheduler so that it starts after a reboot, and in the process list it masquerades as a DHCP client.
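The four traces described above (an emptied root password, an added SSH key, a cron entry that survives reboot, and a process borrowing a system daemon's name) are all cheap to check for. The audit below is an added example, not code from the report or from Akamai; all inputs are constructed samples standing in for /etc/shadow, root's authorized_keys, the crontab and a process listing, and the allow-list of known key comments and the set of daemon names are assumptions.

```python
# Audit a Linux host for the post-compromise traces described above.
# All inputs are constructed samples; on a real host they would come from
# /etc/shadow, ~root/.ssh/authorized_keys, the crontabs and /proc/*/exe.

# Locations a system service binary has no business running from (assumed).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Daemon names an implant might borrow to blend into the process list (assumed).
SYSTEM_NAMES = {"dhclient", "dhcpcd", "sshd", "cron", "rsyslogd"}

def empty_password_accounts(shadow_lines):
    """Accounts whose password hash field is empty, i.e. login needs no password."""
    found = []
    for line in shadow_lines:
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":
            found.append(fields[0])
    return found

def unknown_keys(authorized_keys, known_comments):
    """authorized_keys entries whose comment field is not on the allow-list."""
    unknown = []
    for line in authorized_keys:
        parts = line.split()
        comment = parts[2] if len(parts) >= 3 else ""
        if comment not in known_comments:
            unknown.append(line)
    return unknown

def persistence_cron_entries(crontab_lines):
    """Cron jobs that launch something from an untrusted, writable location."""
    return [l for l in crontab_lines if any(d in l for d in UNTRUSTED_DIRS)]

def masquerading_processes(processes):
    """(name, exe) pairs named like a system daemon but running from an untrusted dir."""
    return [(name, exe) for name, exe in processes
            if name in SYSTEM_NAMES and exe.startswith(UNTRUSTED_DIRS)]

def audit(shadow, keys, known_comments, crontab, processes):
    """Collect every finding; an empty dict means none of the traces were seen."""
    findings = {
        "empty_passwords": empty_password_accounts(shadow),
        "unknown_ssh_keys": unknown_keys(keys, known_comments),
        "cron_persistence": persistence_cron_entries(crontab),
        "masquerading": masquerading_processes(processes),
    }
    return {k: v for k, v in findings.items() if v}

# Constructed sample state of a compromised host (key material is placeholder text).
SHADOW = ["root::18000:0:99999:7:::", "daemon:*:18000:0:99999:7:::"]
KEYS = ["ssh-ed25519 AAAAC3CONSTRUCTEDKEYDATAxxxxxxxx unknown@unknown",
        "ssh-ed25519 AAAAC3CONSTRUCTEDKEYDATAyyyyyyyy admin@workstation"]
KNOWN = {"admin@workstation"}
CRONTAB = ["@reboot /tmp/.x/dhclient -c /tmp/.x/config.json", "0 3 * * * /usr/bin/certbot renew"]
PROCS = [("dhclient", "/tmp/.x/dhclient"), ("dhclient", "/sbin/dhclient"), ("sshd", "/usr/sbin/sshd")]

if __name__ == "__main__":
    for category, items in audit(SHADOW, KEYS, KNOWN, CRONTAB, PROCS).items():
        print(category, items)
```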

Finally, an attempt was made to turn the insecure container into a mail server. It was used to support fraudulent schemes, in this case the spread of fake "online work" offers. Fraudsters asked victims to buy expensive goods in electronics stores, ship them to specified addresses, and then wait for "compensation and a reward". Naturally, no payments followed, and the goods bought through other (often unwitting) participants in the operation were resold privately. The mail server was used both for spamming and for automated communication with those who fell for the promise of quick money. A good argument for protecting your own server infrastructure: a compromised server not only leads to personal losses for you, it will also be used to deceive other people.

What else happened:

A Palo Alto Networks study examines malicious code used in attacks on Citrix Gateway servers and a number of other corporate products in which a serious vulnerability was discovered at the end of last year. The malware takes control of systems based on FreeBSD and is used for espionage.

An interesting study of a botnet that pretends to be smart TVs has been published. The purpose of the fraud is to deceive advertisers: the bot farm inflated the view counts of advertising videos that would normally be delivered to applications on real users' TVs.

Threatpost gives examples of "double extortion" in attacks using ransomware trojans. Cybercriminals not only demand money for decrypting the data, but later threaten to publish the stolen information if an additional ransom is not paid. The prevalence of such attacks suggests that the ransom is not worth paying in any case.

In the Chrome browser extension store, fake cryptocurrency add-ons were discovered and removed. A set of extensions imitated official tools, for example for working with KeepKey hardware wallets. During installation, the user was required to log into their account at a real cryptocurrency service. If the victim entered the credentials, the attackers withdrew the money from their account.

April patches. Intel closes vulnerabilities in NUC series computers (privilege escalation with local access). Microsoft fixes 113 vulnerabilities, including four actively exploited. Adobe updates ColdFusion and After Effects.

Kaspersky Lab publishes its 2019 Spam Evolution Report. Spam accounts for 56% of total mail traffic, and a fifth of junk messages are sent from China. Most spam emails are received by users in Germany, Russia and Vietnam. A substantial share of phishing messages aim to steal accounts for banks, payment systems and popular web portals. The report contains many examples of fraud involving the distribution of supposedly free products, access to new episodes of TV shows, and scams of the "pay a dollar to get ten thousand" variety.
