Security Week 17: Impact of Linux Server Attacks

An interesting study of attacks on Unix-like systems was published last week. It describes how to build a honeypot from a Docker container (news, source article by Akamai). Docker was not strictly necessary, because the behaviour of the "bot drivers" in the report is no different from an attack on any other Linux system reachable from the network with a default password. But working with Docker raises the likelihood of operator error: a container with default settings can accidentally be brought up exposed to the network.

Accordingly, the "hacking" in this experiment was very simple: the image was brought up with an easily guessed root password, or rather, several typical login/password pairs such as root:root or oracle:oracle were tried. What is of interest is what the attackers did next. In a number of successful logins the scenario was the same: the compromised system was used as a proxy server, and not even for criminal purposes; traffic from Netflix, Twitch and similar services was observed, evidently to circumvent regional restrictions. But there were also successful attempts to enrol the system in a botnet.

As expected, the server was attacked by various incarnations of the Mirai botnet, which have proliferated since the original source code was published online. In one case the attackers installed a cryptocurrency miner on the server while at the same time ensuring they could get back in: the root password was changed to an empty one and an SSH key was added. The miner itself was registered in the cron scheduler so that it starts after a reboot, and in the process list it pretends to be a DHCP client.
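A quick host audit for the three persistence indicators in the case above (empty root password, a cron job from an odd path, a process whose binary does not live where system daemons do). This is an added example, not code from the post or from the Akamai report; the sample inputs are constructed, and /var/spool/cron/crontabs/root is an assumed Debian-style crontab path.

```python
"""Audit a Linux host for the post-compromise indicators described above."""
import re
from pathlib import Path

# Constructed sample inputs standing in for /etc/shadow, root's crontab and /proc.
SAMPLE_SHADOW = "root::18000:0:99999:7:::\nuser:$6$ab$hash:18000:0:99999:7:::\n"
SAMPLE_CRON = ("@reboot /tmp/.x/dhcpcd -o stratum+tcp://pool.example:3333\n"
               "0 3 * * * /usr/bin/apt update\n")
SAMPLE_PROCS = [("dhclient", "/tmp/.x/dhcpcd"), ("dhclient", "/sbin/dhclient"),
                ("sshd", "/usr/sbin/sshd")]

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")
HIDDEN_COMPONENT = re.compile(r"/\.[^./\s]")  # a path element that starts with a dot

def accounts_with_empty_password(shadow_text):
    """Usernames whose hash field in shadow(5) is empty, i.e. login without a password."""
    return [f[0] for f in (line.split(":") for line in shadow_text.splitlines())
            if len(f) >= 2 and f[1] == ""]

def suspicious_cron_entries(cron_text):
    """Cron lines that run something from a world-writable or hidden path."""
    hits = []
    for line in cron_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if any(d in line for d in WORLD_WRITABLE) or HIDDEN_COMPONENT.search(line):
            hits.append(line)
    return hits

def masquerading_processes(procs):
    """(name, exe) pairs whose binary sits outside the trusted system directories,
    whatever the process calls itself (the miner above posed as a DHCP client)."""
    return [(name, exe) for name, exe in procs if not exe.startswith(TRUSTED_PREFIXES)]

def live_processes():
    """Collect (comm, exe) from /proc; resolving every exe link needs root."""
    procs = []
    for p in Path("/proc").iterdir():
        if not p.name.isdigit():
            continue
        try:
            procs.append(((p / "comm").read_text().strip(), str((p / "exe").resolve())))
        except OSError:
            continue
    return procs

if __name__ == "__main__":
    cron = Path("/var/spool/cron/crontabs/root")  # assumed Debian-style location
    print("empty passwords:", accounts_with_empty_password(Path("/etc/shadow").read_text()))
    print("suspicious cron:", suspicious_cron_entries(cron.read_text() if cron.exists() else ""))
    print("untrusted binaries:", masquerading_processes(live_processes()))
```

Run it as root; on a clean host all three lists should be empty, and anything listed deserves a look before assuming it is benign.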

Finally, an attempt was made to turn the insecure container into a mail server. It was used to support a fraud scheme, in this case to spread a fake "work on the Internet" offer. The fraudsters asked victims to buy expensive goods in electronics stores, send them to specified addresses and then wait for "compensation and a reward". Naturally, no payments followed, and the purchases made through other (often unwitting) participants in the operation were resold. The mail server was used both for spamming and for automated correspondence with those who fell for the promise of quick money. A good argument for protecting your own server infrastructure: a compromised server not only causes losses for you, it will also be used to deceive other people.

What else happened:

Palo Alto Networks researchers analyse malicious code used in attacks on Citrix Gateway servers and a number of other enterprise products in which a serious vulnerability was discovered at the end of last year. The malware takes control of systems running FreeBSD and is used for espionage.

An interesting study has been published on a botnet that pretends to be smart TVs. The aim of the fraud is to deceive advertisers: the bot farm generated views of video ads that would normally have been delivered to apps on the TVs of real users.

Threatpost gives examples of "double extortion" in ransomware attacks. The criminals not only demand money for decrypting the data, but later threaten to publish the stolen information if an additional ransom is not paid. The prevalence of such attacks suggests that the ransom is not worth paying in any case.

Fake add-ons for working with cryptocurrencies were found in the Chrome Web Store and removed. A set of extensions imitated official tools, for example for working with KeepKey hardware wallets. During installation the user was required to log in to an account at a real cryptocurrency service. If the victim entered the credentials, the attackers withdrew the money from their account.

April patches. Intel closes vulnerabilities in NUC series computers (privilege escalation with local access). Microsoft fixes 113 vulnerabilities, including four actively exploited. Adobe updates ColdFusion and After Effects.

Kaspersky Lab publishes its 2019 Spam Evolution report. Spam accounts for 56% of total mail traffic, and a fifth of junk messages are sent from China. The most spam is received by users in Germany, Russia and Vietnam. A substantial share of phishing messages aims at stealing accounts for banks, payment systems and popular web portals. The report contains many examples of fraud involving supposedly free goods, access to fresh episodes of TV shows, and scams of the "pay a dollar to get ten thousand" kind.
