
Hackers are taking over Linux devices en masse, Microsoft has warned


Linux-based IoT devices and network equipment are under a massive hacking attack
(photo: CC0 Public Domain)

Security experts at Microsoft have uncovered a large-scale campaign targeting Linux network devices. Using the “brute force” technique, the hijackers install “back doors” and “cryptominers” on the infected systems.

Internet of Things (IoT) devices and other Internet-accessible Linux network equipment were attacked. Attackers apply “brute force” to guess passwords, gain initial access to the system, and then install an OpenSSH trojan package that acts as a backdoor, steals SSH access credentials, and resides permanently on the infected system.

“The installed updates add hooks that intercept the passwords and keys of SSH connections on the device – both client and server,” Microsoft explained in a security bulletin.

According to experts, these updates allow attackers to gain SSH access with superuser (root) rights and suppress the logging of all their SSH sessions, thereby hiding their presence. For this purpose, they use a special password.

The backdoor script, which is installed at the same time as the OpenSSH Trojan executable, adds two public keys to the authorized_keys file for permanent SSH access. The package also allows attackers to install rootkits (specifically, the LKM rootkits Reptile and Diamorphine) to hide the traces of malicious activity.

In addition, the malware detects and eliminates the processes of competing cryptominers (by identifying them by name) or simply blocks traffic to them by introducing new rules in the iptables and /etc/hosts files. Competitors’ SSH access settings are also removed from authorized_keys.

In addition, the attackers install on the compromised device a version of the open source IRC bot ZiggyStarTux, which is used to execute bash commands and, if necessary, launch DDoS attacks. ZiggyStarTux is registered as a systemd service (the corresponding unit file is placed at /etc/systemd/system/network-check.service).

The backdoor uses numerous techniques to ensure a persistent presence on compromised systems, duplicating its executable files in multiple locations on the device and configuring cron jobs that run regularly.

Communications between ZiggyStarTux bots and IRC servers are masked using a subdomain that belongs to a legitimate Southeast Asian financial institution.

During the investigation, Microsoft experts found that the bots downloaded and executed additional shell scripts that ran brute-force attacks against every active host on the subnet where the compromised device was located, and installed backdoors on them.

One of the scripts the hackers uploaded to the attacked devices downloaded a malware archive written specifically for Hiveon OS, an open-source Linux-based operating system designed for cryptomining.

Microsoft traced the mastermind behind the campaign to an alias on the hacker forum cardingforum.cx. The user asterzeu offers multiple hacking tools, including an SSH backdoor. In 2015, judging by the e-mail address, the same user registered the madagent.tm domain. The servers connected to it also use the madagent.cc domain, which is one of ZiggyStarTux’s command and control servers.

The backdoor was used by multiple attackers at once, according to a Microsoft post, indicating the existence of an entire network of tools and infrastructure. It is distributed to partners or sold to hacking platforms, according to the “malware-as-a-service” model.

Microsoft recommends strengthening the security of network devices accessible over the Internet, installing all the latest updates, and generally limiting SSH access as much as possible to make brute force attacks pointless.
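The persistence artifacts the article names (the network-check.service unit, extra entries in authorized_keys, the Reptile and Diamorphine modules, and the /etc/hosts entries used to cut off rival miners) can be checked from a shell. The script below is an added example, not code from the article or from Microsoft's bulletin; the audit_host function, the baseline-file convention and the /etc/hosts sinkhole heuristic are assumptions, and the cron and iptables artifacts are not covered.

```shell
#!/bin/sh
# audit_host ROOT BASELINE  (added example; names are assumptions)
#   ROOT     - filesystem root to inspect: "/" on a live host, or a mounted
#              image or a constructed test tree
#   BASELINE - file listing the public keys allowed in authorized_keys;
#              if omitted, every key is reported
# Prints one "FINDING:" line per indicator, then a final "FINDINGS: N" line.
audit_host() {
    root="${1:-/}"
    baseline="$2"
    n=0

    # 1. ZiggyStarTux persistence: the article names this exact unit file.
    if [ -f "$root/etc/systemd/system/network-check.service" ]; then
        echo "FINDING: systemd unit network-check.service exists"
        n=$((n + 1))
    fi

    # 2. The backdoor script appends public keys to authorized_keys: report
    #    every key (root and all home directories) absent from the baseline.
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        while IFS= read -r key || [ -n "$key" ]; do
            case "$key" in ''|'#'*) continue ;; esac
            if ! grep -Fxq -- "$key" "$baseline" 2>/dev/null; then
                echo "FINDING: unlisted key in $f: $(printf '%s' "$key" | cut -c1-32)..."
                n=$((n + 1))
            fi
        done < "$f"
    done

    # 3. Reptile / Diamorphine LKM rootkits. Caveat: both hide their own
    #    module entry once loaded, so a clean list is not proof of absence.
    if grep -qiE '^(reptile|diamorphine)' "$root/proc/modules" 2>/dev/null; then
        echo "FINDING: rootkit module name listed in /proc/modules"
        n=$((n + 1))
    fi

    # 4. Rival miners are cut off through /etc/hosts: as a heuristic, flag
    #    any non-localhost name pointed at 0.0.0.0 or 127.0.0.1.
    if [ -f "$root/etc/hosts" ]; then
        c=$(awk '$1 ~ /^(0\.0\.0\.0|127\.0\.0\.1)$/ && $2 !~ /^localhost/ { c++ }
                 END { print c + 0 }' "$root/etc/hosts")
        if [ "$c" -gt 0 ]; then
            echo "FINDING: $c non-localhost name(s) sinkholed in /etc/hosts"
            n=$((n + 1))
        fi
    fi

    echo "FINDINGS: $n"
}
```

On a live host run it as `audit_host / /root/allowed_keys` (as root, so every authorized_keys file is readable); against a mounted disk image pass the mount point instead of `/`.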
