METHOD – New OpenSSH backdoors exploiting Linux servers discovered

ESET recently released a report listing 21 in-the-wild OpenSSH malware families that target the portable OpenSSH used on Linux systems, 12 of which appear not to have been documented before.

This report is a follow-up to ESET's 2014 research "Operation Windigo", which originally focused on a Linux server-side credential-stealing malware campaign with the Ebury OpenSSH backdoor at its core. The ESET group went on to analyze other OpenSSH backdoors that were detected during Operation Windigo and were mostly unknown to the broader security community. They were able to do so by employing the Windigo Perl script, which carried signatures for 40 different backdoors; in brief, the attackers originally used this script to detect other OpenSSH backdoors before deploying Ebury, researchers said.

Among the observed samples, some showed similarities and shared techniques, and all were the result of modifications to a few critical functions. While none of them used complex obfuscation, most of them log the passwords supplied by users and almost all exfiltrate the data by copying the credentials to a local file. Additionally, 9 of the 21 backdoor families also pushed the data to a C2 server over common network ports such as 80 (HTTP), 443 (HTTPS) and 1194 (OpenVPN), which are usually left open on network firewalls. In rare cases the data was exfiltrated by email.

The raw research data did not reveal the infection vector used in the initial compromise, but it did shed some light on how the operators extended their reach: all backdoors embed credential-stealing functionality and can spread by reusing the stolen credentials. Among the more sophisticated samples examined, the most interesting features were the ability to receive commands through the SSH password (the Chandrila backdoor), a crypto-mining extension (the Bonadan backdoor), and bot functionality (the Kessel backdoor). The ESET report includes a detailed feature grid for each analyzed OpenSSH backdoor family.

Proficio Threat Intelligence Recommendations:

  • Since brute force can be used to gain access through SSH password authentication, consider using long and complex passphrases, enabling key-based authentication, disabling remote root login, and using multi-factor authentication via PAM (Pluggable Authentication Modules).
  • Consider blocking IP addresses that attempt brute-force attacks, for example with the Fail2ban software.
  • Update IDS/IPS to take appropriate action when triggering on the IoCs listed in the ESET report.
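As an added example (not from the page or from ESET), the following script checks the global section of an sshd_config for the settings these recommendations call for. It assumes OpenSSH's documented defaults for keywords that are absent, and the sample config it runs against is constructed rather than taken from a real host:

```shell
#!/bin/sh
# Added example (not from the page or ESET): audit the global section of an
# sshd_config against the recommendations above. Assumes OpenSSH 7.x+
# defaults for absent keywords (PasswordAuthentication yes,
# PubkeyAuthentication yes, PermitRootLogin prohibit-password, UsePAM no).

# sshd_effective FILE KEYWORD DEFAULT: the value sshd would apply for KEYWORD.
# sshd honours the first uncommented occurrence; settings in a "Match" block
# are conditional, so parsing stops at the first Match line.
sshd_effective() {
    _v=$(awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    printf '%s\n' "${_v:-$3}"
}

# audit_sshd_config FILE: prints each weak setting; returns 1 if any was found.
audit_sshd_config() {
    _bad=0
    if [ "$(sshd_effective "$1" PasswordAuthentication yes)" = yes ]; then
        echo "WEAK: PasswordAuthentication yes (open to password brute force)"; _bad=1
    fi
    if [ "$(sshd_effective "$1" PubkeyAuthentication yes)" != yes ]; then
        echo "WEAK: PubkeyAuthentication disabled"; _bad=1
    fi
    case "$(sshd_effective "$1" PermitRootLogin prohibit-password)" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin permits remote root password login"; _bad=1 ;;
    esac
    if [ "$(sshd_effective "$1" UsePAM no)" != yes ]; then
        echo "WEAK: UsePAM no (PAM multi-factor modules cannot be used)"; _bad=1
    fi
    if [ "$(sshd_effective "$1" MaxAuthTries 6)" -gt 3 ]; then
        echo "NOTE: MaxAuthTries above 3 gives each connection more guesses"
    fi
    return $_bad
}

# Constructed sample (not a real host's file) so the script runs stand-alone.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF
audit_sshd_config "$SAMPLE_CFG" || echo "=> sshd_config needs hardening"
rm -f "$SAMPLE_CFG"
```

Run it as `sh audit.sh` on a copy of the host's /etc/ssh/sshd_config; the commented-out PasswordAuthentication line in the sample is the classic trap, since the default is still yes.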


Method: Linux Malware – GoScanSSH

Researchers at Cisco Talos, during an incident response engagement, identified a new malware family called GoScanSSH being used to compromise SSH servers exposed to the internet. The malware is written in Go, a programming language created at Google in 2009. The infection method was SSH brute-force attacks against public-facing SSH services. Once a host is infected, it reaches out to domains over Tor2Web for command and control. According to Cisco Talos, the campaign has been ongoing for at least nine months. One unusual aspect of the campaign is that the malware has a built-in component to avoid compromising certain government domains (.mil, .gov, .army, etc.).


Proficio Threat Intelligence Recommendations:

  • Restrict public-facing SSH access to only the parties who need direct access to it.
  • Use strong passwords for any type of SSH authentication open to the internet.
  • Apply tools such as Fail2ban to mitigate the risk of brute-force attacks.
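As an added example (not code from the page, ESET or Cisco Talos) covering both this recommendation and the Fail2ban advice in the OpenSSH section above, the script below counts failed SSH logins per source in an auth.log and lists the sources and account names that a brute-force campaign like GoScanSSH's produces; the log lines are constructed samples in OpenSSH's syslog format, not real telemetry:

```shell
# Added example, not code from the page, ESET or Cisco Talos: count failed
# SSH password attempts per source in an auth.log and flag sources over a
# threshold, the judgement Fail2ban's sshd jail automates. Log lines are
# constructed samples in OpenSSH's syslog format, not real telemetry.

# brute_force_sources LOGFILE THRESHOLD
# Prints "<failures> <ip>" for every source with at least THRESHOLD
# "Failed password" events, most active first.
brute_force_sources() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the token after the literal word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' "$1" | sort -rn
}

# targeted_accounts LOGFILE
# Prints "<failures> <user>" for the account names being guessed; a list
# dominated by root/admin/test is a dictionary attack, not a user typo.
targeted_accounts() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                # "for invalid user NAME from" vs "for NAME from"
                u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); users[u]++; break
            }
        }
        END { for (u in users) print users[u], u }
    ' "$1" | sort -rn
}

# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat >"$SAMPLE_AUTH_LOG" <<'EOF'
Mar  2 08:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  2 08:14:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  2 08:14:05 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40141 ssh2
Mar  2 08:14:07 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40150 ssh2
Mar  2 08:14:09 web1 sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 40162 ssh2
Mar  2 08:14:11 web1 sshd[2111]: Failed password for root from 203.0.113.7 port 40170 ssh2
Mar  2 08:20:44 web1 sshd[2150]: Failed password for alice from 198.51.100.23 port 51020 ssh2
Mar  2 08:20:49 web1 sshd[2150]: Accepted publickey for alice from 198.51.100.23 port 51020 ssh2
Mar  2 08:21:30 web1 sshd[2160]: Failed password for alice from 198.51.100.23 port 51031 ssh2
EOF
echo "Ban candidates (>= 5 failures):"; brute_force_sources "$SAMPLE_AUTH_LOG" 5
echo "Accounts being guessed:"; targeted_accounts "$SAMPLE_AUTH_LOG"
```

Point it at /var/log/auth.log (or /var/log/secure) to see the same view over live data; the legitimate user who mistyped twice before a key login stays below the threshold.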

Recommended Action for Linux Kernel Vulnerability

Recently, a critical zero-day vulnerability in a Linux kernel module was publicized. If successfully exploited on a Linux device, it would allow an attacker to execute arbitrary code with escalated privileges.

Devices running Linux kernel 3.8 or higher are potentially vulnerable to this bug, meaning millions of Linux devices and around two thirds of all Android devices are potentially affected. IoT devices running such kernels may be vulnerable as well. At the time of writing, there have been no publicized observations of exploitation in the wild. Given the sheer number of potentially vulnerable devices, we advised all of our customers to review their systems for the vulnerability and mitigate with the appropriate steps detailed below.

Vulnerability Details

The vulnerability, CVE-2016-0728, resides in the Linux kernel's key retention service, provided by a module that allows a process to store security information. Specifically, the bug can be triggered by a process making repeated keyctl system calls, because the vulnerable code does not check for an integer overflow in the reference counter. Once the counter wraps to zero, the kernel frees the keyring object in memory, and an attacker can then attempt a use-after-free attack.

When a process makes a keyctl call with a session key already in use, the Linux kernel increments a reference count (visible in /proc/keys). This counter is a 32-bit integer, even on 64-bit systems. When the counter overflows, effectively returning to zero, the kernel frees the object, and a malicious program may then insert a crafted object that runs under escalated privileges.

In order to exploit this vulnerability, an attacker would need the ability to make keyctl calls on the target host. The attacker would also need to make 2^32-1 calls to keyctl to reset the counter and free the kernel object, after which the attacker could leverage the function pointers in the struct key_type object for remote code execution under escalated privileges. The researchers at Perception Point, who revealed this vulnerability, noted that the exploit took some 30 minutes to run on an Intel Core i7-5500 CPU.


We recommend a careful review of all Linux-based devices on your network that are running kernel version 3.8 or higher, specifically those built with "enable access key retention support" enabled. Wherever possible, vulnerable kernels should be patched immediately. Multiple versions of various Linux distributions, including Red Hat Enterprise Linux 7, CentOS Linux 7, and Debian Linux 8.x and 9.x, are potentially vulnerable. Check which distributions have released a patch and follow their installation instructions.
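As an added example (not from the page or from Perception Point), this script decides whether a host is in the exposed population the advisory describes, that is a kernel at 3.8 or later built with key retention support (CONFIG_KEYS). The kernel version strings and config files in its checks are constructed, and a match only means the vendor's patch status for the installed kernel package still has to be confirmed:

```shell
# Added example (not from the page or Perception Point): decide whether a host
# falls in the population the advisory describes, i.e. a kernel at 3.8 or
# later built with key retention support (CONFIG_KEYS). This establishes
# exposure only; whether the distribution has already backported the fix must
# be checked against the vendor advisory for the installed kernel package.

# kernel_at_least VERSION MIN: numeric dotted-version comparison that ignores
# a trailing "-suffix" such as "-21-generic" or "-327.el7.x86_64".
kernel_at_least() {
    awk -v v="${1%%-*}" -v m="${2%%-*}" 'BEGIN {
        nv = split(v, a, "."); nm = split(m, b, ".")
        n = (nv > nm) ? nv : nm
        for (i = 1; i <= n; i++) {        # missing components count as 0
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        exit 0 }'
}

# keys_enabled CONFIGFILE: true if the kernel config has CONFIG_KEYS=y
# ("Enable access key retention support" in menuconfig).
keys_enabled() { grep -q '^CONFIG_KEYS=y' "$1"; }

# cve_2016_0728_exposed KVER CONFIGFILE: prints a verdict; returns 0 if the
# host matches both conditions and its patch status must be verified.
cve_2016_0728_exposed() {
    if ! kernel_at_least "$1" 3.8; then
        echo "kernel $1 predates 3.8: not affected"; return 1
    fi
    if ! keys_enabled "$2"; then
        echo "kernel $1 built without CONFIG_KEYS: keyctl unavailable, not affected"; return 1
    fi
    echo "kernel $1 with CONFIG_KEYS=y: potentially affected, verify vendor patch status"
}

# Stand-alone run against the live host: the config normally lives in
# /boot/config-$(uname -r); /proc/config.gz is the fallback when present.
KCONF=/boot/config-$(uname -r)
if [ ! -r "$KCONF" ] && [ -r /proc/config.gz ]; then
    KCONF=$(mktemp); zcat /proc/config.gz >"$KCONF" 2>/dev/null || :
fi
if [ -r "$KCONF" ]; then
    cve_2016_0728_exposed "$(uname -r)" "$KCONF" || :
else
    echo "kernel config not readable; check CONFIG_KEYS on $(uname -r) manually"
fi
```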

Shellshock/Bash Vulnerability

Shellshock/Bash is a major new vulnerability that affects Unix, Linux and Mac users. This remote code execution vulnerability exists in almost every version of the GNU Bourne Again Shell (Bash). See CVE-2014-6271 in the National Vulnerability Database:

Description of CVE-2014-6271:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

In our assessment, attacks over the internet via HTTP by worms or scripts, which place the crafted string in a request header that a CGI handler exports into Bash's environment, are the biggest risk to organizations.
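As an added example (not from the page), the following script scans web-server access logs for requests carrying the Shellshock function-definition prefix "() {" in a header a CGI handler would export into Bash's environment; the log lines are constructed samples in the Apache/nginx combined log format:

```shell
# Added example (not from the page): flag HTTP requests that carry the
# Shellshock function-definition prefix "() {" in a header a CGI handler
# would copy into Bash's environment (User-Agent, Referer, request line).
# Log lines are constructed samples in Apache/nginx "combined" format.

# shellshock_probes ACCESS_LOG
# Prints "<client> <request> <field>" per matching line; returns 1 if none.
shellshock_probes() {
    awk '
        BEGIN { re = "\\(\\)[ \t]*[{]" }      # "()" then optional blanks then "{"
        $0 ~ re {
            # combined format: ip ident user [time] "request" status bytes "referer" "agent"
            split($0, q, "\"")
            field = "request"
            if (q[4] ~ re) field = "referer"
            if (q[6] ~ re) field = "user-agent"
            print $1, q[2], field
            hits++
        }
        END { exit (hits > 0) ? 0 : 1 }
    ' "$1"
}

# Constructed sample: two probe attempts against CGI paths and normal traffic.
SAMPLE_ACCESS_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_ACCESS_LOG"' EXIT
cat >"$SAMPLE_ACCESS_LOG" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.5 - - [25/Sep/2014:10:12:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:13:22 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 211 "() {:;}; echo probe" "curl/7.35.0"
EOF
shellshock_probes "$SAMPLE_ACCESS_LOG" || echo "no Shellshock probes in log"
```

A 200 status on a /cgi-bin/ path with a matching header is the line to escalate; a 404 still shows the host is being scanned.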

Vulnerable Software and Versions:

* cpe:/a:gnu:bash:1.14.0
* cpe:/a:gnu:bash:1.14.1
* cpe:/a:gnu:bash:1.14.2
* cpe:/a:gnu:bash:1.14.3
* cpe:/a:gnu:bash:1.14.4
* cpe:/a:gnu:bash:1.14.5
* cpe:/a:gnu:bash:1.14.6
* cpe:/a:gnu:bash:1.14.7
* cpe:/a:gnu:bash:2.0
* cpe:/a:gnu:bash:2.01
* cpe:/a:gnu:bash:2.01.1
* cpe:/a:gnu:bash:2.02
* cpe:/a:gnu:bash:2.02.1
* cpe:/a:gnu:bash:2.03
* cpe:/a:gnu:bash:2.04
* cpe:/a:gnu:bash:2.05
* cpe:/a:gnu:bash:2.05:a
* cpe:/a:gnu:bash:2.05:b
* cpe:/a:gnu:bash:3.0
* cpe:/a:gnu:bash:3.0.16
* cpe:/a:gnu:bash:3.1
* cpe:/a:gnu:bash:3.2
* cpe:/a:gnu:bash:3.2.48
* cpe:/a:gnu:bash:4.0
* cpe:/a:gnu:bash:4.0:rc1
* cpe:/a:gnu:bash:4.1
* cpe:/a:gnu:bash:4.2
* cpe:/a:gnu:bash:4.3

What Should You Do?

1. If you are a user of our ProSCAN/Qualys Vulnerability scanning service, please contact us to schedule an emergency scan.
2. If you are using another vulnerability scanning tool, follow your vendor’s instructions.
3. Use official repositories to upgrade to the current release.
4. Verify with your vendors that this vulnerability has been patched.

What Else is Proficio Doing?

Proficio has patched all vulnerable systems within our own infrastructure. We are actively gathering indicators of attack and compromise and will apply detection indicators to our monitoring service.

Please feel free to contact us to discuss the best action for your organization.