A new dangerous Linux backdoor could trigger severe attacks

Many researchers believe that this new Trojan could trigger a significant wave of cyberattacks

Network security and ethical hacking researchers from the International Institute of Cyber Security have reported a cryptocurrency mining campaign that uses the SpeakUp Linux backdoor. According to reports, the campaign has already infected more than 70k servers worldwide and may have laid the foundation for a large botnet.

SpeakUp targets on-premises servers as well as cloud-hosted machines (for example on Amazon Web Services); it is also believed not to be limited to Linux, but to be capable of infecting macOS devices as well.

Network security specialist Oded Vanunu has noted that the attack extends to servers running ThinkPHP, Hadoop, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. He also stresses that because this software is routinely deployed on virtual servers, cloud infrastructure running it can be compromised just as easily as physical hosts.

Infection begins with a remote code execution vulnerability in ThinkPHP (CVE-2018-20062): the exploit uses command injection to drop a PHP shell, which in turn downloads and runs a Perl backdoor.

SpeakUp spreads using a Python script whose main functions are to brute-force administrative panels and to scan the environment of the infected machine. To do so, it checks the availability of specific ports on servers that share the infected host's internal and external subnets, with the aim of finding and infecting vulnerable Linux servers within those subnets using a range of exploits.
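The two propagation behaviours just described (probing a fixed set of ports across the infected host's own subnet, and hammering admin-panel logins) are both visible from the network side. The following is an added detection example, not SpeakUp's code and not from any vendor report: it runs over constructed, simplified flow and HTTP auth records and flags hosts that show either behaviour, then intersects the two. The watched port set (default ports of the software named in the article) and the `/manager/html` path are assumptions for the example; the page does not list SpeakUp's actual port list or target paths.

```python
"""Detect SpeakUp-style lateral scanning and admin-panel brute force.

Added example. Record formats below are constructed for illustration:
  flow: "<ts> <src> <dst> <dport>"
  auth: "<ts> <src> <method> <path> <http_status>"
Records are assumed to be in chronological order.
"""
from collections import defaultdict
import ipaddress

# Assumed default ports of the server software named in the article
# (ThinkPHP/PHP on 80 or 8080, WebLogic 7001, Hadoop YARN RM 8088,
# ActiveMQ web console 8161). SpeakUp's real port list is not on the page.
WATCHED_PORTS = {80, 7001, 8080, 8088, 8161}

# Constructed flow records: 10.0.1.15 sweeps its /24 on watched ports;
# 10.0.1.40 is ordinary traffic.
SAMPLE_FLOWS = """\
2019-02-05T10:00:01 10.0.1.15 10.0.1.20 8080
2019-02-05T10:00:01 10.0.1.15 10.0.1.21 8080
2019-02-05T10:00:02 10.0.1.15 10.0.1.22 7001
2019-02-05T10:00:02 10.0.1.15 10.0.1.23 8088
2019-02-05T10:00:03 10.0.1.15 10.0.1.24 8161
2019-02-05T10:00:03 10.0.1.15 10.0.1.25 8080
2019-02-05T10:00:04 10.0.1.15 10.0.1.26 7001
2019-02-05T10:00:04 10.0.1.15 10.0.1.27 8088
2019-02-05T10:00:05 10.0.1.15 10.0.1.28 80
2019-02-05T10:00:06 10.0.1.15 8.8.8.8 53
2019-02-05T10:00:07 10.0.1.40 10.0.1.20 8080
2019-02-05T10:00:08 10.0.1.40 10.0.1.21 443
2019-02-05T10:00:09 10.0.1.40 10.0.2.5 22
"""

# Constructed auth records: repeated 401s then a 200 from 10.0.1.15
# against an assumed admin-panel path; one failed attempt from 10.0.1.40.
SAMPLE_AUTH = """\
2019-02-05T10:01:00 10.0.1.15 POST /manager/html 401
2019-02-05T10:01:00 10.0.1.15 POST /manager/html 401
2019-02-05T10:01:01 10.0.1.15 POST /manager/html 401
2019-02-05T10:01:01 10.0.1.15 POST /manager/html 401
2019-02-05T10:01:02 10.0.1.15 POST /manager/html 401
2019-02-05T10:01:02 10.0.1.15 POST /manager/html 401
2019-02-05T10:01:03 10.0.1.15 POST /manager/html 200
2019-02-05T10:01:05 10.0.1.40 POST /manager/html 401
2019-02-05T10:01:09 10.0.1.40 POST /manager/html 200
"""


def parse_flows(text):
    """Parse flow records into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport)))
    return flows


def detect_subnet_scanners(flows, prefix_len=24, min_targets=8):
    """Return {src: [targets]} for sources that contacted at least
    min_targets distinct neighbours inside their own /prefix_len on a
    watched port. Traffic leaving the subnet (e.g. DNS to 8.8.8.8) is
    ignored, as are non-watched ports."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport not in WATCHED_PORTS:
            continue
        subnet = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        if dst in subnet and dst != src:
            targets[src].add(dst)
    return {str(src): sorted(str(d) for d in dsts)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


def detect_admin_bruteforce(text, max_failures=5):
    """Return {(src, path): (failure_count, succeeded_after)} for sources
    with more than max_failures HTTP 401s against one path. succeeded_after
    is True if a 200 followed the failures, i.e. the guess likely worked."""
    failures = defaultdict(int)
    succeeded = defaultdict(bool)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, _method, path, status = line.split()
        key = (src, path)
        if status == "401":
            failures[key] += 1
        elif status == "200" and failures[key] > max_failures:
            succeeded[key] = True
    return {k: (n, succeeded[k]) for k, n in failures.items()
            if n > max_failures}


def hosts_showing_both(flow_text, auth_text):
    """Hosts that both sweep their subnet and brute-force a panel: the
    combination the article attributes to SpeakUp's propagation script."""
    scanners = set(detect_subnet_scanners(parse_flows(flow_text)))
    brute = {src for src, _path in detect_admin_bruteforce(auth_text)}
    return scanners & brute


if __name__ == "__main__":
    print("scanners:", detect_subnet_scanners(parse_flows(SAMPLE_FLOWS)))
    print("brute force:", detect_admin_bruteforce(SAMPLE_AUTH))
    print("both:", hosts_showing_both(SAMPLE_FLOWS, SAMPLE_AUTH))
```

The thresholds (eight neighbours, five failed logins) are tuning knobs, not facts from the report; on a real network, feed the two functions from NetFlow/Zeek `conn` logs and reverse-proxy access logs respectively, and treat a host that trips both detectors within a few minutes as a high-confidence candidate for isolation and forensic review.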

For propagation, SpeakUp exploits six known vulnerabilities in server-side software that runs on Linux (application vulnerabilities, not flaws in Linux distributions themselves):

  • JBoss enterprise application platform security bypass (CVE-2012-0874)
  • JBoss Seam Framework Remote Code Execution Vulnerability (CVE-2010-1871)
  • Oracle Fusion Middleware Oracle WebLogic Server Component Vulnerability (CVE-2018-2894)
  • Hadoop YARN ResourceManager command execution exploit
  • Oracle WebLogic remote code execution vulnerability (CVE-2017-10271)
  • Apache ActiveMQ fileserver file upload vulnerability (CVE-2016-3088)

“Successful exploitation of one of these vulnerabilities will result in the implementation of the original script on the exploited server,” the network security experts note.

The files the backdoor currently downloads are simple cryptocurrency mining scripts; however, SpeakUp's operators can push any kind of code to the infected servers. Some specialists consider the mining payload a kind of beta test for future hacking activity. “The threat actor behind this campaign can at any time deploy additional, potentially more intrusive and offensive payloads. It has the ability to scan the network of an infected server and distribute malware”, the specialists concluded.

The first SpeakUp victims were recorded in Latin America and Asia, although experts expect the United States to begin recording its first infections in the coming days.