Network security researchers from Netlab firm have just released a report that mentions that Linux servers running no patched Webmin installations are under a serious attack campaign that aims to integrate the compromised implementations to a botnet known as Roboto.
During their research, specialists were able to collect the bot and the download botnet modules, so new findings are expected to be released in the future.
Early analysis published by network security firm shows that the Roboto bot has seven different functions, including:
- Reverse Shell
- Automatic uninstalling
- Commands execution
- Collection and extraction of network information
- Execution of encrypted payload from a remote URL
- Deployment of Denial of Service (DoS) attacks
The report highlights that, although the DoS module supports four different attack variants depending on the permissions hackers can get on the target Linux system, a single Roboto DoS attack has not yet been detected since the activity of this botnet began.
With regard to the integration into the botnet of a compromised system, threat actors exploit Remote Code Execution (RCE) vulnerability in Webmin. This flaw, tracked as CVE-2019-15107, allows hackers to deliver the malicious download module to Linux servers running vulnerable installations of the Unix Webmin system management tool.
Network security experts say there are now more than one million vulnerable Webmin installations. Moreover, the team in charge of the Shodan tool mentions that there are about 230 thousand potentially exposed servers, while BinaryEdge discovered about 450 thousand. It is important to note that not all Webmin servers found in Internet scans run vulnerable versions of the Linux system.
In their report, the researchers also mentioned that the server that attacked its honeypot to deliver the Roboto download module ran a Webmin service on TCP/10000 port, an indication that hackers are using pre-infected systems to integrate more devices into the botnet.
This bot also uses various algorithms to ensure the integrity of its components and the P2P network, as well as creating the auto-start script and hiding its files and processes, ensuring its persistence on the compromised system.
Although P2P botnets are not too common, they have recorded their presence for at least ten years with the well-known Nugache and Storm, Sality P2P, Miner, Zeus P2P, among others.
Although these botnets are known for their great resistance against some attack variants, it is possible to disrupt their operation and force operators to interrupt their attacks.
In the absence of the publication of more details about this botnet, network security specialists from the International Institute of Cyber Security (IICS) recommend that administrators check if their facilities have the appropriate patches to mitigate the risk of attack.