A complex Linux malware dubbed Kobalos is targeting high performance computing (HPC) clusters around the globe.
ESET researchers found that the malware has a “tiny code size and many tricks” and targets multiple operating systems, including Linux, BSD and Solaris; AIX and Windows systems may also be targets.
“The way Kobalos is tightly contained in a single function and the usage of an existing open port to reach Kobalos makes this threat harder to find,” ESET warned in a recent blog post.
After scanning the internet for compromised systems, ESET researchers identified multiple Kobalos victims, including HPC systems.
“Kobalos is a generic backdoor in the sense that it contains broad commands that don’t reveal the intent of the attackers. In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers,” ESET wrote.
ESET further surmised that the operators spread Kobalos with a credential stealer, a trojanized SSH client planted on already compromised hosts:
“Anyone using the SSH client of a compromised machine will have their credentials captured. Those credentials can then be used by the attackers to install Kobalos on the newly discovered server later.”
Mitigations
One of the key controls organizations should implement is two-factor authentication (2FA) for SSH logins to Linux servers, so that a password or key captured by the trojanized client is not enough on its own to log in elsewhere.
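The advice above is only effective if sshd actually enforces two methods for every login. The following audit script is an added example, not ESET's or the article's code: it reads an sshd_config text and reports whether every permitted `AuthenticationMethods` chain combines at least two distinct methods. It assumes OpenSSH semantics as documented in sshd_config(5): keywords are case-insensitive, the first value read for a keyword wins, and directives inside a `Match` block override the global ones for matching connections. The sample configurations are constructed for the example.

```python
"""Audit an sshd_config for enforced two-factor SSH authentication.

Added example (not from ESET or the article). Assumptions: OpenSSH keyword
semantics (first value wins, case-insensitive keywords, Match blocks
override global values for matching connections); keyboard-interactive is
the PAM/OTP second factor and defaults to enabled under either spelling of
its keyword (KbdInteractiveAuthentication / ChallengeResponseAuthentication).
"""
import re

# ---- constructed sample configurations -------------------------------------
WEAK_CONFIG = """\
# constructed: password-only logins, no AuthenticationMethods at all
PasswordAuthentication yes
PubkeyAuthentication yes
"""

MISORDERED_CONFIG = """\
# constructed: the second line is dead, sshd keeps the FIRST value it reads
AuthenticationMethods any
AuthenticationMethods publickey,keyboard-interactive
"""

HARDENED_CONFIG = """\
# constructed: key plus PAM-backed second factor for every login
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

MATCH_CONFIG = """\
# constructed: global policy is fine, but a Match block relaxes it for a subnet
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
Match Address 10.0.0.0/8
    AuthenticationMethods publickey
"""

DIRECTIVE = re.compile(r"([A-Za-z]+)\s*(?:=\s*|\s+)(.*)")


def parse_sshd_config(text):
    """Return (global_directives, [match_block_directives, ...]).

    Keys are lower-cased; within each scope the first value for a keyword is
    kept, mirroring sshd's "first obtained value wins" rule.
    """
    scopes = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            scopes.append({"match": val})  # everything until the next Match belongs here
            continue
        scopes[-1].setdefault(key, val)
    return scopes[0], scopes[1:]


def lookup(scope, glob, *keys, default):
    """Value of the first present keyword, Match scope first, then global."""
    for s in (scope, glob):
        for k in keys:
            if k in s:
                return s[k]
    return default


def chain_has_two_factors(chain, kbd_on):
    """True if one comma-separated method chain needs two distinct methods."""
    steps = [s.split(":")[0].lower() for s in chain.split(",")]
    if len(set(steps)) < 2:          # "publickey,publickey" is two keys, one factor
        return False
    return kbd_on or "keyboard-interactive" not in steps


def requires_two_factors(text):
    """True only if every scope (global and each Match block) enforces 2FA."""
    glob, matches = parse_sshd_config(text)
    for scope in [glob] + matches:
        methods = lookup(scope, glob, "authenticationmethods", default=None)
        if not methods or methods.lower() == "any":
            return False
        kbd = lookup(scope, glob, "kbdinteractiveauthentication",
                     "challengeresponseauthentication", default="yes")
        kbd_on = kbd.lower() == "yes"
        if not all(chain_has_two_factors(c, kbd_on) for c in methods.split()):
            return False
    return True


if __name__ == "__main__":
    for name in ("WEAK_CONFIG", "MISORDERED_CONFIG", "HARDENED_CONFIG", "MATCH_CONFIG"):
        print(f"{name:18} 2FA enforced: {requires_two_factors(globals()[name])}")
```

Run it against `/etc/ssh/sshd_config` (and any `Include`d drop-ins, which this script does not follow) after enabling a PAM OTP module; the `MISORDERED_CONFIG` and `MATCH_CONFIG` cases show the two mistakes that most often leave a "2FA" deployment bypassable.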
In addition, administrators should make sure their anti-malware solutions carry signatures for the password stealers that ESET detects as Linux/SSHDoor.EV, Linux/SSHDoor.FB and Linux/SSHDoor.FC.
Finally, security teams can detect Kobalos activity on the network by looking for non-SSH traffic on the SSH port (22): when the Kobalos backdoor talks to its remote operator, the connection arrives on the port the legitimate sshd is listening on, but no SSH banner is exchanged.
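The banner check is straightforward to turn into a detection. The script below is an added example, not ESET's detection logic: it takes session records (destination port plus the first payload bytes each side sent, as a packet capture or flow sensor would export them, constructed here inline) and flags sessions to port 22 in which the server never sends the `SSH-` identification string that RFC 4253 section 4.2 requires. It also handles the legal case of a server printing a line before its banner, and distinguishes a silent server facing a genuine SSH client from one facing a client that never spoke SSH at all.

```python
"""Flag TCP sessions to port 22 in which no SSH banner was exchanged.

Added example, not ESET's tooling. Input records are constructed; in practice
they come from a capture or flow sensor that exports the first payload bytes
of each direction. RFC 4253 section 4.2: each side begins with an
identification string "SSH-protoversion-softwareversion ...", and the server
may send other lines before it, none starting with "SSH-".
"""
from dataclasses import dataclass


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    client_first: bytes   # first payload bytes from the client, b"" if none
    server_first: bytes   # first payload bytes from the server, b"" if none


SSH_PORTS = {22}          # extend for non-standard SSH listeners


def looks_like_ssh_banner(payload: bytes) -> bool:
    """True if any line in the first payload starts with an SSH identification string."""
    return any(line.startswith(b"SSH-") for line in payload.split(b"\n"))


def classify(s: Session) -> str:
    if s.dport not in SSH_PORTS:
        return "not-ssh-port"
    if not s.client_first and not s.server_first:
        return "no-data"              # scan or half-open connection, nothing to judge
    if looks_like_ssh_banner(s.server_first):
        return "ssh"
    if s.server_first:
        return "non-ssh-on-22"        # server replied, but not with an SSH identification string
    if looks_like_ssh_banner(s.client_first):
        return "server-silent"        # genuine client; server dropped or rate-limited it
    return "non-ssh-on-22"            # client opened with non-SSH bytes and the server never identified itself


def find_suspicious(sessions):
    """Sessions on an SSH port where the SSH banner exchange never happened."""
    return [s for s in sessions if classify(s) == "non-ssh-on-22"]


# ---- constructed sample sessions -------------------------------------------
SAMPLE_SESSIONS = [
    # ordinary login: both sides send identification strings
    Session("10.1.1.5", "10.9.9.9", 22,
            b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"),
    # server prints a line before its banner, which RFC 4253 permits
    Session("10.1.1.6", "10.9.9.9", 22,
            b"SSH-2.0-PuTTY_Release_0.76\r\n",
            b"Authorised access only\r\nSSH-2.0-OpenSSH_7.4\r\n"),
    # client sends opaque bytes to port 22 and the server answers in kind: no banner either way
    Session("198.51.100.7", "10.9.9.9", 22,
            b"\x00\x00\x00\x28\x5e\x3a\x11\x90", b"\x00\x00\x00\x10\xaa\xbb"),
    # client speaks something that is not SSH and the server stays silent
    Session("198.51.100.8", "10.9.9.9", 22, b"\x01\x02\x03\x04", b""),
    # port scan: no payload in either direction
    Session("203.0.113.2", "10.9.9.9", 22, b"", b""),
    # TLS on 443, outside the scope of this check
    Session("10.1.1.7", "10.9.9.9", 443, b"\x16\x03\x01", b"\x16\x03\x03"),
]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s.src:>14} -> {s.dst}:{s.dport:<4} {classify(s)}")
    print("suspicious:", [s.src for s in find_suspicious(SAMPLE_SESSIONS)])
```

Tune `SSH_PORTS` to the listeners in your environment, and treat `server-silent` as a separate, lower-priority bucket: it is common with connection rate limiting and would otherwise drown the genuinely interesting `non-ssh-on-22` hits.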