May 15, 2024 at 08:00AM
The Ebury Linux botnet, active since 2009, is still growing: ESET counts more than 100,000 systems still infected at the end of 2023 and over 400,000 hosts compromised in total. ESET reports that the operators remain highly active, using a range of tactics to compromise and abuse servers, including targeting Tor exit nodes and cryptocurrency wallets.
Key takeaways from the ESET report:
– Ebury has expanded continuously over the past decade; roughly 100,000 systems were still infected at the end of 2023.
– First documented in 2014, when about 25,000 compromised systems were found, the botnet survived a takedown attempt and has received constant updates; more than 400,000 hosts have been infected since 2009.
– Many infected systems belong to hosting providers, which lets the attackers intercept SSH traffic inside the provider's network and redirect it to capture login credentials.
– Ebury is deployed with root privileges, obtained through credential stuffing, access to hypervisors, and SSH adversary-in-the-middle (AitM) attacks.
– The operators have exploited zero-day bugs in administrator software, compromised the infrastructure of other malware operators, and deployed new malware that redirects web traffic.
– Persistence relies on hijacking shared libraries and replacing original binaries with backdoored versions.
– Ebury keeps its state, configuration, and harvested credentials in memory, so little is written to disk; the operators connect to compromised servers periodically to exfiltrate the harvested credentials.
– Recent activity shows a shift in monetization toward cryptocurrency and credit-card data theft, spam sending, and credential theft, supported by purpose-built Apache modules, kernel modules, firewall-evasion tools, and AitM attacks.
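The persistence techniques listed above (hijacked shared libraries and replaced binaries) leave a trace that package metadata can expose: a library mapped into a running sshd that no installed package owns, or an OpenSSH file whose checksum no longer matches its package. The script below is an added example, not ESET's tooling or code from the Ebury report. It compares the shared objects a process has mapped against package ownership and verifies the OpenSSH packages. The `/proc/<pid>/maps` excerpt, the owned-path list and the library name `libhooked.so.1` are constructed sample input; live mode assumes a Debian-family (`dpkg`) or RPM-family (`rpm`) system and `pgrep`.

```shell
#!/bin/sh
# Added example (not ESET's or Ebury's code): flag shared objects mapped into
# sshd that no package owns, and verify the OpenSSH package files.

# Constructed /proc/<pid>/maps excerpt (sample input, not a real capture).
# libhooked.so.1 is a hypothetical name standing in for an unowned library.
SAMPLE_MAPS='7f3a2c000000-7f3a2c1b0000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a2c1b0000-7f3a2c1c0000 r--p 001b0000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a2c200000-7f3a2c230000 r-xp 00000000 08:01 1236 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a2c240000-7f3a2c250000 r-xp 00000000 08:01 1237 /usr/lib/x86_64-linux-gnu/libpam.so.0
7f3a2c300000-7f3a2c310000 r-xp 00000000 08:01 9999 /usr/lib/x86_64-linux-gnu/libhooked.so.1
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
7ffd00100000-7ffd00102000 r-xp 00000000 00:00 0 [vdso]'

# Constructed list of paths the package manager claims (what owner_of would
# confirm on a real host); libhooked.so.1 is deliberately absent.
SAMPLE_OWNED='/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcrypto.so.3
/usr/lib/x86_64-linux-gnu/libpam.so.0'

# Distinct file-backed shared objects in a maps listing passed as a string.
# Anonymous and pseudo mappings ([stack], [vdso]) have no .so path and are skipped.
mapped_libs() {
    printf '%s\n' "$1" | awk 'NF >= 6 && $6 ~ /\.so(\.|$)/ { print $6 }' | sort -u
}

# Package that owns a file, or nothing if unowned (Debian or RPM families).
owner_of() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | cut -d: -f1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null | grep -v 'not owned by'
    fi
}

# Mapped libraries absent from the owned list.
# $1: maps text, $2: owned paths, one per line.
unowned_libs() {
    mapped_libs "$1" | while IFS= read -r lib; do
        printf '%s\n' "$2" | grep -qxF -- "$lib" || printf '%s\n' "$lib"
    done
}

# Live mode: inspect every sshd process, then verify the OpenSSH packages.
live_check() {
    for pid in $(pgrep -x sshd); do
        maps=$(cat "/proc/$pid/maps" 2>/dev/null) || continue
        owned=$(mapped_libs "$maps" | while IFS= read -r lib; do
            if [ -n "$(owner_of "$lib")" ]; then printf '%s\n' "$lib"; fi
        done)
        unowned_libs "$maps" "$owned" | sed "s|^|sshd[$pid] unowned library: |"
    done
    # Checksum and permission verification of the installed OpenSSH files.
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -V openssh-server openssh-client
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-server openssh-clients
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Offline demonstration on the constructed sample: prints libhooked.so.1.
    unowned_libs "$SAMPLE_MAPS" "$SAMPLE_OWNED"
fi
```

Run it without arguments to see the sample result, or as root with `--live` (reading another user's `/proc/<pid>/maps` needs privilege). Treat hits as leads rather than verdicts: on merged-`/usr` systems the path in `maps` may differ from the one the package database recorded, producing false positives, and a root-level implant that hijacks libraries can just as well tamper with `/proc`, the package database or `dpkg`/`rpm` themselves, so a definitive answer requires checking the disk image from a trusted boot medium.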