New Linux malware steals SSH credentials from supercomputers


A new backdoor has been targeting supercomputers across the world, often stealing the credentials for secure network connections by using a trojanized version of the OpenSSH software.

 

The malware is not widespread and appears to target mostly high-performance computers (HPC) and servers on academic and research networks.

Multiplatform, high-profile targets

Security researchers at cybersecurity company ESET discovered the malware and named it Kobalos, after the misbehaving creature in Greek mythology.

 

They say that Kobalos has a small but complex codebase that can execute on other UNIX platforms (FreeBSD, Solaris). Some artifacts discovered during the analysis indicate that there may also be variants for AIX and Windows operating systems.

 

After creating a fingerprint for the threat, ESET ran internet-wide scans to find Kobalos victims. They discovered that many of the compromised systems were supercomputers and servers in the academic and research sector. Other victims include an endpoint of an undisclosed software security vendor in North America, a large ISP in Asia, marketing agencies, and hosting providers.


ESET could not establish the initial attack vector that allowed the hackers to gain administrative access to install Kobalos. However, some of the compromised systems "ran old, unsupported, or unpatched operating systems and software," so exploiting a known vulnerability is a likely scenario.

Stealing SSH creds

Although the researchers spent months analyzing the malware, they could not determine its exact purpose because of the generic commands included and no specific payload.

 

Kobalos provides remote access to the file system and it can spawn terminal sessions, which lets the attackers run arbitrary commands. Some details are available, though.

"On compromised machines whose system administrators were able to investigate further, we discovered that an SSH credential stealer was present in the form of a trojanized OpenSSH client. The /usr/bin/ssh file was replaced with a modified executable that recorded username, password and target hostname, and wrote them to an encrypted file" - ESET

 

The researchers believe that credential theft could explain how the malware spreads to other systems on the same network or other networks in the academic sector since students and researchers from multiple universities may have SSH access to supercomputer clusters.

Tiny, complex backdoor

Despite being lightweight, only 24KB for 32/64-bit samples, Kobalos is a complex piece of malware with custom obfuscation and anti-forensics techniques that hinder its analysis, and with plenty of features for its small size.

 

An interesting feature that sets Kobalos apart is that its code is bundled into a single function and there is only one call from the legitimate OpenSSH code to it. It has a non-linear control flow, though, recursively calling that function to perform subtasks, and it supports a total of 37 actions, one of which can turn any compromised machine into a command and control (C2) server for others.


The researchers discovered that remote operators have three options to connect to Kobalos:

  • open a TCP port and wait for an incoming connection (sometimes called a passive backdoor)
  • connect to another instance of Kobalos configured to run as a C2 server
  • wait for connections to an already running, legitimate service but coming from a specific TCP source port (trojanize the running OpenSSH server)

 

Kobalos also encrypts the traffic to and from the attackers. To achieve this, clients need to authenticate using an RSA-512 key and a password. The key generates and encrypts two 16-byte keys that encrypt the communication using the RC4 stream cipher.

 

Furthermore, the backdoor can switch communication to an alternative port and act as a proxy (chainable) to reach other compromised servers.


Given the tiny codebase and the power it packs, ESET says that the sophistication of Kobalos "is only rarely seen in Linux malware," which indicates a developer with much better skills than the average Linux malware author.

 

While the complexity of the malware is undisputed, questions remain about the attacker's objective and the period Kobalos has been in use (some of the strings found relate to Windows 3.11 and Windows 95, which are more than 25 years old).

 

What is certain is that Kobalos is stealing SSH credentials from high-profile victims that include high-performance computer clusters and that it has been active before other attacks against supercomputers recorded since late 2019.

 

Furthermore, unlike the already reported incidents involving HPC networks, system administrators did not find any attempt to mine for cryptocurrency or run computationally expensive tasks in the case of Kobalos.

 

ESET notified all Kobalos victims they could identify and worked with them to remediate the infection. The researchers published a full technical analysis of Kobalos that includes indicators of compromise (IoCs) that can help potential victims detect the malware.

 

 

Source: New Linux malware steals SSH credentials from supercomputers
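The article's most concrete indicator is a replaced /usr/bin/ssh (and a trojanized sshd). One defender-side check is to verify the OpenSSH binaries against the package database and flag any whose digest no longer matches. This is an added example, not code from ESET or the article; it assumes the rpm -V / dpkg --verify output layout (nine flag characters, an optional attribute letter, then the path), and the sample output below is constructed.

```python
import re
from dataclasses import dataclass

# Files the article says Kobalos tampers with: the OpenSSH client at
# /usr/bin/ssh (replaced by a credential logger) and the OpenSSH server
# (trojanized to open the backdoor for a specific TCP source port).
OPENSSH_BINARIES = {"/usr/bin/ssh", "/usr/sbin/sshd"}

# Both `rpm -V` and `dpkg --verify` print a 9-character flag field, an
# optional attribute letter (c = config file, etc.), then the path.
# A '5' in the third column means the file's digest no longer matches
# what the package manager installed; 'S' in the first means size changed.
_VERIFY_LINE = re.compile(
    r"^(?P<flags>[S.M5DLUGTP?]{9})\s+(?:[acdglr]\s+)?(?P<path>/\S+)$"
)
_MISSING_LINE = re.compile(r"^missing\s+(?:[acdglr]\s+)?(?P<path>/\S+)$")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def parse_verify_output(text: str) -> list[Finding]:
    """Turn package-verification output into a list of changed files."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _MISSING_LINE.match(line)
        if m:
            findings.append(Finding(m["path"], "missing"))
            continue
        m = _VERIFY_LINE.match(line)
        if not m:
            continue  # unrelated output (headers, warnings)
        flags = m["flags"]
        if flags[2] == "5":
            findings.append(Finding(m["path"], "digest mismatch"))
        elif flags[0] == "S":
            findings.append(Finding(m["path"], "size changed"))
    return findings


def suspicious_openssh_files(text: str) -> list[Finding]:
    """Keep only findings for the OpenSSH binaries the article names."""
    return [f for f in parse_verify_output(text) if f.path in OPENSSH_BINARIES]


# Constructed sample `rpm -V openssh*` output: a replaced ssh client,
# an expected local config edit, and nothing reported for sshd.
SAMPLE_RPM_OUTPUT = """\
S.5....T.    /usr/bin/ssh
.......T.  c /etc/ssh/ssh_config
"""
```

Run the real check with `rpm -V openssh-clients openssh-server` or `dpkg --verify openssh-client openssh-server` and feed the output to `suspicious_openssh_files`; a digest mismatch on these binaries warrants an offline comparison against a clean package copy rather than trust in the running system.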

This Linux malware is hijacking supercomputers across the globe

 

Kobalos’ codebase is tiny, but its impact is not.

 

A small but complex malware variant is targeting supercomputers worldwide.

 

Reverse engineered by ESET and described in a blog post on Tuesday, the malware has been traced back to attacks against supercomputers used by a large Asian Internet Service Provider (ISP), a US endpoint security vendor, and a number of privately-held servers, among other targets. 

 

The cybersecurity team has named the malware Kobalos in deference to the kobalos, a small creature in Greek mythology believed to cause mischief. 

 

Kobalos is unusual for a number of reasons. The malware's codebase is tiny but is sophisticated enough to impact at least Linux, BSD, and Solaris operating systems. ESET suspects it may possibly be compatible with attacks against AIX and Microsoft Windows machines, too. 

 

"It has to be said that this level of sophistication is only rarely seen in Linux malware," commented cybersecurity researcher Marc-Etienne Léveillé.

 

While working with the CERN Computer Security Team, ESET realized the "unique, multiplatform" malware was targeting high performance computer (HPC) clusters. In some cases of infection, it appears that 'sidekick' malware hijacks SSH server connections to steal credentials that are then used to obtain access to HPC clusters and deploy Kobalos. 

 

"The presence of this credential stealer may partially answer how Kobalos propagates," the team says. 

 

Kobalos is, in essence, a backdoor. Once the malware has landed on a supercomputer, the code buries itself in an OpenSSH server executable and will trigger the backdoor if a call is made through a specific TCP source port.

 

Other variants act as middlemen for traditional command-and-control (C2) server connections.

 

Kobalos grants its operators remote access to file systems, allows them to spawn terminal sessions, and also acts as a connection point to other servers infected with the malware. 

 

ESET says that a unique facet of Kobalos is its ability to turn any compromised server into a C2 through a single command. 

 

"As the C2 server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C2 server," the researchers noted. 

 

The malware was a challenge to analyze as all of its code is held in a "single function that recursively calls itself to perform subtasks," ESET says, adding that all strings are encrypted as a further barrier to reverse engineering. As of now, more research needs to be conducted into the malware -- and who may be responsible for its development.

 

"We were unable to determine the intentions of the operators of Kobalos," ESET commented. "No other malware, except for the SSH credential stealer, was found by the system administrators of the compromised machines. Hopefully, the details we reveal today in our new publication will help raise awareness around this threat and put its activity under the microscope."

 

Source

 


A New Linux Malware Targeting High-Performance Computing Clusters


High-performance computing clusters belonging to university networks as well as servers associated with government agencies, endpoint security vendors, and internet service providers have been targeted by a newly discovered backdoor that gives attackers the ability to execute arbitrary commands on the systems remotely.

 

Cybersecurity firm ESET named the malware "Kobalos" — a nod to a "mischievous creature" of the same name from Greek mythology — for its "tiny code size and many tricks."

 

"Kobalos is a generic backdoor in the sense that it contains broad commands that don't reveal the intent of the attackers," researchers Marc-Etienne M. Léveillé and Ignacio Sanmillan said in a Tuesday analysis. "In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers."

 

Besides tracing the malware back to attacks against a number of high-profile targets, ESET said the malware is capable of taking aim at Linux, FreeBSD, Solaris, and possibly AIX and Windows machines, with code references hinting at Windows 3.11 and Windows 95 legacy operating systems.

 

Kobalos infections are believed to have started in late 2019 and have since continued to remain active throughout 2020.

 

The initial compromise vector used to deploy the malware and the ultimate objective of the threat actor remain unclear as yet, but the presence of a trojanized OpenSSH client in one of the compromised systems alludes to the possibility that "credential stealing could be one of the ways Kobalos propagates."

 


No other malware artifacts were found on the systems, nor has there been any evidence that could potentially reveal the attackers' intent.

 

"We have not found any clues to indicate whether they steal confidential information, pursue monetary gain, or are after something else," the researchers said.

 

But what they did uncover shows the multi-platform malware harbors some unusual techniques, including features that could turn any compromised server into a command-and-control (C&C) server for other hosts compromised by Kobalos.

 

In other words, infected machines can be used as proxies that connect to other compromised servers, which can then be leveraged by the operators to create new Kobalos samples that use this new C&C server to create a proxy chain comprising multiple infected servers to reach their targets.

 

To maintain stealth, Kobalos authenticates connections with infected machines using a 32-byte password that's generated and then encrypted with a 512-bit RSA private key. Subsequently, a set of RC4 keys are used — one each for inbound traffic and outbound traffic — for communications with the C&C server.

 

The backdoor also leverages a complex obfuscation mechanism to thwart forensic analysis by recursively calling the code to perform a wide range of subtasks.

 

"The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems," the researchers said.

 

"Their targets, being quite high-profile, also show that the objective of the Kobalos operators isn't to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our Internet-wide scan."

 

Source
