A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud-computing infrastructure – although the purpose of the attacks remains unclear.
Uncovered by cybersecurity researchers at Juniper Threat Labs, the malicious worm has been dubbed Gitpaste-12, reflecting how it uses GitHub and Pastebin to host its component code and has 12 different means of compromising Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices.
These include 11 known vulnerabilities in products such as Asus, Huawei and Netlink routers, as well as MongoDB and Apache Struts, plus the ability to compromise systems through brute-force attacks that guess default or common usernames and passwords.
After using one of these vulnerabilities to compromise the system, Gitpaste-12 downloads scripts from Pastebin in order to provide commands before also downloading further instructions.
The malware aims to switch off defences including firewalls and monitoring software that would otherwise respond to malicious activity.
Gitpaste-12 also contains commands to disable the cloud security services of major Chinese infrastructure providers, including Alibaba Cloud and Tencent, indicating the botnet might be the first stage of a larger multi-stage operation by the attackers, although its ultimate purpose remains unknown.
However, the malware does currently have the capability to run cryptomining, meaning the attackers can abuse the computing power of any compromised system to mine for Monero cryptocurrency.
The botnet also has the ability to work as a worm that uses compromised machines to launch scripts against other vulnerable devices on the same or connected networks in an effort to replicate and spread the malware.
"No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet," researchers wrote in a blog post.
The Pastebin URL and GitHub repository being used to provide instructions to the malware have both been shut down after being reported by researchers, something which should stop the proliferation of the botnet for now. However, researchers also note that Gitpaste-12 is under ongoing development, which means there's a risk that it could return.
It is, however, possible to protect against Gitpaste-12 by cutting off its main means of spreading: applying the security patches that close the known vulnerabilities it exploits.
Users should also avoid leaving default passwords on IoT devices, as this protects against brute-force attacks that rely on default credentials and other common passwords.
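The worm behaviour described above, in which compromised hosts guess default or common credentials on neighbouring devices, leaves a recognisable trace in SSH authentication logs: a burst of failures from one source, often against several well-known account names, sometimes followed by a successful password login. The following is an added detection example written for this article, not code from Juniper Threat Labs or from the malware; the log excerpt is constructed, the IP addresses are documentation ranges, and the failure threshold of five is an assumed tuning value.

```python
"""Flag SSH credential-guessing activity in auth.log-style lines.

Detection logic added as an illustration; the sample log below is
constructed and does not come from any real incident.
"""
import re
from collections import defaultdict

# Constructed auth.log excerpt: one noisy guessing source that eventually
# succeeds with a password, and one legitimate user with a single typo.
SAMPLE_AUTH_LOG = """\
Nov  5 10:01:01 srv1 sshd[2201]: Failed password for root from 198.51.100.23 port 51001 ssh2
Nov  5 10:01:02 srv1 sshd[2202]: Failed password for invalid user admin from 198.51.100.23 port 51002 ssh2
Nov  5 10:01:03 srv1 sshd[2203]: Failed password for invalid user pi from 198.51.100.23 port 51003 ssh2
Nov  5 10:01:04 srv1 sshd[2204]: Failed password for root from 198.51.100.23 port 51004 ssh2
Nov  5 10:01:05 srv1 sshd[2205]: Failed password for invalid user ubnt from 198.51.100.23 port 51005 ssh2
Nov  5 10:01:09 srv1 sshd[2206]: Accepted password for root from 198.51.100.23 port 51006 ssh2
Nov  5 10:02:00 srv1 sshd[2210]: Failed password for alice from 203.0.113.7 port 40000 ssh2
Nov  5 10:02:30 srv1 sshd[2211]: Accepted publickey for alice from 203.0.113.7 port 40001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(log_text):
    """Return a list of dicts (result, method, user, ip) for every sshd auth line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce(events, threshold=5):
    """Report sources with at least `threshold` failed logins.

    For each flagged source the report records the number of attempts, the
    distinct account names tried, and the account name of any successful
    login that followed the failures (None if the guessing never succeeded).
    """
    failures = defaultdict(list)
    accepted_after = {}
    for ev in events:  # events are in log order
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["user"])
        elif ev["result"] == "Accepted" and failures[ip]:
            accepted_after[ip] = ev["user"]
    report = {}
    for ip, users in failures.items():
        if len(users) >= threshold:
            report[ip] = {
                "attempts": len(users),
                "users": sorted(set(users)),
                "accepted_as": accepted_after.get(ip),
            }
    return report


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['attempts']} failures against {info['users']}, "
              f"accepted as {info['accepted_as']}")
```

A source that is flagged and then shows an accepted password login is the case worth acting on first, since on a host that still has a default or common password that is exactly what a successful worm infection looks like; a flagged source with no subsequent success is a candidate for blocking at the firewall. The threshold is deliberately low for a single-host log and should be raised, or made time-windowed, when the same logic is run over a fleet.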