
DreamBus botnet targets enterprise apps running on Linux servers



Image: Zscaler

Chances are high that if you deploy a Linux server online these days and leave even the tiniest weakness exposed, a cybercrime group will ensnare it as part of its botnet.

The latest of these threats is called DreamBus.

In a report published last week, security firm Zscaler said this new threat is a variant of an older botnet named SystemdMiner, first seen in early 2019.

But current DreamBus versions have received several improvements compared with the initial SystemdMiner sightings.

Currently, the botnet targets enterprise-level apps that run on Linux systems. Targets include a wide collection of apps, such as PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service.

Some of these apps are targeted with brute-force attacks against their default administrator usernames, others with malicious commands sent to exposed API endpoints, or via exploits for older vulnerabilities.

The idea is to give the DreamBus gang a foothold on a Linux server where they can later download and install an open-source app that mines the Monero (XMR) cryptocurrency to generate income for the attackers.

Furthermore, each of the infected servers is also used as a bot in the DreamBus operation to launch further brute-force attacks against other possible targets.

Zscaler also said that DreamBus employs quite a few measures to evade easy detection. One of them is that all systems infected with the malware communicate with the botnet's command-and-control (C&C) server via the relatively new DNS-over-HTTPS (DoH) protocol. DoH-capable malware is very rare, because it is complicated to set up.
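As an added, defender-side example (not from Zscaler's report or from the DreamBus code): a small Python check that flags DoH traffic coming from servers that have no business resolving names over HTTPS, run over a constructed proxy-log sample whose layout, hostnames and timestamps are all assumed.

```python
import re

# Well-known public DoH resolver hostnames (real services) and the RFC 8484 query path.
DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google", "dns.quad9.net"}
DOH_PATH = "/dns-query"

# Assumed, constructed proxy-log layout: "<ts> host=<src> dst=<ip> dport=<port> [sni=<name>] [path=<url-path>]".
# It is not Zscaler's format or any real product's export format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: sni=(?P<sni>\S+))?(?: path=(?P<path>\S+))?$"
)

def parse_line(line):
    """Return the record as a dict, or None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_doh_activity(lines, allowed_hosts=frozenset()):
    """Return (source host, destination, reason) for each HTTPS record that looks like DoH.
    Servers normally resolve through the local resolver on port 53, so DoH from a host that is not
    explicitly allowed (e.g. desktops with a DoH-enabled browser) is a lead worth triaging."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != "443" or rec["host"] in allowed_hosts:
            continue
        sni = (rec["sni"] or "").lower()
        path = rec["path"] or ""
        if sni in DOH_HOSTS:  # TLS SNI names a known public DoH resolver
            hits.append((rec["host"], sni, "known public DoH resolver"))
        elif path.startswith(DOH_PATH):  # standard endpoint also catches self-hosted resolvers
            hits.append((rec["host"], sni or rec["dst"], "RFC 8484 /dns-query path"))
    return hits

# Constructed sample records: a database server beaconing over DoH, plus benign traffic.
SAMPLE_LOGS = [
    "2021-01-25T06:12:03Z host=db-01 dst=1.1.1.1 dport=443 sni=cloudflare-dns.com path=/dns-query?dns=AAAB",
    "2021-01-25T06:12:10Z host=db-01 dst=203.0.113.7 dport=443 sni=cdn.example.net path=/dns-query",
    "2021-01-25T06:13:00Z host=web-02 dst=203.0.113.9 dport=443 sni=updates.example.org path=/index.html",
    "2021-01-25T06:14:00Z host=db-01 dst=10.0.0.53 dport=53",
    "2021-01-25T06:15:00Z host=desktop-17 dst=1.1.1.1 dport=443 sni=cloudflare-dns.com path=/dns-query",
]

if __name__ == "__main__":
    for host, dst, why in find_doh_activity(SAMPLE_LOGS, allowed_hosts={"desktop-17"}):
        print(f"{host} -> {dst}: {why}")
```

The SNI and path signals only work where TLS inspection or a forward proxy exposes them; on raw NetFlow you are limited to destination IPs of known resolvers.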

Furthermore, to prevent the C&C server from being taken down, the DreamBus gang hosts it on the Tor network, via a .onion address.

But despite all these protective measures, Zscaler's Brett Stone-Gross believes we are seeing yet another botnet birthed and operated out of Russia or Eastern Europe.

"Updates and new commands are issued that usually start around 6:00 a.m. UTC or 9:00 a.m. Moscow Standard Time (MSK) and end roughly at 3:00 p.m. UTC or 6:00 p.m. MSK," the researcher said.

But Stone-Gross also warned companies not to take this botnet lightly. Sure, the botnet delivers a cryptocurrency miner right now, but the Zscaler researcher believes the operators could easily pivot to more dangerous payloads, such as ransomware, at any time they wished.
