
Update your Linux servers running Webmin: critical vulnerability detected

Network security researchers from Netlab have released a report stating that Linux servers running unpatched Webmin installations are the target of an ongoing attack campaign that recruits the compromised hosts into a botnet known as Roboto.

During their research, the specialists captured the bot itself and the botnet's download module, so further findings are expected to be published.

Early analysis published by the firm shows that the Roboto bot has seven functions, including:

  • Reverse shell
  • Self-uninstall
  • Command execution
  • Collection and exfiltration of network information
  • Execution of an encrypted payload fetched from a remote URL
  • Denial of Service (DoS) attacks

The report notes that, although the DoS module supports four attack variants (which one is available depends on the privileges the attackers obtain on the target Linux system), not a single Roboto DoS attack has been observed since the botnet's activity began.

To recruit a compromised system into the botnet, the threat actors exploit a Remote Code Execution (RCE) vulnerability in Webmin. The flaw, tracked as CVE-2019-15107 and fixed in Webmin 1.930, lets an attacker deliver the malicious download module to Linux servers running vulnerable installations of Webmin, the web-based Unix system administration tool.

Network security experts say Webmin has more than one million installations worldwide. The team behind the Shodan search engine reports about 230 thousand potentially exposed servers, while BinaryEdge found about 450 thousand. Note that not every Webmin server found in Internet scans runs a vulnerable version of Webmin.

The researchers also note that the server which attacked their honeypot to deliver the Roboto download module was itself running a Webmin service on TCP port 10000, an indication that already infected systems are being used to recruit further devices into the botnet.

The bot also uses several cryptographic algorithms to verify the integrity of its components and of its P2P network traffic, creates an auto-start script, and hides its files and processes to maintain persistence on the compromised system.

Although P2P botnets are not very common, they have been around for at least ten years, with well-known examples such as Nugache, Storm, Sality P2P, Miner and ZeuS P2P.

Although these botnets are known for their resilience against takedown attempts, since there is no single command-and-control server to seize or sinkhole, it is still possible to disrupt their operation and force the operators to interrupt their attacks.

Until more details about this botnet are published, network security specialists from the International Institute of Cyber Security (IICS) recommend that administrators verify that their Webmin installations carry the fix (version 1.930 or later) and that the Webmin port is not reachable from the Internet unless it has to be.
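The following POSIX shell audit is an added example for the RCE paragraph and the recommendation above; it is not code from the Netlab report, the Webmin project or IICS. It assumes that Webmin records its version in /etc/webmin/version and its listener settings (port=, bind=, passwd_mode=) in /etc/webmin/miniserv.conf, that the fix for CVE-2019-15107 shipped in 1.930, and (this example's reading of Webmin's own advisory) that on an unbackdoored build the injection in password_change.cgi is only reachable when changing of expired passwords is enabled, which corresponds to passwd_mode=2. The sample config it runs against is constructed here, not captured from a real host.

```shell
#!/bin/sh
# Added example: local audit of a Linux host for CVE-2019-15107 exposure.
# Not code from the Netlab report or the Webmin project. Assumed file
# locations: /etc/webmin/version and /etc/webmin/miniserv.conf.

FIXED_WEBMIN_VERSION="1.930"   # first release carrying the fix

# webmin_needs_upgrade VERSION -> exit 0 when VERSION is older than 1.930.
# Webmin minor numbers are three digits (1.921, 1.930, 2.001), so a short
# form such as "1.93" is right-padded to 930 before the numeric compare.
webmin_needs_upgrade() {
  awk -v v="$1" -v fixed="$FIXED_WEBMIN_VERSION" 'BEGIN {
    split(v, a, "."); split(fixed, f, ".")
    while (length(a[2]) < 3) a[2] = a[2] "0"
    while (length(f[2]) < 3) f[2] = f[2] "0"
    if (a[1] + 0 < f[1] + 0) exit 0
    if (a[1] + 0 == f[1] + 0 && a[2] + 0 < f[2] + 0) exit 0
    exit 1
  }'
}

# conf_value FILE KEY -> prints the value of the first KEY=value line
conf_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# webmin_exposed CONF -> exit 0 when miniserv binds a non-loopback address
# (no bind= line means all interfaces, which is the Webmin default).
webmin_exposed() {
  bind=$(conf_value "$1" bind)
  case "$bind" in
    ""|0.0.0.0|::) return 0 ;;
    127.*|::1)     return 1 ;;
    *)             return 0 ;;
  esac
}

# audit_webmin CONF VERSION -> prints one line per finding, returns the count
audit_webmin() {
  conf="$1"; ver="$2"; findings=0
  port=$(conf_value "$conf" port); : "${port:=10000}"
  if webmin_needs_upgrade "$ver"; then
    echo "FINDING: Webmin $ver predates $FIXED_WEBMIN_VERSION; upgrade for CVE-2019-15107"
    findings=$((findings + 1))
  fi
  if [ "$(conf_value "$conf" passwd_mode)" = "2" ]; then
    echo "FINDING: expired-password change enabled (passwd_mode=2), the precondition for the injection on unbackdoored builds (assumed mapping)"
    findings=$((findings + 1))
  fi
  if webmin_exposed "$conf"; then
    echo "FINDING: miniserv on port $port is bound to a non-loopback address; firewall it or set bind="
    findings=$((findings + 1))
  fi
  return "$findings"
}

# write_sample_conf FILE -> constructed miniserv.conf for demonstration only
write_sample_conf() {
  printf 'port=10000\nssl=1\npasswd_mode=2\n' > "$1"
}

# Demo: the constructed sample, then the local host if Webmin is installed.
SAMPLE_CONF=$(mktemp)
write_sample_conf "$SAMPLE_CONF"
rc=0; audit_webmin "$SAMPLE_CONF" "1.921" || rc=$?
echo "sample host: $rc finding(s)"
rm -f "$SAMPLE_CONF"
if [ -r /etc/webmin/version ]; then
  rc=0; audit_webmin /etc/webmin/miniserv.conf "$(cat /etc/webmin/version)" || rc=$?
  echo "this host: $rc finding(s)"
fi
```

Run it as root on each Linux host that has Webmin installed; a non-zero count means at least one of the three conditions (old version, expired-password prompt enabled, listener reachable beyond loopback) applies. The version check alone is the one that matters for the patch itself; the other two narrow the attack surface for hosts that cannot be upgraded immediately.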
