Security Researchers have discovered a new backdoor trojan, dubbed as ‘SpeakUp’ which exploits known vulnerabilities in six different Linux distributions and has the ability to infect MacOS. This trojan discovered by Check Point Research, is being utilised in a crypto mining campaign that has targeted more than 70,000 servers worldwide so far. Attackers have been using SpeakUp in a campaign to deploy Monero cryptocurrency miners on infected servers thus earning around 107 Monero coins (around $4,500).
Last month, the backdoor was spotted for the first time and researchers discovered a built-in Python script that allowed the trojan to spread through the local network, laterally. The virus remains undetected, has complex propagation tactics, and the threat surface contains servers that run the top sites on the internet.
What can this trojan do?
Vulnerable systems that have been affected by this trojan allow the hackers to perform a host of illicit activities like modification of the local cron utility to gain boot persistence, take control over shell commands, execute files downloaded from a remote command and control (C&C) server, and update or uninstall itself.
According to the researchers, SpeakUp has already been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. The hackers behind SpeakUp are using an exploit for the ThinkPHP framework to infect servers and the researchers have not seen the attackers targeting anything except ThinkPHP. The trojan has been crafted with complexity and can scan local networks for open ports, use a list of pre-defined usernames and passwords to brute-force nearby systems and take over unpatched systems using one of these seven exploits:
- CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
- CVE-2010-1871: JBoss Seam Framework remote code execution
- JBoss AS 3/4/5/6: Remote Command Execution
- CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
- CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
- Hadoop YARN ResourceManager – Command Execution
- CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.
Security researchers have also pointed out to the fact that the SpeakUp’s authors have the ability to download any code they want to the servers. “SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.”
According to Threatpost, Oded Vanunu, head of products vulnerability research for Check Point, said that “the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. Since these software can be deployed on virtual servers, all cloud infrastructure are also prone to be affected.”
According to the analysis by Check Point Research, the malware is currently distributed to Linux servers mainly located in China. Lotem Finkelstein, one of the Check Point researchers told ZDNet that “the infections in non-Chinese countries comes from SpeakUp using its second-stage exploits to infect companies’ internal networks, which resulted in the trojan spreading outside the normal geographical area of a Chinese-only PHP framework.”
You can head over to Check Point Research official post for a break down of how this trojan works as well as an analysis of its impact.