SpeakUp, a new backdoor Trojan targeting Linux servers, has the potential to evolve into something bigger and more harmful, according to security researchers.
Reported by Check Point Research earlier this week, the malware is named after its command-and-control (C&C) domain SpeakUpOmaha[dot]com, which was compromised to run C&C code at the back end. The SpeakUp backdoor Trojan is currently being used in a cryptomining campaign targeting servers in East Asia and Latin America, including systems hosted on AWS.
SpeakUp exploits known vulnerabilities in six different Linux distributions, said Lotem Finkelsteen, head of threat intelligence at Check Point Software Technologies.
“This is a malware that sits on a machine and waits for someone to send a command or additional malware for further stages,” Finkelsteen said. “For example, it waits for second stage malware to be installed on the machine and execute some of the commands, like harvesting all passwords, or intercepting all communication, or it can also be ransomware, or any other kind of malware that the threat actor would like to use or run on the infected machine.”
The fact that there are many servers out there that listen and wait for further commands and are able to receive any malware and execute it instantly, Finkelsteen said, is very disturbing.
“One possible scenario is that the attacker already has his doomsday weapon and can launch it at any given time; but if he does not have such a cyber weapon, he can rent the same servers to the highest bidder, and then we are exposed to hackers with many different capabilities,” he said.
According to the report, the initial infection vector targets the recently reported vulnerability in ThinkPHP, CVE-2018-20062, and uses command injection techniques to upload a PHP shell that serves and executes a Perl backdoor.
The affected Linux distributions are JBoss Enterprise Application Platform Multiple, JBoss Seam Framework, JBoss AS 3/4/5/6, Oracle WebLogic, Hadoop Yarn, Apache ActiveMQ and ThinkPHP, Finkelsteen said.
The SpeakUp attack is gaining momentum, Check Point researchers found. Finkelsteen said any vulnerable servers that are open to the internet are at risk, regardless of where they are hosted.
The SpeakUp backdoor Trojan also has the ability to infect Mac devices, the report stated.
Defending against the SpeakUp backdoor Trojan
One way to protect against malware like SpeakUp, Finkelsteen said, is to patch the vulnerable servers.
“Everyone should be on point with the patches available out there for different distributions to avoid future exploitation,” he said. “However, I understand from my experience in the IT domain that it’s very difficult to patch so many servers and to be on point with every patch that is available out there.”
He suggested virtual patching as an alternative.
“With so many new vulnerabilities, the more feasible alternative is [to] set up an IPS solution; it is like a virtual patching of all vulnerabilities and exploits in the wild,” he said.
Finkelsteen also advised companies to adopt proper cloud environment management practices.
“We assume that once we move everything to the cloud we are protected against such threats, but the thing is that we tend to open servers to the internet and once we do it we expose them to such attacks,” he said. “We would also have to make sure that our cloud environment is configured the right way and is not exposed to the internet without proper protections to intermediate or to intercept the connections between the internet and our crown jewels.”