
A compromise of the kernel.org servers that host Linux kernel development lasted from 2009 well into 2011, with a rootkit known as Phalanx being used to effect entry, the Slovakian security firm ESET says in a detailed report published on Tuesday.
In a 2014 report, ESET claimed a second piece of malware, Ebury, an OpenSSH backdoor and credential stealer, had likely also been placed on these systems at the time of the kernel.org breach.
"Data now at our disposal reveals additional details about the incident," ESET researcher Marc-Etienne M. Léveillé wrote on Tuesday. "Ebury had been installed on at least four servers belonging to the Linux Foundation between 2009 and 2011.
"It seems these servers acted as mail servers, name servers, mirrors, and source code repositories at the time of the compromise. We cannot tell for sure when Ebury was removed from each of the servers, but since it was discovered in 2011 it is likely that two of the servers were compromised for as long as two years, one for one year and the other for six months.
"The perpetrator also had copies of the /etc/shadow files, which overall contained 551 unique username and hashed password pairs. The cleartext passwords for 275 of those users (50%) are in possession of the attackers. We believe that the cleartext passwords were obtained by using the installed Ebury credential stealer, and by brute force."
As iTWire reported, it took 17 days for the administrators at kernel.org to find out that their systems had been compromised. The breach was disclosed on 31 August 2011, but the admins kept mum about the fact that they had taken so long to find out about it.
The Linux Foundation published a long article about the breach written by prominent kernel developer Jonathan Corbet – but it didn't offer the public this fact either. That article has now disappeared from the Web.
The Linux team has never published a detailed account of the attack, preventing anyone from learning from the incident.
ESET described Ebury as "a shared library that, when loaded, alters the behaviour of the OpenSSH client and server, injects itself into programs that use the curl library so as to exfiltrate HTTP requests made by the system, and tampers with terminal sessions spawned over SSH to hide itself".
It was "used to deploy additional malware to monetise the botnet (such as modules for web traffic redirection), proxy traffic for spam, perform adversary-in-the-middle attacks, and host supporting malicious infrastructure. Its operators have used the Ebury botnet to steal cryptocurrency wallets, credentials, and credit card details", Léveillé wrote.
ESET's 2014 report, titled Operation Windigo, pointed out that this was a campaign that used Linux malware to make money.
Léveillé wrote: "The arrest and conviction of one of the Ebury perpetrators, following the [publication of the] Operation Windigo paper did not stop the botnet from expanding. Ebury, the OpenSSH backdoor and credential stealer, was still being updated, as we reported in 2014 and 2017.
"We maintain honeypots to track new samples and network indicators. However, it has become more and more difficult to run such honeypots as Ebury evolved. For instance, one of our honeypots did not react exactly as expected when Ebury was installed.
"After spending hours trying to debug what was going on, Ebury operators finally abandoned the server and sent a message to show that they knew about our attempts at tricking them, as shown in Figure 1 [see below]."
Interactions between the Ebury perpetrators and an ESET-operated honeypot, showing that the operators had flagged this system as a honeypot.
Léveillé said the Dutch National High Tech Crime Unit had reached out to ESET in 2021 after finding Ebury on the server of a victim of cryptocurrency theft. "Working together, we gained great visibility into the recent activities of the group and the malware it uses," he added.
The new methods that Ebury uses to infect servers are shown in the figure below.
Different methods used by the Ebury gang to compromise new servers.
Léveillé noted that many hosting providers were among the victims. "The gang leverages its access to the hosting provider’s infrastructure to install Ebury on all the servers that are being rented by that provider," he explained.
"As an experiment, we rented a virtual server from one of the compromised hosting providers: Ebury was installed on our server within seven days."
He said another interesting method was the use of adversary-in-the-middle attacks to intercept the SSH traffic of interesting targets inside data centres and redirect it to a server used to capture credentials, as summarised in the figure below.
Overview of AitM attacks perpetrated by the Ebury gang.
"Ebury operators leverage existing Ebury-compromised servers in the same network segment as their target to perform ARP spoofing. According to Internet telemetry, more than 200 servers were targeted in 2023," Léveillé said.
"Among the targets are bitcoin and ethereum nodes. Ebury automatically steals cryptocurrency wallets hosted on the targeted server once the victim types the password to log into it."
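The ARP spoofing described above leaves a trace on every host in the segment: the gateway's or a peer's IP suddenly resolves to a different MAC, and one MAC answers for several IPs. The following detector is an added example, not code from the article or from ESET, and the neighbour-table snapshots it scans are constructed in the format printed by `ip neigh show`.

```python
"""Flag ARP-spoofing indicators across successive neighbour-table snapshots.

Added example (not from the article or ESET's report). A compromised host in
the same segment claims a watched IP with its own MAC; we report the MAC
change and any MAC that answers for more than one IP. Input is constructed.
"""
import re
from collections import defaultdict

# Matches lines such as "10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE";
# FAILED/INCOMPLETE entries carry no lladdr and are skipped on purpose.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(snapshot: str) -> dict:
    """Map IP -> lower-cased MAC for one `ip neigh show` snapshot."""
    table = {}
    for line in snapshot.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def find_spoofing(snapshots, watched_ips):
    """Return alert strings: MAC changes for watched IPs, MACs claiming >1 IP."""
    alerts, last_mac = [], {}
    for idx, snap in enumerate(snapshots):
        table = parse_neigh(snap)
        for ip in sorted(watched_ips):
            mac = table.get(ip)
            if mac is None:
                continue
            if ip in last_mac and last_mac[ip] != mac:
                alerts.append(f"snapshot {idx}: {ip} moved {last_mac[ip]} -> {mac}")
            last_mac[ip] = mac
        by_mac = defaultdict(set)
        for ip, mac in table.items():
            by_mac[mac].add(ip)
        for mac, ips in sorted(by_mac.items()):
            if len(ips) > 1:
                alerts.append(f"snapshot {idx}: {mac} claims {sorted(ips)}")
    return alerts

# Constructed snapshots: gateway 10.0.0.1 is legitimately at ...:01; in the
# second snapshot the peer at ...:42 (10.0.0.23) also answers for the gateway.
SNAPSHOTS = [
    "10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE\n"
    "10.0.0.23 dev eth0 lladdr 00:11:22:33:44:42 STALE\n",
    "10.0.0.1 dev eth0 lladdr 00:11:22:33:44:42 REACHABLE\n"
    "10.0.0.23 dev eth0 lladdr 00:11:22:33:44:42 REACHABLE\n"
    "10.0.0.99 dev eth0  FAILED\n",
]

if __name__ == "__main__":
    for alert in find_spoofing(SNAPSHOTS, {"10.0.0.1"}):
        print(alert)
```

In practice the snapshots would be taken periodically on the SSH servers themselves, since the compromised neighbour poisons the victim's cache, not a central monitor's.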
All graphics courtesy ESET