Ebury: A Long-Lived Linux Botnet Still Lurking in the Shadows


A recent white paper by ESET, a cybersecurity company, sheds light on a persistent threat: the Ebury botnet. First identified in 2014, Ebury has remained active for over a decade, highlighting the evolving tactics of cybercriminals and the need for continuous vigilance.

Ebury’s Arsenal: Stealth and Subterfuge

Ebury primarily targets Linux servers, exploiting vulnerabilities and weak credentials to gain access. Once established, it hides its presence by:

  • Functioning as a shared library: Ebury alters the behavior of programs by injecting itself as a shared library. This makes detection difficult as it doesn’t appear as a separate process.
  • Hijacking communication: Ebury intercepts HTTP requests made by the system, potentially stealing sensitive data like login credentials.
  • Tampering with terminal sessions: Ebury can manipulate terminal sessions to mask its activity, further hindering its detection.

These techniques allow Ebury to operate unseen, stealing valuable data and potentially serving as a launching point for further attacks on a compromised system.
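As an added illustration of the shared-library technique described above (example code written for this article, not ESET's tooling and not anything recovered from the Ebury research): a small Python helper that parses text in the format of /proc/<pid>/maps, lists the shared objects a process has loaded, and flags those mapped from outside the standard library directories or whose backing file has been deleted. It also lists entries from an /etc/ld.so.preload-style file, a mechanism that forces a library into every process. The sample mapping text, the path /dev/shm/libexample_hook.so, and all function names are constructed for this example.

```python
"""Added example: spot shared objects injected into a running process.

Parses /proc/<pid>/maps-style text. The SAMPLE_MAPS below is constructed;
on a live host, call scan_pid() on a long-running daemon such as sshd.
"""
import re
from pathlib import Path

# Directories where distribution-managed shared objects normally live.
TRUSTED_LIB_DIRS = (
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
    "/usr/local/lib/", "/usr/local/lib64/",
)

# Pathname of a shared object: ".so" optionally followed by version parts.
_SO_RE = re.compile(r"\.so(\.\d+)*$")

MAPS_FIELDS = 6  # address perms offset dev inode pathname
DELETED_SUFFIX = " (deleted)"

# Constructed sample in /proc/<pid>/maps format (not real data).
SAMPLE_MAPS = """\
5603a0c00000-5603a0c20000 r--p 00000000 08:01 131  /usr/sbin/sshd
7f2b1c000000-7f2b1c1e0000 r-xp 00000000 08:01 4021 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b1c1e0000-7f2b1c200000 r--p 001e0000 08:01 4021 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b1c300000-7f2b1c320000 r-xp 00000000 08:01 4099 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f2b1c400000-7f2b1c401000 r-xp 00000000 00:17 77   /dev/shm/libexample_hook.so
7f2b1c500000-7f2b1c510000 r-xp 00000000 08:01 4100 /usr/lib/x86_64-linux-gnu/libz.so.1 (deleted)
7f2b1c600000-7f2b1c621000 rw-p 00000000 00:00 0
7ffd0a000000-7ffd0a021000 rw-p 00000000 00:00 0 [stack]
"""


def shared_objects(maps_text):
    """Return distinct (path, deleted) pairs for shared objects in maps_text."""
    found = []
    for line in maps_text.splitlines():
        parts = line.split(None, MAPS_FIELDS - 1)
        if len(parts) < MAPS_FIELDS:
            continue  # anonymous mapping without a pathname
        path = parts[5].strip()
        deleted = path.endswith(DELETED_SUFFIX)
        if deleted:
            path = path[: -len(DELETED_SUFFIX)]
        entry = (path, deleted)
        # A library appears once per segment; report each path only once.
        if _SO_RE.search(path) and entry not in found:
            found.append(entry)
    return found


def suspicious_shared_objects(maps_text):
    """Return (path, reason) pairs for libraries a defender should inspect."""
    findings = []
    for path, deleted in shared_objects(maps_text):
        if deleted:
            findings.append((path, "backing file deleted from disk"))
        elif not path.startswith(TRUSTED_LIB_DIRS):
            findings.append((path, "loaded from outside standard library directories"))
    return findings


def preload_entries(preload_text):
    """Return active entries of an /etc/ld.so.preload-style file.

    Every entry is force-loaded into every dynamically linked program, so on
    a server any entry at all is worth verifying against the package manager.
    """
    entries = []
    for raw in preload_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def scan_pid(pid):
    """Read /proc/<pid>/maps on a live Linux host and report findings."""
    return suspicious_shared_objects(Path(f"/proc/{pid}/maps").read_text())


if __name__ == "__main__":
    for path, reason in suspicious_shared_objects(SAMPLE_MAPS):
        print(f"{path}: {reason}")
    preload = Path("/etc/ld.so.preload")
    if preload.exists():
        for entry in preload_entries(preload.read_text()):
            print(f"ld.so.preload entry: {entry}")
```

A finding is a prompt to verify, not proof of compromise: a package upgrade while a daemon keeps running also leaves "(deleted)" mappings until the service restarts, and some software legitimately ships libraries under /opt or an application directory. Checking a flagged path against the package manager's file ownership and the current on-disk checksum is the natural next step.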

According to the ESET research paper, a total of 400,000 Linux servers were compromised for cryptocurrency theft and other financial gain.

  • Ebury actors have been pursuing monetization activities subsequent to our 2014 publication on Operation Windigo, including the spread of spam, web traffic redirections, and credential stealing.
  • Additionally, we have confirmed that operators are also involved in cryptocurrency heists by using AitM and credit card stealing via network traffic eavesdropping, commonly known as server-side web skimming.
  • Over the years, Ebury has been deployed to backdoor almost 400,000 Linux, FreeBSD, and OpenBSD servers, and more than 100,000 were still compromised as of late 2023.
  • Researchers uncovered new malware families authored and deployed by the gang for financial gain, including Apache modules and a kernel module to perform web traffic redirection.
  • In many cases, Ebury operators were able to gain full access to large ISPs and well-known hosting providers. They used that access to deploy Ebury on the partial or complete server infrastructure hosted by that provider.
  • Ebury also compromised the infrastructure of other threat actors, including Vidar Stealer and many others, to steal data stolen by those other groups and copycat competing operations to blur attribution attempts.
  • Ebury operators also used zero-day vulnerabilities in administrator software to compromise servers in bulk. The data we obtained confirmed a number of suspected victims, including the compromise of kernel.org from 2009 to 2011.
  • ESET provides a set of tools and indicators to help system administrators determine whether their systems are compromised by Ebury.

Ebury’s Evolution: Adapting to Stay Ahead

The ESET report reveals that Ebury’s operators are constantly evolving their tactics. While some initial efforts were thwarted by law enforcement, the botnet continues to function and adapt. This highlights the importance of staying informed about emerging threats and implementing robust security measures.

The Continuing Cyber Threat: What Can Be Done?

The Ebury case serves as a stark reminder for organizations that rely on Linux servers. Here are some key takeaways:

  • Patch and update regularly: Applying security patches promptly is crucial to address known vulnerabilities that Ebury might exploit.
  • Enforce strong credentials: Implement strong password policies and consider multi-factor authentication to make unauthorized access more difficult.
  • Monitor for suspicious activity: Utilize security tools that can monitor system activity and detect anomalies that might indicate a compromised server.
  • Stay informed: Keep yourself updated on the latest cybersecurity threats and best practices to stay ahead of evolving tactics employed by cybercriminals like the Ebury group.

By following these recommendations, organizations can significantly reduce their risk of falling victim to Ebury and other Linux-based threats.

Ebury’s persistence underscores the need for a multi-pronged approach to cybersecurity. Regular vigilance, robust security practices, and a proactive approach to threat mitigation are all essential to safeguard critical systems and data.
