The Chalubo botnet is probing enterprises to exploit weak passwords and vulnerable devices
New research from Sophos Labs has uncovered a new sophisticated botnet that targets enterprise SSH servers with an advanced combination of brute force attack and encrypted components. Once the bot has gained access, it’s designed to wreak havoc in enterprise networks via coordinated denial-of-service disruption. Chalubo is remarkable for aiming techniques usually associated with attacks on Windows servers at Linux environments.
The wizards at Sophos have named this new family of bots they observed, Chalubo, due to the use of the ChaCha stream cipher to encrypt the main bot component and its script.
Chalubo is foremost a brute-force attack on SSH servers. This means a bot tries to guess usernames and passwords. If the target organization has a soft target with a poorly chosen or default password, then the bot gains access. Brute force attacks are common and we find these kinds of attacks constantly in honeypot research.
Chalubo stands out because of what happens after the bot has gained privileged access.
“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks. Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware.” Timothy Easton, Sophos Labs
While Windows dominates the OS market overall, Linux is significant for enterprises. W3Techs claims that 70 percent of the top 10 million Alexa domains are powered by Linux servers. More and more cloud servers use Linux. If hackers can get access to private clouds and public clouds, they get closer and closer to critical systems and valuable data. Chalubo shows quite a standard level of sophistication for a Windows attack, but it seems fresh for Linux, and overall targeting Linux servers is getting more popular.
Attacks like Chalubo target poorly configured devices
Brute force attacks are a different approach to the phishing for user clicks that we experience in our own daily digital lives. To bots like the Chalubos if you have a connected server, peripheral or IoT device using weak passwords, you are vulnerable.
After password discovery and infecting the target device with the malicious payload, hackers can easily observe traffic inside the network and identify high value targets. Hackers then use sophisticated command and control (C2) servers to send new scripts and new components to other network nodes. From that one original weak password, hackers can try to plant malware on thousands of machines to ready a DDoS attack or prepare for ransomware or data exfiltration. A nightmare for the enterprise.
How to thwart brute force attacks
Sophos give sage advice on the basic steps to mitigate against this type of brute force attack:
“Since the primary method of this bot infecting systems is through the use of common username and password combinations against SSH servers, we recommend that sysadmins of SSH servers (including embedded devices) change any default passwords on those devices, because the brute force attempts to cycle through common, publicly known default passwords.” Timothy Easton, Sophos Labs
My advice for enterprises and any regulated organization is a little stronger:
“Remove and prohibit password authentication from any services available from the public internet and replace with cryptographic keys and/or multi-factor authentication.”
To mitigate the threat from brute force attacks, all new machines, servers, IoT devices and peripherals must comply with your organization’s policies. Major enterprises in highly regulated industries should already have IT best practice and policies in place that prohibit and prevent devices with weak credentials being added to network infrastructure. Botnets are constantly probing for the weakest link – for the weakest credentials – in your environment.
This is crucial in the era of BYOD and IoT. As Armis highlight, multi-function smart printers, tablets, webcams and audio devices are the kinds of networked peripherals that can slip through the corporate IT net and provide hackers with an easy way in. Of course, it’s also vital to patch:
“Keep all software updated wherever possible. It’s one reason I believe in centralized solutions and no agents on endpoints. The goal has to be to reduce the risk from unpatched vulnerabilities.”
Enterprise readiness in the face of sophisticated botnets
Organizations that are totally dependent on data flow, such as finance and tech, and those with thousands or millions of IoT devices and machine-to-machine connections, typically already use SSH Keys to grant access. However, when we assess such environments, we typically find unmanaged keys and poorly managed keys, and the need for key lifecycle management to gain compliance and pass security audits.
In industries without laser sharp focus on privileged access compliance, and in Small-to-Medium Sized Enterprises (SMEs), we find legacy ad hoc solutions to the day-to-day business of granting privileged access: default passwords for root access, spreadsheets of root keys, self-provisioning, and limited policy compliance, or no policies at all. For SMEs with more modest needs e.g. hundreds of servers and dozens of users in R&D and DevOps, I advocate a unified and totally credentialess approach to provisioning access.
...and a gentle reminder:
Don’t let IoT devices, BYOx and peripherals slip through the net
If you want to talk more about taking credentials out of the enterprise risk equation, please get in touch.
Markku
PS. For a chance to quiz whitehat Sabu and discuss the latest threats, check out our exclusive CyberWatch after work event in NYC on November 7...
Markku Rossi
Markku Rossi is CTO and responsible for R&D at SSH.COM. Markku was with SSH from 1998-2005 as a Chief Engineer and was a major contributor to the SSH software architecture. Prior to rejoining the company in 2015, he co-founded several companies such as Codento and ShopAdvisor, and served as CTO at Navicore and as...