DreamBus botnet targets enterprise apps running on Linux servers

by | Jan 26, 2021

DreamBus botnet linux

Post Views: 570

style="display:block" data-ad-client="ca-pub-6620833063853657" data-ad-slot="8337846400" data-ad-format="auto" data-full-width-responsive="true">
 
 
 

 

 

Reading Time: 1 Minute

 

 

DreamBus botnet uses exploits and brute-force to target PostgreSQL, Redis, SaltStack, Hadoop, Spark, and others.

 

 

 

 
  

 

 

Chances are that if you deploy a Linux server online these days and you leave even the tiniest weakness exposed, a cybercrime group will ensnare it as part of its botnet.

The latest of these threats is named DreamBus.

Analyzed in a report published last week by security firm Zscaler, the company said this new threat is a variant of an older botnet named SystemdMiner, first seen in early 2019.

But current DreamBus versions have received several improvements compared to initial SystemdMiner sightings [123].

Currently, the botnet targets enterprise-level apps that run on Linux systems. Targets include a wide collection of apps, such as PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service.

 

 
See Also: Hacker leaks data of 2.28 million dating site users

 

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

 

Some of these apps are targeted with brute-force attacks against their default administrator usernames, others with malicious commands sent to exposed API endpoints, or via exploits for older vulnerabilities.

The idea is to give the DreamBus gang a foothold on a Linux server where they could later download and install an open-source app that mines the Monero (XMR) cryptocurrency to generate profits for the attackers.

Furthermore, each of the infected servers is also used as a bot in the DreamBus operation to launch further brute-force attacks against other possible targets.

Zscaler also said that DreamBus employed quite a few measures to prevent easy detection. One of them was that all systems infected with the malware communicated with the botnet’s command and control (C&C) server via the new DNS-over-HTTPS (DoH) protocol. DoH-capable malware is very rare, as it’s complex to set up.

 

See Also: Offensive Security Tool: Shad0w

 

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

 

 

 

Furthermore, to prevent the C&C server from being taken down, the DreamBus gang hosted it on the Tor network; via a .onion address.

But despite all these protective measures, Zscaler’s Brett Stone-Gross believes we’re seeing yet another botnet birthed and operated out of Russia, or Eastern Europe.

“Updates and new commands are issued that typically start around 6:00 a.m. UTC or 9:00 a.m. Moscow Standard Time (MSK) and end approximately at 3:00 p.m. UTC or 6:00 p.m. MSK,” the researcher said.

 

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

 

See Also:SolarWinds Supply Chain Hack – The hack that shone a light on the gaps in the cybersecurity of governments and big companies

 

 

But Stone-Gross also warned companies not to take this botnet lightly. Sure, the botnet delivers a cryptocurrency miner right now, but the Zscaler researcher believes operators could easily pivot to more dangerous payloads, such as ransomware, at any time they wanted.

 

 

 

Source: www.zdnet.com

 

 
(Click Link)

 

 

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This