Ebury Botnet Bonanza: 400K Linux Servers Hacked for Cash Cow Chaos!

Ebury botnet, a pesky malware VIP, has RSVP’d uninvited to 400,000 Linux servers’ parties, still chilling on 100K of them. ESET’s scoop? It’s a financial fiesta of spam, crypto heists, and credit card skimming. Remember, no server is safe from this gatecrasher!

Hot Take:

Move over zombies, here come the Linux servers! Ebury’s been playing the long game, quietly amassing an army of servers for over a decade – and no, they’re not just mining Bitcoin or retweeting your favorite cat memes. They’re out there hustling like a Silicon Valley startup, diversifying their portfolio with spam, skimming, and crypto heists. It’s like the Swiss Army knife of malware, only less handy and more ‘give me all your money’. And let’s not forget, these guys are real masters of disguise, using stolen identities like they’re trying on Halloween costumes. Trick or treat? Definitely trick.

Key Points:

  • Ebury botnet has been compromising Linux servers since 2009, with over 100,000 still infected.
  • Maxim Senakh, one of the botnet’s masterminds, got a slap on the wrist with nearly four years in the clink.
  • ESET’s sleuths discovered Ebury’s bag of tricks includes SSH credential theft, exploiting hosting providers, and even snatching malware from other crooks.
  • This malware all-star team includes HelimodSteal and KernelRedirect, which help with credit card skimming and ad redirection (because who doesn’t love surprise ads?).
  • HTTPS encryption won’t save you here; Ebury’s got a backstage pass to servers, stealing credit card data right from the source.

CVE details:

  • CVE ID: CVE-2021-45467
  • State: PUBLISHED
  • Assigner short name: mitre
  • Date updated: 12/26/2022
  • Description: In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.
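The CVE record above boils down to one thing a defender can look for: a `scripts` parameter whose value only turns into a `../` traversal once the %00 bytes are dropped. The following is an added example, not code from the original post or from the CWP project. It scans constructed Apache-style access-log lines for NUL bytes in query parameters, reports whether stripping them yields traversal, and shows the kind of allowlist validator a loader could apply to the parameter; the log lines and the regex are assumptions for illustration.

```python
"""Defender-side detection of the CVE-2021-45467 request pattern:
NUL bytes (%00) in the loader.php 'scripts' parameter.
Added example; not part of the original post or of the CWP project."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Dec/2022:10:01:02 +0000] "GET /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.6 - - [26/Dec/2022:10:01:09 +0000] "GET /user/loader.php?api=1&scripts=.%00%00%00./.%00%00%00./api/account_new_create&acc=test HTTP/1.1" 200 512 "-" "python-requests/2.28"
10.0.0.7 - - [26/Dec/2022:10:02:00 +0000] "GET /user/loader.php?api=1&scripts=dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - - [26/Dec/2022:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request path, status (assumed combined-log layout)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def null_byte_params(raw_path):
    """Return {param: decoded value} for query parameters whose value contains
    a NUL byte. parse_qs decodes once; the extra unquote catches %2500
    (double-encoded) input as well."""
    query = urlsplit(raw_path).query
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if "\x00" in decoded:
                hits[name] = decoded
    return hits


def null_stripped_traversal(value):
    """True when removing the NUL bytes leaves '..' path segments, i.e. the
    value becomes a directory traversal only after the NULs are discarded."""
    cleaned = value.replace("\x00", "")
    return any(seg == ".." for seg in re.split(r"[\\/]", cleaned))


def scan_log(text):
    """Return one finding per request whose query string carries NUL bytes."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, timestamp, method, path, status = match.groups()
        hits = null_byte_params(path)
        if hits:
            findings.append({
                "client": client,
                "time": timestamp,
                "path": urlsplit(path).path,
                "params": hits,
                "traversal": any(null_stripped_traversal(v) for v in hits.values()),
            })
    return findings


# Allowlist for a script selector: letters, digits, underscore, dash, slash.
SAFE_SCRIPT_RE = re.compile(r"^[A-Za-z0-9_/-]+$")


def validate_script_param(value):
    """Hypothetical allowlist check a loader could apply before resolving a
    'scripts' value. Dots (and therefore '..'), NUL bytes and empty path
    segments are rejected outright."""
    decoded = unquote(value)
    if "\x00" in decoded or not SAFE_SCRIPT_RE.match(decoded):
        return False
    return all(seg != "" for seg in decoded.split("/"))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        flag = "TRAVERSAL" if finding["traversal"] else "nul-bytes"
        print(f'{finding["time"]} {finding["client"]} {finding["path"]} {flag} {finding["params"]}')
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; the useful signal is the `traversal` flag, since a NUL byte that does not produce `..` after stripping is usually just broken client software rather than this pattern.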

Need to know more?

Malware's Most Wanted

ESET's deep dive into Ebury is like a true-crime podcast for cybersecurity nerds. They've been tracking this botnet's shenanigans for years, and it’s a saga of cybercrime that would make even Ocean's Eleven blush. We're talking about high-stakes heists with a side of spam – because nothing says 'I'm stealing your data' quite like a side of unsolicited email offers.

The Rise and Fall of a Cybercriminal

Picture this: Maxim Senakh, living his best cybercriminal life, aiding and abetting Ebury to rake in those illicit millions. But alas, in the tradition of all great crime stories, he gets nabbed and sentenced to a stay at the gray-bar hotel. He probably had to trade in his keyboard for a harmonica.

The Art of Server Side Deception

It's like Ebury's operators are playing a game of cyber chess, and they're grandmasters. They’re not just phishing for your SSH credentials; they’re out there manipulating web hosting providers and exploiting vulnerabilities like they're collecting stamps. This botnet is like the ultimate puppeteer, pulling the strings on servers across the globe.

A Cyber Swiss Army Knife

Imagine a Swiss Army knife, but instead of a tiny pair of scissors and a barely usable saw, you've got HelimodSteal and HelimodRedirect. These tools aren't for cutting rope; they're for slicing through your security and redirecting traffic to ad land. And then there's KernelRedirect, which is like that one friend who always changes plans at the last minute, except it's redirecting your HTTP traffic.

The Unseen Skimmer

Think your credit card information is safe behind that comforting green padlock of HTTPS encryption? Think again. Ebury's like a magician that doesn’t need to distract you with a puff of smoke – it goes straight for the card up your sleeve, or in this case, the credit card info from your server.
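Both the "Swiss Army knife" section above and this one come down to something running inside the web server itself, after TLS has already been terminated. One routine check a defender can automate is comparing the server's loaded modules against a known-good baseline. The following is an added example and not code from the original post or from ESET; the `apachectl -M`-style output, the `LoadModule` lines, the module names and the allowed directories are all constructed for illustration (the suspicious names are placeholders, not real indicators), and the baseline would come from your own clean build.

```python
"""Compare a web server's loaded modules and LoadModule directives against a
baseline. Added example; sample data and module names are constructed."""
import re

# Constructed baseline: the module set recorded from a known-clean build.
BASELINE_MODULES = {
    "core_module", "so_module", "http_module", "mpm_event_module",
    "rewrite_module", "ssl_module", "php_module",
}

# Directories a legitimate module binary is expected to live in (assumed).
ALLOWED_MODULE_DIRS = ("modules/", "/usr/lib64/httpd/modules/", "/usr/lib/apache2/modules/")

# Constructed sample in the style of `apachectl -M` output.
SAMPLE_APACHECTL_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 rewrite_module (shared)
 ssl_module (shared)
 php_module (shared)
 example_unexpected_module (shared)
"""

# Constructed sample LoadModule directives as they might appear in httpd.conf.
SAMPLE_CONFIG = """\
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule php_module /usr/lib64/httpd/modules/libphp.so
LoadModule example_unexpected_module /tmp/.cache/mod_example.so
"""

MODULE_LINE_RE = re.compile(r"^\s*(\w+)\s+\((static|shared)\)\s*$")
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\w+)\s+(\S+)", re.IGNORECASE)


def parse_loaded_modules(text):
    """Map module name -> 'static'/'shared' from `apachectl -M` style output."""
    modules = {}
    for line in text.splitlines():
        match = MODULE_LINE_RE.match(line)
        if match:
            modules[match.group(1)] = match.group(2)
    return modules


def parse_loadmodule_directives(text):
    """Map module name -> binary path from LoadModule directives."""
    directives = {}
    for line in text.splitlines():
        match = LOADMODULE_RE.match(line)
        if match:
            directives[match.group(1)] = match.group(2)
    return directives


def unexpected_modules(loaded, baseline):
    """Modules present at runtime that the baseline does not know about."""
    return sorted(set(loaded) - set(baseline))


def modules_outside_allowed_dirs(directives, allowed_dirs):
    """Modules whose binary is loaded from a directory not in the allowlist."""
    return sorted(
        name for name, path in directives.items()
        if not any(path.startswith(prefix) for prefix in allowed_dirs)
    )


def audit(apachectl_output, config_text, baseline=BASELINE_MODULES,
          allowed_dirs=ALLOWED_MODULE_DIRS):
    """Return both kinds of deviation in one report dict."""
    loaded = parse_loaded_modules(apachectl_output)
    directives = parse_loadmodule_directives(config_text)
    return {
        "not_in_baseline": unexpected_modules(loaded, baseline),
        "bad_location": modules_outside_allowed_dirs(directives, allowed_dirs),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_APACHECTL_M, SAMPLE_CONFIG)
    for kind, names in report.items():
        print(kind, names or "none")
```

In practice the `apachectl -M` output and the configuration are read from the host being checked, and a hit in either list is a prompt to verify the module binary against its package and check who deployed it, not proof of compromise on its own.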

So there you have it, folks. Ebury's been on a world tour, and instead of selling concert tees, they're peddling a mixtape of malware hits, with tracks featuring spam, skimming, and a whole lot of stolen data. Now that's a chart-topper no one wants to be featured on.

Tags: Control Web Panel vulnerabilities, Ebury botnet, Linux Server Security, Maxim Senakh, Operation Windigo, Server-side web skimming, SSH credential theft