The new version of the botnet changes the paradigm from DDoS attacks to mining.
Aqua Security researchers have discovered a new variant of the Gafgyt botnet that actively attacks cloud-hosted servers with weak SSH passwords. The malware uses the GPUs of the compromised hosts to mine cryptocurrency.
The Gafgyt botnet (also known as BASHLITE, Lizkebab, and Torlus) has been active since 2014 and became notorious for exploiting weak or default passwords to take control of routers, cameras, and DVRs. Gafgyt's arsenal also includes exploits for known vulnerabilities in Dasan, Huawei, Realtek, SonicWall, and Zyxel devices. Captured devices are enrolled in a botnet used to launch DDoS attacks.
The new version of Gafgyt brute-forces SSH servers that use weak passwords and then launches cryptocurrency miners through a component named "systemd-net". Before doing so, the botnet kills competing malware already running on the compromised machine so that it has the system's resources to itself.
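The first stage described above, a password-guessing burst against sshd followed by a successful login, leaves a recognisable trace in the host's auth log. The following detector is an added example written for this post, not code from Aqua Security or from the botnet itself; it parses standard OpenSSH "Failed password" / "Accepted password" lines, counts failures per source IP inside a sliding window, and upgrades the verdict to "compromised" when a password login succeeds from an IP that has just crossed the threshold. The log lines, hostnames and addresses are constructed sample data, and the threshold and window are assumed defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not from the report). One source guesses
# five passwords in five seconds and then gets in; a legitimate user mistypes once.
SAMPLE_AUTH_LOG = """\
Aug 12 10:00:01 cloud-vm sshd[2100]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 12 10:00:02 cloud-vm sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Aug 12 10:00:03 cloud-vm sshd[2102]: Failed password for root from 203.0.113.7 port 51238 ssh2
Aug 12 10:00:04 cloud-vm sshd[2103]: Failed password for invalid user ubuntu from 203.0.113.7 port 51240 ssh2
Aug 12 10:00:05 cloud-vm sshd[2104]: Failed password for root from 203.0.113.7 port 51242 ssh2
Aug 12 10:00:06 cloud-vm sshd[2105]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Aug 12 10:03:10 cloud-vm sshd[2110]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Aug 12 10:03:40 cloud-vm sshd[2111]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# Matches the stock OpenSSH password/publickey result lines (syslog prefix without year).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Return a dict for one sshd auth line, or None if it is not a login result.
    Syslog timestamps carry no year, so one is assumed (default 2024)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(log_text, threshold=5, window_s=60):
    """Return {ip: verdict} for source IPs that reach `threshold` failed password
    logins within `window_s` seconds. The verdict is 'brute-force', or
    'compromised' if a password login later succeeds from that IP."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    verdicts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "password":
            continue                # key-based logins are not guessable
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # keep only the failures that fall inside the sliding window
            failures[ip] = [t for t in failures[ip]
                            if (ev["ts"] - t).total_seconds() <= window_s]
            if len(failures[ip]) >= threshold:
                verdicts.setdefault(ip, "brute-force")
        elif ev["result"] == "Accepted" and ip in verdicts:
            verdicts[ip] = "compromised"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_brute_force(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {verdict}")
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh -o short`) instead of the sample to get per-IP verdicts. A per-IP threshold is the simplest form and is what fail2ban-style tooling does; a worm spreading from many infected nodes can stay under it by spraying a few guesses per source, so the "compromised" branch (any password success following failures) is the signal worth alerting on even at low counts, and the durable fix is to disable password authentication entirely.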
In addition, Gafgyt uses a worm written in Go that scans the Internet for poorly protected servers and infects them, expanding the botnet. The worm scans for SSH and Telnet services and for credentials associated with game servers and with AWS, Azure, and Hadoop cloud environments.
The attackers' main goal is to run the XMRig miner, which mines the Monero cryptocurrency. They pass XMRig the --opencl and --cuda flags so that it uses the GPU's processing power as well as the CPU.
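The --opencl and --cuda flags, a pool URL, and a system-daemon-like process name running from a temporary directory are the kind of command-line indicators a responder would look for on a suspected host. The scorer below is an added example for this post, not code from Aqua Security or from the malware; it reads a `ps -eo pid,user,args` style listing and scores each process on those indicators. It assumes the miner keeps XMRig's stock option names, that the "systemd-net" name reported above is used as a process-name masquerade, and that legitimate systemd binaries live only under the listed system directories; the process listing, paths, pool host and wallet string are constructed sample data.

```python
import re
import shlex

# Constructed `ps -eo pid,user,args` output (not from the report). Two miners, one
# legitimate GPU job that also uses --cuda, and two benign system processes.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  812 root     /lib/systemd/systemd-networkd
 4211 root     /tmp/.x/systemd-net -o stratum+tcp://pool.example:3333 -u 4ABCDEFexamplewallet --opencl --cuda --donate-level 1
 4300 ubuntu   python3 train.py --cuda
 4402 root     /var/tmp/kworkerds --algo rx/0 --url pool.example:443 --tls -k
"""

PS_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<args>.+)$")

GPU_FLAGS = {"--opencl", "--cuda"}          # the GPU backends named in the report
# Other stock XMRig options (assumption: the miner is not rebuilt with renamed flags)
OTHER_XMRIG_FLAGS = {"--donate-level", "--algo", "--url", "--tls", "-k", "--keepalive",
                     "--nicehash", "--coin", "--huge-pages", "--randomx-1gb-pages"}
# stratum://host:port, or a bare host:port as XMRig accepts for -o/--url
POOL_RE = re.compile(r"^(stratum\+(tcp|ssl|tls)://|[\w.-]+:\d{2,5}$)")
# Names that imitate system daemons, and where the real ones live (assumption)
MASQUERADE_PREFIXES = ("systemd", "kworker", "kthreadd")
SYSTEM_DIRS = ("/lib/systemd/", "/usr/lib/systemd/", "/usr/bin/", "/usr/sbin/",
               "/bin/", "/sbin/")


def score_process(argv):
    """Score one argv list. Returns (score, reasons); score >= 3 is treated as a miner."""
    score, reasons = 0, []
    exe, rest = argv[0], argv[1:]
    name = exe.rsplit("/", 1)[-1]
    flags = {a.split("=", 1)[0] for a in rest if a.startswith("-")}

    gpu = flags & GPU_FLAGS
    if gpu:
        score += 2
        reasons.append("GPU mining flag " + "/".join(sorted(gpu)))

    # pool target: the value after -o/--url, or --url=<target>
    targets = [a.split("=", 1)[1] for a in rest if a.startswith("--url=")]
    targets += [rest[i + 1] for i, a in enumerate(rest[:-1]) if a in ("-o", "--url")]
    pools = [t for t in targets if POOL_RE.match(t)]
    if pools:
        score += 2
        reasons.append("pool target " + pools[0])

    other = sorted(flags & OTHER_XMRIG_FLAGS)
    if other:
        score += 1
        reasons.append("XMRig options " + " ".join(other))

    # a daemon-like name executing from outside the system directories
    if name.startswith(MASQUERADE_PREFIXES) and not exe.startswith(SYSTEM_DIRS):
        score += 2
        reasons.append(f"{name} running from {exe}, outside system directories")
    return score, reasons


def find_miners(ps_text, min_score=3):
    """Return {pid: {user, score, reasons}} for processes scoring at least min_score."""
    found = {}
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue                # header line or blank
        score, reasons = score_process(shlex.split(m["args"]))
        if score >= min_score:
            found[int(m["pid"])] = {"user": m["user"], "score": score, "reasons": reasons}
    return found


if __name__ == "__main__":
    for pid, info in find_miners(SAMPLE_PS).items():
        print(pid, info["user"], info["score"], "; ".join(info["reasons"]))
```

Feed it `ps -eo pid,user,args` output from a live host. The GPU flag alone scores 2, so a genuine CUDA workload such as the `train.py` job is not flagged; it takes a pool target, further miner options, or the daemon-name masquerade to cross the threshold. A miner that has deleted its binary after launch will still show the original path in `/proc/<pid>/exe` with a "(deleted)" suffix, which is worth checking alongside the command line.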
Unlike earlier versions, the new botnet is aimed at cloud environments with powerful CPUs and GPUs rather than at DDoS attacks. According to Shodan, more than 30 million SSH servers are reachable from the Internet, which underlines the need for measures against brute-force attacks and the compromise that follows them.
It is also noteworthy that in the period from December 14 to December 31, 2020, after the outbreak of the pandemic, researchers identified a total of 18,000 unique hosts and about 900 unique payloads. The most common infections were caused by the Gafgyt and Mirai malware families, which together accounted for 97% of the 900 payloads.