    New Gafgyt Botnet Variant Exploits Weak SSH Passwords for GPU-Based Cryptocurrency Mining

    Cybersecurity experts have unearthed an evolved strain of the Gafgyt botnet, which is now preying on devices with frail SSH credentials to harness their GPU power for cryptocurrency mining operations.

    This revelation underscores a shift where “the IoT botnet is now targeting more resilient servers within cloud-native frameworks,” as observed by Aqua Security researcher Assaf Morag in a recent analysis.

    Gafgyt (alternatively known as BASHLITE, Lizkebab, and Torlus), which has been operational since 2014, is notorious for capitalizing on weak or default passwords to commandeer devices such as routers, cameras, and digital video recorders (DVRs). Additionally, it can exploit vulnerabilities present in devices from Dasan, Huawei, Realtek, SonicWall, and Zyxel.

    Once infected, these devices are aggregated into a botnet capable of executing distributed denial-of-service (DDoS) attacks against targeted victims. Evidence suggests that Gafgyt and Necro are managed by a threat group identified as Keksec, also known as Kek Security and FreakOut.

    IoT botnets like Gafgyt are in a state of continuous evolution, regularly incorporating new functionalities. Variants detected in 2021, for instance, utilized the TOR network to obscure malicious activities and borrowed modules from the leaked Mirai source code. Notably, Gafgyt’s source code was disseminated online in early 2015, which has catalyzed the development of various new iterations.

    The current attack methodology involves systematically brute-forcing SSH servers that use weak passwords, then deploying follow-on payloads that carry out cryptocurrency mining via “systemd-net.” This occurs only after expunging any competing malware present on the compromised host.

    Moreover, it deploys a worming module—a Go-based SSH scanner dubbed ld-musl-x86—that scans the internet for inadequately secured servers and propagates the malware to other systems, thereby amplifying the botnet’s reach. The scanner targets SSH and Telnet services as well as credentials associated with gaming servers and cloud platforms such as AWS, Azure, and Hadoop.

    “The cryptominer employed is XMRig, designed for Monero cryptocurrency mining,” Morag explained. “In this instance, the threat actor aims to deploy a cryptominer utilizing the --opencl and --cuda flags to harness GPU and Nvidia GPU computational resources.”

    “This, coupled with the fact that the primary impact of the threat actor is crypto-mining rather than DDoS attacks, reinforces our assertion that this variant is distinct from its predecessors. It is specifically targeting cloud-native environments endowed with potent CPU and GPU capabilities.”
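    As an added example (not code from the article or from Aqua Security), the following Python script checks for the two observable stages described above: the brute-force-then-success pattern in sshd logs, and a process list for XMRig launched with the --opencl/--cuda flags or for the “systemd-net” payload name. The log lines, process listing, pool address and PIDs are constructed samples, not indicators from the report.

```python
import re

# Constructed sshd log sample (not from the article): three password failures from one
# source, then a successful password login, as the brute-force stage described above produces.
SAMPLE_AUTH_LOG = """\
Aug 14 10:01:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 14 10:01:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Aug 14 10:01:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Aug 14 10:01:04 host sshd[1204]: Accepted password for root from 203.0.113.5 port 51237 ssh2
Aug 14 10:02:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
"""

# Constructed `ps -eo pid,args` style output; the payload name "systemd-net" and the
# --opencl/--cuda XMRig flags are the indicators named in the article.
SAMPLE_PS = """\
  PID COMMAND
    1 /sbin/init
  842 /lib/systemd/systemd-networkd
 2317 /tmp/systemd-net
 2320 /tmp/.x/xmrig --opencl --cuda -o pool.invalid:3333
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)
def detect_ssh_bruteforce(log_text, threshold=3):
    """Map source IP -> (prior failures, user) for password logins preceded by >= threshold failures."""
    failures, hits = {}, {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # non-password events (e.g. publickey) are not counted
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] = failures.get(ip, 0) + 1
        elif failures.get(ip, 0) >= threshold:
            hits[ip] = (failures.get(ip, 0), user)
    return hits

# "systemd-net" must end at a word boundary so the legitimate systemd-networkd is not flagged.
MINER_RE = re.compile(r"xmrig|--opencl\b|--cuda\b|(?:^|/)systemd-net\b")
def flag_miner_processes(ps_text):
    """Return PIDs whose command line carries one of the miner indicators."""
    flagged = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        pid, _, cmd = line.strip().partition(" ")
        if MINER_RE.search(cmd):
            flagged.append(int(pid))
    return flagged
```

On a real host, feed `journalctl -u ssh` or `/var/log/auth.log` to the first function and `ps -eo pid,args` to the second; a hit from the first paired with a hit from the second is the sequence this variant leaves behind.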

    Data acquired from Shodan indicates there are over 30 million SSH servers accessible to the public, highlighting the critical need for users to fortify their systems against brute-force assaults and potential exploitation.
