The 15-year-old Ebury Botnet Compromised 400,000 Linux Servers

1 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 5 (1 votes, average: 5.00 out of 5, rated)
Ebury Botnet Malware

Since 2009, around 400,000 Linux servers have been compromised by a malware botnet known as Ebury; as of late 2023, over 100,000 servers remained hacked.

Over the previous 15 years, the malware has infected at least 400,000 Linux servers, according to researchers with the cybersecurity company ESET. As of late last year, roughly 100,000 systems remained compromised.

According to the researchers, the actors behind “one of the most advanced server-side malware campaigns” are still at work, expanding the infection’s end goals, strategies, and targets.

According to Marc-Etienne M. Léveillé, senior malware researcher at ESET, who spent more than ten years researching Ebury, this advancement resulted in a highly potent and challenging to-stop malware.

Ebury was initially identified in 2014 with 25,000 compromised systems, and according to an ESET investigation, it endured takedown attempts and the developer’s penalty.

New servers are being compromised regularly, while some are being cleaned up or deactivated. It is hard to figure out the extent of the botnet at any given time because the data we have access to doesn’t show when the attackers lost access to the systems.

– states ESET

What exactly is the Ebury Botnet?

Since at least 2009, Ebury has been running as a malicious entity. It has produced a credential stealer and an OpenSSH backdoor that employ a bot network (botnet) to distribute several malware strains simultaneously.

The main target of the group is hosting providers. The Ebury botnet, Linux, FreeBSD, and OpenBSD servers can be compromised to implement web traffic redirection modules, use spam proxies, or launch adversary-in-the-middle attacks (AitM).

A white paper about Operation Windigo, a vicious effort that combined several malware families with the Ebury malware family at its center, was released by ESET in 2014.

Marc-Etienne M. Léveillé, observed the following: “We have documented cases where the Ebury actors could compromise thousands of servers at once.” Ebury knows no geographical bounds; compromised servers exist in nearly every nation. Numerous infected servers in the same data centers resulted from the hacking of a hosting provider.

In 2023, Ebury Set a New Record

As observed by the Ebury group’s notable rise in activity in 2023 over 2021, these changes in the group’s infection and monetization strategies appear to be paying off.

The ESET researchers stated, “The offenders keep track of the systems they compromise, and we used that data to draw a timeline of the number of new servers added to the botnet each month.”

The group’s activity in August 2023 broke previous records, with over 6000 hacked servers being identified in that month.

Since 2009, Ebury has infiltrated over 400,000 systems, and as of late 2023, over 100,000 servers remained infected.

Ebury’s Most Recent Strategies

Ebury has been encountered implementing adversary-in-the-middle attacks, attacking vulnerabilities such as CVE-2021-45467 and Dirty COW, and credential stuffing.

Ebury’s operators use a variety of strategies to make money, such as using malware such as HelimodSteal and HelimodRedirect. Still, more lately, they have turned to other things like credit card data theft and cryptocurrency.

According to recent Ebury attacks, the operators prefer to hack hosting providers and launch supply chain attacks against customers who rent virtual servers from the compromised provider.

Credential stuffing attacks implement the initial compromise, wherein compromised credentials are used to get into the servers.

The malware attempts to access other systems by stealing SSH authentication keys and exfiltrating a list of inbound and outbound SSH connections from wtmp and the known_hosts file after compromising a server.

Two million or more of the 4.8 million known_hosts entries Ebury operators collected had their hostname hashed. Among the hashed hostnames, 800,000 or 40% were guesses or brute forced.”

Furthermore, the attackers might use existing vulnerabilities in the servers’ software to increase their level of access or escalate their privileges.

Ebury can be deployed across several virtual environments or containers by utilizing the architecture of the hosting provider, such as OpenVZ or container hosts.

Using Address Resolution Protocol (ARP) spoofing to divert traffic to a server they control, the virus operators use the following phase to intercept SSH communication on the targeted servers within those data centers.

Ebury gets the login information when a user uses SSH to access a compromised server.

When Bitcoin wallets are hosted on servers, Ebury automatically empties them using the collected crtheyehaveals.

ESET claims that during 2023, Ebury used this technique to target at least 200 servers, including nodes for Ethereum and Bitcoin.

According to ESET, new domain generation algorithm (DGA) systems and obfuscation techniques were introduced in late 2023, enabling the botnet to avoid detection and become more resilient against blocks.

“Ebury presents a significant risk and difficulty for the Linux security community. While there isn’t an easy remedy that would render Ebury unsuccessful, a few mitigations can be used to minimize its impact and spread.

It’s important to understand that it only happens to people or organizations that give more thought to security. Large organizations and a great deal of tech-savvy people are on the list of victims,”- Léveillé adds.

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.