A new variant of the Gafgyt botnet has recently been discovered by cybersecurity researchers. According to media reports, the botnet is targeting machines with weak SSH passwords in order to mine cryptocurrency. In this article, we’ll dive into the details of the Gafgyt botnet and learn more about the attacks. Let’s begin!
The Gafgyt botnet, also known as BASHLITE, Lizkebab, and Torlus, has been used in attacks since 2014. Since its inception, the botnet has had a history of exploiting weak or default credentials.
These credentials allow the attackers to gain control of a wide range of devices, including routers, cameras, and digital video recorders (DVRs). Apart from credential abuse, the Gafgyt botnet is also capable of exploiting security flaws in devices from Dasan, Huawei, Realtek, SonicWall, and Zyxel to carry out its malicious activities.
Providing further details about the botnet’s targeting, Aqua Security researcher Assaf Morag stated that:
“IoT botnet is targeting more robust servers running on cloud-native environments.”
Reports claim that the infected devices are assembled into a network capable of launching distributed denial-of-service (DDoS) attacks. A connection between the Gafgyt botnet and a threat actor group called Keksec has also been made.
It’s worth mentioning here that such botnets are constantly evolving, adding new features and using the Tor network to hide their malicious online activity. In addition, the emergence of newer Gafgyt variants stems from its source code being leaked online in 2015.
The latest attacks launched using the Gafgyt botnet involve brute-forcing SSH servers with weak passwords. Once a password is guessed, the threat actors deploy next-stage payloads that facilitate crypto mining, using a payload named “systemd-net.” Before the miner is started, however, any competing malware already running on the compromised host is terminated.
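The brute-force stage described above leaves a very recognisable trace in the SSH daemon's log: a burst of "Failed password" lines from one address, followed by an "Accepted password" from the same address once a weak password is guessed. The following detector is an added example written for this article; it is not code from TuxCare, Aqua Security or the Gafgyt report. The log lines are constructed to resemble OpenSSH syslog output, and the threshold of five failures within sixty seconds is an assumption a defender would tune.

```python
"""Detect SSH password brute-forcing and brute-force-then-login in OpenSSH
auth log lines (syslog or journald text).

Added example: not code from TuxCare, Aqua Security or the Gafgyt report.
SAMPLE_LOG is constructed; the 5-failures-in-60-seconds threshold is an
assumption a defender would tune for their environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH syslog line: "Mon DD HH:MM:SS host sshd[pid]: <message>"
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from " + _IP + r" port \d+")
# Only *password* successes count: a publickey login after a few failures
# is not a cracked password and must not trip the alert.
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted password for (?P<user>\S+) from " + _IP + r" port \d+")

# Constructed sample: 203.0.113.7 (RFC 5737 test range) guesses root's
# password on a GPU node, then a legitimate user mistypes once.
SAMPLE_LOG = """\
Aug 12 03:14:01 gpu-node1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 12 03:14:03 gpu-node1 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Aug 12 03:14:05 gpu-node1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Aug 12 03:14:06 gpu-node1 sshd[2207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Aug 12 03:14:08 gpu-node1 sshd[2209]: Failed password for root from 203.0.113.7 port 51060 ssh2
Aug 12 03:14:10 gpu-node1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51066 ssh2
Aug 12 03:20:44 gpu-node1 sshd[2290]: Failed password for alice from 198.51.100.23 port 40110 ssh2
Aug 12 03:20:50 gpu-node1 sshd[2292]: Accepted publickey for alice from 198.51.100.23 port 40112 ssh2
"""


def _parse_ts(text):
    # Syslog timestamps carry no year; differences within a day are still right.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def _peak_in_window(times, window_seconds):
    """Largest number of events that fall inside any window_seconds span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, threshold=5, window_seconds=60):
    """Return alert dicts of two kinds:
    brute_force               -> >= threshold failures from one IP in a window
    success_after_brute_force -> a password login from an IP that just did so
    """
    failures = defaultdict(list)  # ip -> [(timestamp, username_tried)]
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            when = _parse_ts(m["ts"])
            recent = [u for t, u in failures.get(m["ip"], [])
                      if 0 <= (when - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                alerts.append({"kind": "success_after_brute_force", "ip": m["ip"],
                               "user": m["user"], "failures_before_login": len(recent),
                               "users_tried": sorted(set(recent))})
    for ip, events in failures.items():
        peak = _peak_in_window([t for t, _ in events], window_seconds)
        if peak >= threshold:
            alerts.append({"kind": "brute_force", "ip": ip,
                           "peak_failures_in_window": peak,
                           "users_tried": sorted({u for _, u in events})})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one worth paging on: a burst of failures is background noise on any internet-facing host, but a password login from the same address inside the window is the moment the box was actually taken, and it is the point at which to look for a new process tree (the report's miner and worming module) under the account that logged in.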
The attack chain also includes a worming module, ld-musl-x86, which scans the internet for servers with weak security and propagates the malware to other devices. Shedding light on the crypto miner used in the attacks, Morag stated that:
“The cryptominer in use is XMRig, a Monero cryptocurrency miner. However, in this case, the threat actor is seeking to run a cryptominer using the --opencl and --cuda flags, which leverage GPU and Nvidia GPU computational power. This, combined with the fact that the threat actor’s primary impact is crypto-mining rather than DDoS attacks, supports our claim that this variant differs from previous ones. It is aimed at targeting cloud-native environments with strong CPU and GPU capabilities.”
In addition, media reports indicate that over 30 million SSH servers are publicly accessible on the internet. This makes it essential for administrators to deploy protection measures against brute-force attacks, starting with the SSH daemon's own configuration.
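The cheapest protection against this campaign is to make a password guess impossible rather than merely slow: turn off password and keyboard-interactive authentication, lock root out, and cap attempts per connection. The audit below is an added example for this article, not code from TuxCare, Aqua Security or OpenSSH. Both configuration texts are constructed; the acceptable values and the MaxAuthTries limit of 3 are the reviewer's hardening choices, while the DEFAULTS table records what sshd assumes when a keyword is absent, per the sshd_config(5) man page. It deliberately reproduces one sshd parsing rule that trips people up: for each keyword the first value in the file wins, so a `PasswordAuthentication no` appended after an incident has no effect if an earlier `yes` is still there.

```python
"""Audit an OpenSSH sshd_config for the settings that decide whether a
password brute-force can succeed at all.

Added example: not code from TuxCare, Aqua Security or OpenSSH. The two
config texts are constructed. Acceptable values and the MaxAuthTries limit
are this reviewer's hardening choices; the DEFAULTS table records what
sshd assumes when a keyword is absent (per the sshd_config(5) man page).

Parsing mirrors sshd's own rules: comments and blank lines are skipped,
keywords are case-insensitive, and for each keyword the FIRST value wins,
so a fix appended at the bottom of the file changes nothing. Directives
after a Match line are conditional and are not audited here.
"""

MAX_AUTH_TRIES_LIMIT = 3  # assumption: stricter than sshd's default of 6

# keyword -> (acceptable values, why it matters); None = numeric check
EXPECTED = {
    "passwordauthentication": ({"no"}, "password logins are what gets brute-forced"),
    "kbdinteractiveauthentication": ({"no"}, "keyboard-interactive usually proxies PAM passwords"),
    "permitrootlogin": ({"no", "prohibit-password"}, "root is the account bots try first"),
    "permitemptypasswords": ({"no"}, "an empty password needs no guessing"),
    "maxauthtries": (None, "caps password guesses per connection"),
}
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Constructed: the state a brute-forced box is often found in. Note the
# "fix" at the bottom that never took effect.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config on a GPU build node
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
# added after an incident -- ignored, sshd keeps the first value above
PasswordAuthentication no
"""

# Constructed: the corrected file. Key-only auth, root locked out, and
# a Match block whose contents apply only to one group.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
Match Group sftponly
    ForceCommand internal-sftp
"""


def effective_settings(config_text):
    """Top-level keyword -> value as sshd would resolve it (first wins)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional scope begins; stop auditing top-level values
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(config_text):
    """Return human-readable findings; an empty list means all checks pass."""
    findings = []
    settings = effective_settings(config_text)
    for key, (allowed, why) in EXPECTED.items():
        explicit = key in settings
        value = settings[key] if explicit else DEFAULTS[key]
        if allowed is None:
            bad = not value.isdigit() or int(value) > MAX_AUTH_TRIES_LIMIT
        else:
            bad = value not in allowed
        if bad:
            origin = "set" if explicit else "default"
            findings.append(f"{key}={value} ({origin}): {why}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run it against the output of `sshd -T` rather than the raw file: that prints the effective configuration with `Include` fragments already merged and keywords in lowercase, which this parser accepts unchanged. On OpenSSH releases older than 8.7 the keyboard-interactive keyword is still spelled `ChallengeResponseAuthentication`, so add that name to the tables if you audit such hosts.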
The Gafgyt botnet continues to evolve, now exploiting weak SSH passwords for crypto mining in cloud-native environments. With over 30 million publicly accessible SSH servers, it’s crucial for organizations to deploy robust security measures, prevent unauthorized access, and protect their infrastructure from such advanced and persistent threats.
The sources for this piece include articles in The Hacker News and VPN Ranks.
The post Gafgyt Botnet: Weak SSH Passwords Targeted For GPU Mining appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/gafgyt-botnet-weak-ssh-passwords-targeted-for-gpu-mining/