NC4-ALR-2024-000006 : Ebury Botnet Infection on Linux Server in Malaysia
Introduction

The National Cyber Coordination and Command Centre (NC4) continuously monitors the cyber security threat level in Malaysia. In collaboration with international law enforcement agencies and the Royal Malaysia Police (PDRM), NC4 has detected substantial activity associated with the Ebury botnet. This advanced malware has infected more than 400,000 Linux servers worldwide since its identification in 2009. The botnet is of particular concern because it harvests SSH credentials, facilitates cryptocurrency theft and generates financial gain for the threat actors. NC4 reminds system administrators and network administrators to implement adequate cyber security measures immediately so that systems and networks remain secured at all times.

Impact

• Unauthorised remote access to compromised servers
• Theft of SSH credentials
• Potential for cryptographic key theft and misuse
• Financial losses due to cryptomining and other unauthorised activities
• Degraded system performance and network bandwidth

Brief Description

The Ebury botnet, also known as “Operation Windigo”, has been active for over a decade, compromising Linux servers through an SSH backdoor. Once installed, Ebury grants attackers persistent access to infected systems, allowing them to steal credentials, redirect web traffic and monetise compromised servers through various malicious activities. It has also been observed that:

  • Over 400,000 Linux servers have been infected since 2009.
  • Ebury malware remains active and largely undetected on many systems.
  • The primary motives behind the botnet’s operations include credential theft, cryptomining and generating financial gain through traffic redirection and spam campaigns.


According to information provided by an international law enforcement agency, the domain linked to the botnet is no longer active. NC4 has received a list of infected hosts in Malaysia and has conducted an assessment. It has been confirmed that the majority of the infected hosts have been cleaned up. However, NC4 strongly advises all Malaysian organisations to implement essential preventive measures to protect against future attacks.

System Affected

• Linux servers with open, public-facing SSH ports
• Systems without robust SSH key management
• Outdated Linux distributions or those lacking recent security patches

Recommendation

Organisations are advised to be vigilant and to take the following actions:

  1. Patch and Update: Ensure all Linux servers are up to date with the latest security patches and updates.
  2. SSH Hardening: Implement strong SSH security practices, including the use of key-based authentication and disabling password-based logins.
  3. Credential Management: Regularly rotate SSH keys and monitor for unauthorised key usage.
  4. Network Segmentation: Isolate critical systems from those exposed to the internet or less secure environments.
  5. Monitoring and Logging: Enhance system monitoring and logging to detect unusual activities and potential indicators of compromise.
  6. Incident Response: Develop and maintain an incident response plan tailored to handle Ebury infections and other similar threats.
  7. Reporting: Report any anomalies happening within your network and enterprise environment to NC4.
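The following script is an added example, not NC4 tooling, showing how an administrator can verify recommendations 2 and 3 on a host: it reports the effective sshd settings that still allow password or root logins, and lists authorized_keys entries that are not on an approved list. It assumes OpenSSH configuration semantics (sshd uses the first value it reads for each keyword) and ignores Match blocks; the sample config and key lines it runs on are constructed.

```shell
#!/bin/sh
# Added example (not NC4's own tooling). Assumes OpenSSH semantics: for each
# keyword sshd uses the FIRST value it reads, so a later duplicate is ignored.
# Match blocks are not evaluated here; review them separately.

# Print the effective value (lower-cased) of keyword $2 in sshd_config $1,
# falling back to default $3 when the keyword is never set or only commented out.
effective_setting() {
    val=$(sed -n '/^[[:space:]]*[Mm]atch[[:space:]]/q; p' "$1" \
        | grep -iE "^[[:space:]]*$2[[:space:]]+" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-$3}" | tr 'A-Z' 'a-z'
}

# Print one line per weak setting found in sshd_config $1; return 1 if any, else 0.
weak_sshd_settings() {
    found=0
    [ "$(effective_setting "$1" PasswordAuthentication yes)" = yes ] \
        && { echo "PasswordAuthentication yes"; found=1; }
    # Keyboard-interactive (PAM) logins still accept passwords even when
    # PasswordAuthentication is off; older configs call it ChallengeResponseAuthentication.
    old=$(effective_setting "$1" ChallengeResponseAuthentication yes)
    [ "$(effective_setting "$1" KbdInteractiveAuthentication "$old")" = yes ] \
        && { echo "KbdInteractiveAuthentication yes"; found=1; }
    [ "$(effective_setting "$1" PermitRootLogin prohibit-password)" = yes ] \
        && { echo "PermitRootLogin yes"; found=1; }
    return $found
}

# Print each key line of authorized_keys $1 whose "type blob" pair is not an exact
# line in approved list $2. The key type is the first field starting with
# ssh-/ecdsa-/sk-, so leading option strings such as command="..." are skipped.
unapproved_keys() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | while read -r line; do
        id=$(printf '%s\n' "$line" \
            | awk '{for(i=1;i<NF;i++) if($i ~ /^(ssh-|ecdsa-|sk-)/){print $i" "$(i+1); exit}}')
        [ -n "$id" ] && grep -qxF -- "$id" "$2" || printf '%s\n' "$line"
    done
}

# Demo on constructed inputs (key blobs are placeholders, not real keys).
tmp=$(mktemp -d)
printf '%s\n' '# PasswordAuthentication no' 'PermitRootLogin yes' \
    'Match User backup' '    PasswordAuthentication no' > "$tmp/sshd_config"
printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 admin@corp' \
    'command="/bin/true" ssh-rsa AAAAB3CONSTRUCTEDKEY2 unknown' > "$tmp/authorized_keys"
printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY1' > "$tmp/approved_keys"
weak_sshd_settings "$tmp/sshd_config" || echo "--> weak sshd settings found"
unapproved_keys "$tmp/authorized_keys" "$tmp/approved_keys"
rm -rf "$tmp"
```

Run it against /etc/ssh/sshd_config and each user's ~/.ssh/authorized_keys with a maintained approved-key list; the commented-out PasswordAuthentication line in the demo shows why checking the effective value, not just the presence of a line, matters.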

References

ESET Research, "Ebury is alive but unseen": https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/

BleepingComputer, "Ebury botnet malware infected 400,000 Linux servers since 2009": https://www.bleepingcomputer.com/news/security/ebury-botnet-malware-infected-400-000-linux-servers-since-2009/
