A professional cybercriminal group has attacked Linux servers by installing rootkits and backdoors on them through a vulnerability in web hosting software.
More specifically, attackers are breaking into Control Web Panel (formerly known as CentOS Web Panel), software that works on the same principle as the more well-known cPanel tool used by web hosting companies and large enterprises to host and manage large-scale server infrastructure.
Since at least February of this year, the cybercriminal group has been scanning the Internet for CWP installations. Using an exploit for the old vulnerability, it gains access to the administration panel and installs the Facefish backdoor, whose main purpose is to collect information about the device, execute arbitrary commands, and steal SSH credentials from the infected host.
The attacks, discovered by researchers at Juniper and Qihoo 360, also use a rare rootkit that the attackers install on compromised Linux servers to ensure persistence. However, despite the long time that has elapsed since the attacks began, virtually no activity has been observed on the compromised servers. For example, the hackers did not install cryptocurrency miners, as one might expect.
According to Juniper experts, the attackers’ goal was to create a botnet, and they intend to sell or rent access to the networks of the compromised companies to those who offer the best price. Since CWP is typically used to manage large and critical networks of servers, access to any such system will be highly valued by cybercriminals, in particular ransomware operators.
Neither Juniper nor Qihoo 360 reported the CVE identifier of the vulnerability in question (it is also unknown whether it has a CVE at all), but they did submit their exploits. Enterprise IT professionals using Control Web Panel can analyze these exploits and configure appropriate policies in their firewalls to protect against possible cyberattacks.
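The article describes two observable stages of the campaign: Internet-wide scanning for CWP installations and a subsequent login to the administration panel. Both leave traces in the panel's web-server access log, which gives defenders a detection point that does not depend on the undisclosed exploit details. The script below is an added example written for this article, not code from Juniper, Qihoo 360, or the CWP project. It parses access-log lines in the common "combined" format, ignores traffic from an assumed management allowlist, and flags external sources that probe the login path, that fail repeatedly (brute force), or that succeed after failures (a likely compromise). The login path `/login/`, the allowlist range, and the log lines themselves are constructed assumptions; confirm the real path and ranges on your own installation.

```python
"""Flag suspicious access to a CWP-style admin login from web-server access logs.

Added example (not from the original article or the CWP project).
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Combined/common log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: the panel's login endpoint is served under this prefix (verify on your install).
LOGIN_PATH_PREFIX = "/login/"

# Assumption: administrators only connect from this range; adapt to your environment.
MANAGEMENT_ALLOWLIST = [ip_network("10.0.0.0/8")]

# Constructed sample log (documentation IP ranges, not real traffic): one legitimate
# admin login, one external probe, and one external brute-force run that eventually succeeds.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2021:09:01:10 +0000] "GET /login/index.php HTTP/1.1" 200 5120
10.0.0.5 - - [12/Jun/2021:09:01:14 +0000] "POST /login/index.php HTTP/1.1" 302 0
198.51.100.9 - - [12/Jun/2021:09:05:00 +0000] "GET /login/ HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jun/2021:09:07:01 +0000] "POST /login/index.php HTTP/1.1" 401 312
203.0.113.7 - - [12/Jun/2021:09:07:02 +0000] "POST /login/index.php HTTP/1.1" 401 312
203.0.113.7 - - [12/Jun/2021:09:07:03 +0000] "POST /login/index.php HTTP/1.1" 401 312
203.0.113.7 - - [12/Jun/2021:09:07:09 +0000] "POST /login/index.php HTTP/1.1" 302 0
not a log line
"""


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(ip_str, allowlist):
    """True if the source address falls inside one of the allowlisted networks."""
    try:
        ip = ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in allowlist)


def analyze(log_text, allowlist=MANAGEMENT_ALLOWLIST, fail_threshold=3):
    """Summarise login-path activity from sources outside the allowlist.

    Returns a dict with:
      unknown_sources        -> {ip: number of login-path requests}
      brute_force            -> ips with >= fail_threshold failed POSTs (401/403)
      success_after_failures -> ips whose POST succeeded (200/302) after earlier failures
    """
    hits = defaultdict(int)
    failures = defaultdict(int)
    success_after = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(LOGIN_PATH_PREFIX):
            continue
        ip = rec["ip"]
        if is_allowed(ip, allowlist):
            continue
        hits[ip] += 1
        if rec["method"] != "POST":
            continue
        if rec["status"] in (401, 403):
            failures[ip] += 1
        elif rec["status"] in (200, 302) and failures[ip] > 0 and ip not in success_after:
            success_after.append(ip)
    brute = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {
        "unknown_sources": dict(hits),
        "brute_force": brute,
        "success_after_failures": success_after,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the constructed sample, the brute-force source is reported both as a brute-force candidate and as a success-after-failures source; the latter is the case that warrants an incident-response check of the server (new SSH keys, unexpected kernel modules, unknown listening processes) rather than only a firewall block. Feeding the script a real log means pointing it at the panel's access log and replacing the allowlist with the management ranges actually used.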