Two days ago, security firm ESET exposed Windigo, a sophisticated malware campaign that has hijacked more than 25,000 UNIX servers worldwide since 2011. The hijacked servers are being used in a coordinated criminal effort to send spam, infect web users' computers through drive-by downloads, and redirect traffic to ad networks.
What's interesting about Windigo is that it relied entirely on stolen credentials and did not appear to exploit any known vulnerability. According to ESET, the attackers harvested SSH user credentials to expand their operation and infect additional servers.
The SSH credentials were intercepted at the point of use on each victim: either when a user logged in to an infected server, or when a compromised server was itself used as a client to log in to any other system.
Once the attackers held the credentials, they could test what level of privilege each one granted and proceed accordingly. ESET's research shows that 42 percent of the stolen credentials carried root privileges.
Root access not only gives the attacker full control of the affected host, it also lets them deploy additional backdoors and erase the files and logs that would record their activity.
We've blogged about this many times, but Windigo is the latest example of why attackers make privileged and administrative accounts their number one target when attacking an organization, and why exploiting privileged accounts is at the heart of every advanced attack: these credentials let attackers take over an organization's infrastructure and attack it from the inside.
So far, attackers have taken over more than 25,000 Linux servers worldwide to create a botnet army of more than 32 million. Considering that Linux servers host more than 60 percent of the world's websites, this is a potentially very serious problem, and the resulting spread could be far broader than initially anticipated.
If you're a sysadmin or webmaster, take this threat seriously: anyone running Linux servers should check whether they've been infected.
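ESET's Windigo report included a one-line check for the backdoored OpenSSH binary, which silently accepts an undocumented -G option that a clean 2014-era OpenSSH rejects. The following is an added example, not part of the original post, that wraps that published check in a function so its classification logic can be exercised on constructed sample output. Caveat for anyone reading this later: OpenSSH 6.8 (2015) and newer implement a legitimate -G flag, so on a modern system the check reports "infected" for every host and is no longer meaningful on its own.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the one-line check
# ESET published with its Windigo report: a backdoored OpenSSH client accepts
# an undocumented "-G" option, while a clean OpenSSH of that era rejects it
# with "illegal option" or "unknown option".
#
# Caveat: OpenSSH 6.8 (2015) and later have a real -G flag, so this check
# produces a false "infected" result on any modern system.

# Classify the combined stdout/stderr of `ssh -G`: echoes "clean" when the
# binary rejected the option, "infected" when it silently accepted it.
classify_ssh_g_output() {
  if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
    echo clean
  else
    echo infected
  fi
}

# Run the actual check against the local ssh binary, exactly as ESET wrote it
# (ssh -G 2>&1 | grep -e illegal -e unknown ...), via the classifier above.
check_local_ssh() {
  classify_ssh_g_output "$(ssh -G 2>&1)"
}

# Constructed sample outputs, for illustration only.
SAMPLE_CLEAN='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_INFECTED=''   # the backdoor accepts -G and prints nothing

# Uncomment to test the host you are sitting on (see caveat above):
# check_local_ssh
```

Run `check_local_ssh` only on hosts whose OpenSSH predates 6.8; on anything newer, compare package checksums against your distribution's repository instead of relying on this heuristic.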
To prevent attacks of this nature, administrative access should be isolated from the target servers and devices: route all administrative traffic through a jump server that serves as a single control point, so that attackers cannot bypass privileged account protection and a compromised server cannot be used as a springboard to log in to others. In addition, enforce the principle of least privilege on Linux servers through a unified access control point, so that a stolen credential cannot be used to run privileged commands it was never authorized for.
CyberArk works with companies around the globe to prevent exactly these types of attacks. Reach out if you're concerned there might be an issue in your infrastructure, and we'll see if we can help.
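The two controls described above can be expressed in plain OpenSSH and sudo configuration. The following is an added example, not code from the original post or from any vendor product; the hostnames (bastion.example.net, *.prod.example.net), the bastion address 10.0.0.10, the admin user and the nginx commands are assumptions chosen for illustration. It writes a client config that forces every admin session through the jump host without agent forwarding, an sshd_config for the targets that accepts admin logins only from the jump host with no passwords and no root login, a least-privilege sudoers fragment, and a small audit function that flags the settings which let a stolen password or root credential be replayed.

```shell
#!/bin/sh
# Added example (not from the original post or any vendor product).
# All hostnames, addresses and command paths below are assumptions.

# 1. Client side: every admin session hops through the bastion via ProxyJump
#    (OpenSSH 7.3+). ForwardAgent stays off: a backdoored sshd on any hop
#    could otherwise borrow the agent to authenticate onward as the admin.
write_client_config() {
  cat > "$1" <<'EOF'
Host bastion
    HostName bastion.example.net
    User admin
    IdentityFile ~/.ssh/id_ed25519_admin
    IdentitiesOnly yes
    ForwardAgent no

Host *.prod.example.net
    ProxyJump bastion
    User admin
    IdentityFile ~/.ssh/id_ed25519_admin
    IdentitiesOnly yes
    ForwardAgent no
    PasswordAuthentication no
EOF
}

# 2. Target servers: admin may only arrive from the bastion (assumed
#    10.0.0.10), root cannot log in directly, and passwords are refused, so a
#    trojaned ssh client on a compromised host has nothing reusable to capture.
write_sshd_config() {
  cat > "$1" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin@10.0.0.10
EOF
}

# 3. Least privilege on the target: web admins get exactly the commands their
#    job needs instead of a shared root credential.
write_sudoers_fragment() {
  cat > "$1" <<'EOF'
Cmnd_Alias WEB_OPS = /bin/systemctl restart nginx, /bin/systemctl status nginx, /usr/bin/journalctl -u nginx
%webadmins ALL=(root) WEB_OPS
EOF
}

# 4. Audit an sshd_config: returns 0 when neither weak setting is present,
#    1 otherwise. sshd applies the first occurrence of a directive, so the
#    effective value is the first match; a missing directive counts as weak
#    because sshd's defaults permit password and root logins.
audit_sshd_config() {
  weak=0
  _effective() {
    awk -v k="$2" 'tolower($1)==tolower(k){print tolower($2); exit}' "$1"
  }
  [ "$(_effective "$1" PermitRootLogin)" = no ] || { echo "weak: PermitRootLogin not 'no'"; weak=1; }
  [ "$(_effective "$1" PasswordAuthentication)" = no ] || { echo "weak: PasswordAuthentication not 'no'"; weak=1; }
  return $weak
}

# Usage (writes into a scratch directory rather than touching the live system):
# d=$(mktemp -d); write_sshd_config "$d/sshd_config"; audit_sshd_config "$d/sshd_config"
```

Run `audit_sshd_config /etc/ssh/sshd_config` on each target; a clean result plus the `AllowUsers` restriction means a credential captured on one compromised server cannot be replayed from that server against its neighbours, which is exactly the propagation path the Windigo attackers used.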