Long-Running Ebury Botnet Malware Resurfaces, Has Infected 400,000 Linux Hosts

TapTechNews, May 16 report: security company ESET recently published a report stating that the long-running Ebury botnet malware has resurfaced; the botnet has been active since 2009 and has infected approximately 400,000 Linux hosts.

Researchers analyzed the botnet's recent activity and found that the attackers prefer to target VPS hosting providers, then mount a supply-chain attack on the customers who rent virtual machines from that provider.

According to the report, the attackers mainly use leaked databases to break into servers. Once they have obtained access to a target host, they deploy a set of SSH-related scripts and try to harvest keys associated with the VPS, which are then used to attempt access to further servers. Researchers also found that the attackers escalate privileges on servers whose software vulnerabilities have not been patched promptly.

Once they control the victim server, the attackers use Address Resolution Protocol (ARP) spoofing to redirect the victim server's SSH traffic to a server they control, intercepting account passwords when third-party users log in to the services hosted on the victim server, which in turn enables further password guessing.
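As an added illustration that is not part of the ESET report or this article, the following is a defender-side check for the ARP redirection described above: it parses constructed ARP reply lines in the shape of `tcpdump -n arp` output and flags any IP whose MAC address changes, as well as one MAC claiming several IPs. The addresses and the gateway role of 10.0.0.1 are assumptions.

```python
"""Flag IP-to-MAC changes in ARP replies, the network-side signature of the
ARP spoofing used to redirect SSH traffic to an attacker-controlled host."""
import re
from collections import defaultdict

# Constructed sample lines in the shape of `tcpdump -n arp` output on a VPS
# segment; 10.0.0.1 is assumed to be the gateway, the other hosts are tenants.
SAMPLE_ARP_LOG = """\
12:00:01.000100 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28
12:00:01.000300 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02.100000 ARP, Reply 10.0.0.7 is-at aa:bb:cc:00:00:07, length 28
12:01:10.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
12:01:11.000000 ARP, Reply 10.0.0.7 is-at de:ad:be:ef:00:99, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\S*\s+ARP,\s+Reply\s+(?P<ip>[\d.]+)\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests are ignored."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_conflicts(events, critical_ips=()):
    """Return (severity, timestamp, message) alerts for every IP whose MAC
    changes between replies, and for any MAC that claims more than one IP.
    A change on a critical IP (e.g. the gateway) is rated critical."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in events:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "critical" if ip in critical_ips else "warning"
            alerts.append((sev, ts, f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("warning", ts, f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(parse_arp_replies(SAMPLE_ARP_LOG), {"10.0.0.1"}):
        print(*alert)
```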

Researchers also found that the attackers use the botnet to distribute additional malware, including HelimodProxy, which turns the victim server into a proxy; HelimodRedirect, for traffic redirection; HelimodSteal, for recording the contents of web forms; KernelRedirect, for redirecting website visitors to malicious URLs; and FrizzySteal, for intercepting HTTP requests. Researchers therefore urge VPS providers to guard against such intrusions.