Xbash Malware Targets Windows and Linux with Ransomware and Cryptomining
Newly identified Xbash malware is targeting weak passwords and unpatched vulnerabilities on Linux and Windows systems to launch ransomware or cryptomining attacks.
Hintergrund
Unit 42, Palo Alto Network’s research team, recently blogged about a new malicious software (malware) family it’s calling Xbash. This newly identified malware targets Linux and Windows systems that have weak passwords and unpatched vulnerabilities.
On Linux systems, Xbash will identify and delete MySQL, MongoDB and PostgreSQL databases and then seek ransom payment from victims. On Windows systems, it will initiate cryptomining and self-propagate. Organizations should be aware Xbash has no functionality to restore the deleted databases, so there is no use in paying the ransom.
Vulnerability details
Xbash targets two unpatched vulnerabilities and one patched vulnerability. The first unpatched vulnerability is an unauthenticated command execution vulnerability in Apache Hadoop YARN, which was first discovered in October 2016 but has no CVE. The second unpatched vulnerability is a remote code execution vulnerability in Redis, which was first discovered in November 2015 and also has no CVE. Lastly, the patched vulnerability, CVE-2016-3088, is an arbitrary file write vulnerability in Apache ActiveMQ.
Urgently required actions
To protect against the Xbash malware, we advise organizations to ensure they’re using strong and unique passwords across the board. Because two vulnerabilities remain unpatched, it is important to identify vulnerable assets and ensure they’re protected by an endpoint security product. As there is a patch available for Apache ActiveMQ, organizations should ensure they’re applying patches regularly. Finally, because Xbash targets and deletes databases, organizations should back up databases regularly and segregate them from other systems on the network.
Identifizieren betroffener Systeme
Tenable has the following plugins available to scan for applications targeted by the Xbash malware family.
|
Plugin ID |
Description |
|
Redis Server Unprotected by Password Authentication |
|
|
Redis Server Detection |
|
|
Apache ActiveMQ 5.x < 5.14.0 ActiveMQ Fileserver web application remote code execution (Xbash) |
|
|
Apache Hadoop YARN ResourceManager Unauthenticated RCE (Remote) |
Get more information:
- Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
- Cryptocurrency-Mining Malware: 2018’s New Menace?
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Navigating Security Challenges Around OT in the DoD’s Manufacturing Lines
April 15, 2024How operational technology can revolutionize logistics, supply chain management, and overall efficiency.
