Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Linux Servers. Show all posts
Palo Alto Networks
Botnet Botnet attack cryptocurrency mining Cyber Attacks Evasion Tactics Linux Linux Malware Linux Security Linux Servers Malware attacks Palo Alto Palo Alto Networks

Palo Alto Detects New Prometei Botnet Attacks Targeting Linux Servers

Cybersecurity analysts from Palo Alto Networks’ Unit 42 have reported a resurgence of the Prometei botnet, now actively targeting Linux systems with new, upgraded variants as of March 2025. Originally discovered in 2020 when it was aimed at Windows machines, Prometei has since expanded its reach. 

Its Linux-based malware strain has been in circulation since late 2020, but recent versions—designated as 3.x and 4.x—demonstrate significant upgrades in their attack capabilities. The latest Prometei malware samples are equipped with remote control functionality, domain generation algorithms (DGA) to ensure connection with attacker-controlled servers, and self-updating systems that help them remain undetected. This renewed activity highlights the botnet’s growing sophistication and persistent threat across global networks. 

At its core, Prometei is designed to secretly mine Monero cryptocurrency, draining the resources of infected devices. However, it also engages in credential harvesting and can download additional malicious software depending on the attacker’s goals. Its modular framework allows individual components to carry out specific tasks, including brute-force attacks, vulnerability exploitation (such as EternalBlue and SMB bugs), mining operations, and data exfiltration. 

The malware is typically delivered via HTTP GET requests from rogue URLs like hxxp://103.41.204[.]104/k.php. Prometei uses 64-bit Linux ELF binaries that extract and execute payloads directly in memory. These binaries also carry embedded configuration data in a JSON format, containing fields such as encryption keys and tracking identifiers, making them harder to analyze and block. 

Once a system is compromised, the malware collects extensive hardware and software information—CPU details, OS version, system uptime—and sends this back to its command-and-control (C2) servers, including addresses like hxxp://152.36.128[.]18/cgi-bin/p.cgi. Thanks to DGA and self-update features, Prometei ensures consistent communication with attacker infrastructure and adapts to security responses on the fly.  

To defend against these threats, Palo Alto Networks advises using advanced detection tools such as Cortex XDR, WildFire, and their Advanced Threat Prevention platform. These technologies utilize real-time analytics and machine learning to identify and contain threats. Organizations facing a breach can also contact Palo Alto’s Unit 42 incident response team for expert help. 

The activity observed from March to April 2025 underlines the continued evolution of the Prometei botnet and the growing risk it poses to businesses relying on Linux environments. Strengthening cybersecurity protocols and remaining alert to new threats is essential in today’s threat landscape.
Read more »
Software
Data Loss GitHub Linux Servers malware Software

Linux Servers Under Attack: Hidden Malware Found in Fake Go Packages

 


Cybersecurity experts have discovered a new attack that targets Linux systems using fake programming tools. These harmful tools were shared on GitHub, a popular website where developers post and download code. Inside these fake packages was dangerous malware designed to completely erase everything on a computer's hard drive.


How the Attack Works

The attackers used a type of programming module written in Go (Golang), a language often used by developers for creating server software. They uploaded three of these modules to GitHub, pretending they were useful tools for developers. However, once someone downloaded one of these modules, it secretly contacted another server and downloaded a harmful script without the user's knowledge.

This script, once running, carried out a destructive command that wipes out all the data on the system’s main storage device. It replaces the existing information with zeroes, which makes the system completely unusable and all files impossible to recover. The attack is aimed directly at Linux computers and servers, and it checks to make sure it is running on a Linux system before carrying out the harmful actions.


What Was Affected

The three fake Go modules uploaded to GitHub had names that made them look like real software. They were:

• github[.]com/truthfulpharm/prototransform

• github[.]com/blankloggia/go-mcp

• github[.]com/steelpoor/tlsproxy

Each of these was designed to look like a normal tool. One claimed to help with data formatting, another with secure communications. Because they seemed helpful, developers could have easily included them in their projects without realizing they were dangerous.


Why This Is a Serious Threat

This type of attack is especially harmful because it wipes the entire system. It doesn't just delete files — it destroys the operating system, settings, and everything else on the main disk. Once this happens, the machine cannot be restarted, and the data cannot be brought back.

Also, since the Go programming environment allows many developers to use similar names for packages, attackers can upload fake versions that look almost like the real thing. This makes it harder for users to tell the difference.


What Can Be Done

Developers should be careful when downloading code or tools from the internet. They should only use software from trusted and verified sources. Before adding a new module to a project, it's important to research it and check whether it comes from a reliable developer.

This attack is a reminder that even trusted platforms like GitHub can be misused, and that one wrong download can lead to total data loss. Staying alert and verifying software before use is the best way to stay safe.

Read more »
Vulnerabilities and Exploits
Android App Safety Apple Bluetooth GitHub Linux Linux Servers macOS Vulnerabilities and Exploits

Bluetooth Security Flaw Strikes Apple, Linux, and Android Devices

Vulnerabilities in the constantly changing technology landscape present serious risks to the safety of our online lives. A significant Bluetooth security weakness that affects Apple, Linux, and Android devices has recently come to light in the cybersecurity community, potentially putting millions of users at risk of hacking.

The flaw, identified as CVE-2023-45866, was first brought to light by security researchers who detected a potential loophole in the Bluetooth communication protocol. The severity of the issue lies in its capability to allow hackers to take control of the targeted devices, potentially leading to unauthorized access, data theft, and even remote manipulation.

Security experts from SkySafe, a renowned cybersecurity firm, delved into the intricacies of the vulnerability and disclosed their findings on GitHub. If successfully employed, the exploit could lead to a myriad of security breaches, prompting urgent attention from device manufacturers and software developers alike.

Apple, a prominent player in the tech industry, was not exempt from the repercussions of this Bluetooth bug. The flaw could potentially enable hackers to hijack Apple devices, raising concerns among millions of iPhone, iPad, and MacBook users. Apple, known for its commitment to user security, has been swift in acknowledging the issue and is actively working on a patch to mitigate the vulnerability.

Linux, an open-source operating system widely used across various platforms, also faced the brunt of this security loophole. With a significant user base relying on Linux for its robustness and versatility, the impact of the Bluetooth flaw extends to diverse systems, emphasizing the urgency of a comprehensive solution.

Android, the dominant mobile operating system, issued a security bulletin addressing the Bluetooth vulnerability. The Android Security Bulletin for December 2023 outlined the potential risks and provided guidance on necessary patches and updates. As the flaw could compromise the security of Android devices, users are strongly advised to implement the recommended measures promptly.

Cybersecurity experts stated, "The discovery of this Bluetooth vulnerability is a stark reminder of the constant vigilance required in the digital age. It underscores the importance of prompt action by manufacturers and users to ensure the security and integrity of personal and sensitive information."

This Bluetooth security issue serves as a grim reminder of the ongoing fight against new cyber threats as the tech world struggles with its implications. In order to strengthen its commitment to a secure digital future, the IT industry is working together with developers, manufacturers, and consumers to quickly identify and fix vulnerabilities.

Read more »
Vulnerabilities and Exploits
Chinese Actors Linux Malware Linux Servers Malicious actor Ransomware Attacks. VMware ESXi Vulnerabilities and Exploits

Qilin Ransomware Strikes VMware ESXi

The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a targeted and advanced strategy that particularly targets virtualized systems.

Qilin, a mythical creature in Chinese folklore, has taken its name seriously in the cyber realm, wreaking havoc on Linux-based systems. The malware, as detailed in reports from leading cybersecurity sources like Bleeping Computer and Linux Security, has honed in on VMware ESXi, a widely used virtualization platform.

The Qilin ransomware has raised concerns due to its ability to compromise the core infrastructure of organizations. VMware ESXi, being a popular choice for virtualization in data centers, has become a prime target. The attackers employ advanced techniques to exploit vulnerabilities in ESXi servers, encrypting critical data and demanding a ransom for its release.

GridinSoft, a cybersecurity company, has provided insights into the modus operandi of Qilin. Their analysis reveals the ransomware's deliberate focus on virtual machines, particularly those hosted on VMware ESXi. The attackers leverage vulnerabilities in ESXi versions, emphasizing the need for organizations to update and patch their systems promptly.

The cybersecurity community is actively collaborating to understand and counter the Qilin threat. As organizations scramble to bolster their defenses, it's crucial to stay informed about the evolving nature of the ransomware landscape. Constant vigilance, regular updates, and a robust backup strategy are imperative to mitigate the risks associated with Qilin and similar cyber threats.

Although the Qilin ransomware is a significant concern, it also highlights the larger problem of how constantly changing cyberthreats are. According to a cybersecurity expert, "attackers are getting more skilled at focusing on critical infrastructure, and the landscape of cyber threats is dynamic.To protect against such harmful operations, cybersecurity measures that are proactive and vigilant are vital."

The Qilin ransomware, which was first discovered to target VMware ESXi, is a clear reminder of how sophisticated cyber threats are getting. To strengthen their defenses against such powerful adversaries, organizations must prioritize cybersecurity procedures, such as patch management, regular upgrades, and reliable backup plans.
Read more »
Ransomware
Bots Cryptominers Digital Infrastructure Firewalls Linux Linux Servers malware Ransom Ransomware

This Linux Malware Bombards Computers with DDoS Bots and Cryptominers

 

Security experts have discovered a new Linux malware downloader that uses cryptocurrency miners and DDoS IRC bots to attack Linux servers with weak security. After the downloader's shell script compiler (SHC) was uploaded to VirusTotal, researchers from ASEC found the attack. It appears that Korean users were the ones who uploaded the SHC, and Korean users are also the targets. 

Additional research has revealed that threat actors target Linux servers with weak security by brute-forcing their way into administrator accounts over SSH. Once inside, they'll either set up a DDoS IRC bot or a cryptocurrency miner. XMRig, arguably the most well-liked cryptocurrency miner among hackers, is the miner that is being used.

It generates Monero, a privacy-focused cryptocurrency whose transactions appear to be impossible to track and whose users are allegedly impossible to identify, using the computing power of a victim's endpoints.

Threat actors can use the DDoS IRC bot to execute commands like TCP Flood, UDP Flood, or HTTP Flood. They can execute port scans, Nmap scans, terminate various processes, clear the logs, and other operations. Malicious deployments are continuously thrown at Linux systems, most frequently ransomware and cryptojacking.

"Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks," ASEC stated in its report. "Administrators should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers."

The continued success of Linux services in the digital infrastructure and cloud industries, as well as the fact that the majority of anti-malware and cybersecurity solutions are concentrated on protecting Windows-based devices, according to a VMware report from February 2022, put Linux in a risky situation.
Read more »
Vulnerabilities and Exploits
Botnet cryptomining Exploited Device Linux Servers Vulnerabilities and Exploits

New Version of 'Sysrv' Botnet is Targeting Windows and Linux Servers

 

Microsoft recently unearthed a new version of the Sysrv botnet, tracked as Sysrv-K, capable of abusing bugs in WordPress and Spring Framework to install crypto-mining malware on vulnerable Windows and Linux servers. The variant has been upgraded with multiple features, including scanning for unpatched WordPress and Spring deployments. 

"The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers" by exploiting various vulnerabilities, the Microsoft Security Intelligence team tweeted. These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins as well as newer vulnerabilities like CVE-2022-22947." 

CVE-2022-22947 (CVSS score of 10) is a code injection critical vulnerability in Spring Cloud Gateway that exposes applications to code injection assaults, allowing unauthenticated, remote attackers to achieve remote code execution. 
 
Sysrv-K scans for WordPress configuration files for their backups, in an attempt to steal database credentials and take over the webserver. Moreover, the botnet packs updated communication capabilities, such as support for Telegram. 

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and hostnames, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” the Microsoft team added. 

The botnet has been active since at least December 2020, but its activity was documented in April 2021 by multiple security researchers. Sysrv-K secures control of web servers by scanning the internet to locate web servers and then uses various vulnerabilities such as path traversal, remote file disclosure, arbitrary file downloads, and remote code execution. Once the malware runs on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner. 

After killing competing cryptocurrency miners and deploying its own payloads, the botnet auto-spreads over the network via brute force attacks using SSH private keys collected from various locations on infected servers (e.g., bash history, ssh config, and known_hosts files). 

Subsequently, the botnet aggressively scans the Internet for more vulnerable Windows and Linux systems to add to its army of Monero mining bots. To mitigate the risks, organizations are recommended to secure all of their internet-facing systems by installing available security patches in a timely manner and by applying security best practices.
Read more »
malware
Cloud Security HolesWarm Botnet Linux Servers malware

HolesWarm Cryptominer Botnet Targets Unpatched Windows, Linux Servers

Researchers at Tencent have issued a warning regarding a HolesWarm cryptominer malware campaign that has exploited more than 20 known vulnerabilities in Linux and Windows servers. The cryptominer botnet has been so effective in interchanging so many different known vulnerabilities between attacks, making Tencent researchers refer to the malware as the “King of Vulnerability Exploitation.”

HolesWarm has been able to break into more than 1,000 cloud hosts just since June. Tencent warned that both government and enterprise should immediately address known security flaws in order to prevent them from falling prey to the following HolesWarm attack. The cryptominer botnet also provides hackers password information and full access to the victim’s server. 

“As the HolesWarm virus has changed more than 20 attack methods in a relatively short period of time, the number of lost cloud hosts is still on the rise. Tencent security experts recommend that the operation and maintenance personnel of government and enterprise organizations actively repair high-risk vulnerabilities in related network components to avoid servers (becoming) a broiler controlled by hackers.” Tencent researchers said in their Tuesday report. 


HolesWarm targeting known security flaws 

Security analysts at Tencent noticed HolesWarm taking advantage of high-risk flaws in several common office server components, including Apache Tomcat, Jenkins, Shiro, Spring boot, Structs2, UFIDA, Weblogic, XXL-JOB, and Zhiyuan. 

The malware uses compromised systems to mine for Monero cryptocurrency. This sort of thing is only lucrative if there are several devices counting numerous strings of blockchain. Cryptominer malware gains full access to the victim’s system and puts it to work as an aspect of a much more common criminal effort to mine Monero at scale, utilizing anyone else’s assets. According to Tencent researchers, attackers are constantly updating their strategies. 

“By pulling and updating other malicious modules, HolesWarm virus will record the version information in the configuration with the same name text while installing the malicious module,” Tencent said. “When the cloud configuration is newer, it will end the corresponding module process and update automatically.”

According to Dirk Schrader from New Net Technologies, the rapid evolution of cryptominer malware suggests that a hacking group was just getting started with their criminal activities.

“Collecting crypto-money is a necessary step for any cybercrime group to grow and later maintain capabilities, to acquire additional exploits traded in the Dark Web or to use some cybercrime-as-a-service,” Schrader explained.
Read more »
Subscribe to: Posts (Atom)