A new backdoor trojan which has been named as “SpeakUp”was found exploiting the Linux servers that hosts more than 90% of the top 1 million domains in the U.S. The trojan uses several complicated tricks to infect hosts and to propagate. The researchers claim that this could be composed for a major offensive that affects large number of infected hosts worldwide.
The Check Point research released the details of the trojan on Monday at the CPX360 event in Las Vegas. SpeakUp (called so due to its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a cryptomining campaign to target more than 70,000 servers worldwide so far which could be a foundation for a terrifying botnet.
SpeakUp aims at on-premises servers and cloud-based machines like the ones hosted by Amazon Web Services. Besides Linux it can also infect MacOS devices as well.
The head of products vulnerability research for Check Point, Oded Vanunu stated that the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. As these software can be deployed on virtual servers, all cloud infrastructure are also prone to be affected.
SpeakUp is equipped with a propagation script written in Python. The main functions include brute-forcing administrative panels using a pre-defined list of usernames and passwords; and scanning the network environment of the infected machine.
In order to spread SpeakUp’s propagation code successfully exploits any of the known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; a Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).
The obfuscated payloads and propagation technique of SpeakUp clearly shows that it is the beginning of a bigger threat in the making. The attacker behind this campaign can deploy additional intrusive and offensive payloads at any time. It also has the ability to scan the surrounding network of an infected server and distribute the malware.
The identity of the threat actor behind this attack is unknown but it is sure that it might be someone or a group with plenty of malware-authoring chops.