The newly discovered backdoor trojan ‘SpeakUp’ infects Linux and macOS systems

  • The new backdoor trojan ‘SpeakUp’ exploits known vulnerabilities in six different Linux systems and also in macOS.
  • The malware campaign distributing the SpeakUp trojan targets servers in East Asia and Latin America, including AWS-hosted machines.

Researchers spotted a new malware campaign distributing a backdoor trojan named ‘SpeakUp’, which exploits known vulnerabilities in six different Linux systems. The campaign targets servers in East Asia and Latin America, including AWS-hosted machines. Researchers noted that the campaign also manages to evade all antivirus solutions.

Researchers from Check Point suspect that a malware author going by the name Zettabit is behind the new campaign, as they detected similarities between the SpeakUp backdoor trojan and Zettabit’s previous work.

SpeakUp targets Linux servers via ThinkPHP RCE vulnerability

Check Point researchers noted that this malware campaign targets Linux servers using the ThinkPHP remote code execution vulnerability (CVE-2018-20062) as its initial infection vector. The SpeakUp backdoor leverages this vulnerability and uses command injection techniques to upload a PHP shell that executes a Perl backdoor.

Once the SpeakUp trojan successfully gains a foothold on a Linux server, it immediately signals its C2 server that a newly infected host is online and sends registration information so the host can be added to the network of compromised machines the attackers control remotely. Attackers can use the backdoor to gain boot persistence, run shell commands, execute files downloaded from a remote C2 server, and so on.

Researchers noted that both the second-stage payload and the communication between the infected server and the C2 server were encoded with salted base64.

Seven Remote Code Execution Vulnerabilities

Researchers also noted that the SpeakUp trojan comes with a built-in Python script that it uses for propagation. This script allows SpeakUp to scan local networks and infect more Linux servers.

SpeakUp does this by scanning for open ports, attempting brute-force attacks to log in to admin panels, and exploiting one of the following seven RCE vulnerabilities:

  • CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
  • CVE-2010-1871: JBoss Seam Framework remote code execution
  • JBoss AS 3/4/5/6: Remote Command Execution
  • CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
  • CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
  • Hadoop YARN ResourceManager: Command Execution
  • CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability

SpeakUp’s victim distribution

Check Point’s ‘SpeakUp victim distribution’ map revealed that SpeakUp victims are primarily located in Asia and South America.

“The infections in non-Chinese countries come from SpeakUp using its second-stage exploits to infect companies’ internal networks, which resulted in the trojan spreading outside the normal geographical area of a Chinese-only PHP framework,” Lotem Finkelstein, a researcher at Check Point, told ZDNet.

This campaign has made 107 Monero coins

Researchers reported that the attackers behind this malware campaign have been using the SpeakUp trojan to deploy Monero cryptocurrency miners on infected servers and have made roughly 107 Monero coins, which is worth around $4,500.

“At the moment SpeakUp serves XMRig miners to its listening infected servers. According to XMRHunter, the wallets hold a total of ~107 Monero coins,” Check Point researchers said.

“The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware. This campaign, while still relatively new, can evolve into something bigger and potentially more harmful,” researchers concluded.

Top WordPress attacks: Insight into major attacks that involved compromise of WordPress sites

WordPress is the most popular content management system; it is based on PHP and MySQL. A recent study revealed that WordPress-associated vulnerabilities saw a 30% increase in 2018 compared to the previous year: 542 vulnerabilities related to WordPress were recorded in 2018.

Moreover, almost 98% of these vulnerabilities were in WordPress plugins and only 2% were found in the WordPress code itself. A vulnerability in a single WordPress plugin could give attackers access to thousands of sites. The plugin architecture is the main reason people choose WordPress; however, out-of-date plugins are an easy entry point for attackers looking to compromise WordPress sites.

In this blog, we highlight some of the largest attacks that involved the compromise of WordPress sites.

#1. Over 1.5 million WordPress sites were hacked due to a critical vulnerability

A critical vulnerability was detected in WordPress version 4.7.2. The CMS developers reported the zero-day vulnerability in WordPress and patched three vulnerabilities, including a SQL injection, a cross-site scripting bug, and an access control bug.

However, one week later, the CMS developers reported that WordPress accounts had been hacked, as the vulnerability had not been patched on many sites. This allowed attackers to exploit the vulnerability and modify the content of any page or post on a targeted site.

The vulnerability was exploited to carry out four different defacement campaigns.

  • The first campaign exploiting this vulnerability hacked WordPress sites within 48 hours after disclosure.
  • In the second campaign, attackers exploited this vulnerability to modify the content of over 60,000 web pages and replaced them with ‘hackedby’ messages.
  • The remaining campaigns hacked nearly 1,000 WordPress pages.

Apart from defacement campaigns, researchers also spotted SEO spam campaigns leveraging this WordPress vulnerability. Overall, researchers revealed that 1.5 million WordPress sites were hacked.

#2. WordPress plugin used to hack more than 200,000 websites

A WordPress plugin named ‘Display Widgets’ was used to install a backdoor on WordPress sites. The WordPress team removed the ‘Display Widgets’ plugin from the official WordPress Plugins repository; by then, however, the plugin had been installed on more than 200,000 sites.

The plugin was removed from the official WordPress Plugins repository four times.

  • The first version of the plugin, v2.6.0, broke WordPress plugin rules by downloading over 38 MB of code from a third-party server. This code contained tracking features that logged traffic on websites using this version. The extra code collected data such as user IP addresses, user strings, the domain where the data was collected, and the page the user was viewing, and sent this information to the third-party server. The plugin was removed from the repository for these reasons.
  • The second version, v2.6.1, bundled the 38 MB file inside the plugin to avoid downloading files from third-party servers and breaking WordPress plugin rules. However, this version contained a backdoor that allowed the plugin’s owner to connect to remote sites and create new pages or posts. This version was also removed from the repository.
  • The third version, v2.6.2, created new pages into which it inserted spammy links to other sites. Moreover, the plugin hid these spammy pages from logged-in users. The plugin was removed for the third time.
  • The fourth version, v2.6.3, was also malicious and was removed from the repository as it inserted spammy links into other sites.

#3. Brute-force attack targets over 190,000 WordPress sites/hour

In December 2017, a massive brute-force attack campaign targeted WordPress sites in order to deploy Monero miners. The attackers brute-forced WordPress admin account logins to install a Monero miner on compromised sites. The WordPress security firm Wordfence stated that this was the biggest brute-force attack the company had been forced to mitigate since it was founded in 2012.

The brute-force attacks peaked at 14.1 million requests per hour. The requests originated from over 10,000 unique IP addresses and targeted around 190,000 WordPress sites per hour. In this brute-force campaign, the attackers earned over $100,000 worth of Monero.
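As an added example (not code from the article or from Wordfence), the following Python script shows how a site operator could spot this kind of activity in ordinary web-server access logs. It parses Apache/Nginx combined-format log lines, counts POST requests to wp-login.php (and xmlrpc.php) per source IP inside a sliding time window, and separately flags a distributed pattern in which many IPs share the login attempts, which is the shape of the campaign described above. The log lines, IP addresses and thresholds are constructed for the example and are not indicators from the campaign.

```python
"""Detect WordPress login brute-force activity in web server access logs.

Added example: parses Apache/Nginx "combined" access log lines, counts
POST requests to wp-login.php / xmlrpc.php per source IP in a sliding
window, and flags single-source bursts as well as distributed campaigns.
All sample data below is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Apache/Nginx combined log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_login_post(rec):
    """Credential guesses arrive as POSTs to the login or XML-RPC endpoint."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith(LOGIN_PATHS)


def detect_bruteforce(lines, window_s=60, per_ip_threshold=10, distributed_ips=3):
    """Scan log lines in order and report brute-force indicators.

    flagged_ips: sources that sent >= per_ip_threshold login POSTs in window_s.
    distributed: True if >= per_ip_threshold login POSTs arrived in one window
                 from >= distributed_ips distinct sources (a spread-out attack
                 that per-IP thresholds alone would miss).
    """
    per_ip = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    recent = deque()              # (timestamp, ip) of recent login POSTs, any source
    flagged_ips = set()
    distributed = False
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_post(rec):
            continue
        t, ip = rec["ts"], rec["ip"]
        q = per_ip[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= per_ip_threshold:
            flagged_ips.add(ip)
        recent.append((t, ip))
        while (t - recent[0][0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= per_ip_threshold and len({i for _, i in recent}) >= distributed_ips:
            distributed = True
    return {"flagged_ips": sorted(flagged_ips), "distributed": distributed}


def _line(ip, secs, method="POST", path="/wp-login.php", status=200):
    """Build one constructed combined-format log line at 2017-12-18 12:00:<secs> UTC."""
    ts = datetime(2017, 12, 18, 12, 0, 0, tzinfo=timezone.utc).replace(second=secs % 60,
                                                                      minute=secs // 60)
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0"')


# Constructed sample: one noisy IP, then a distributed burst from four IPs.
SAMPLE_LOG = (
    [_line("203.0.113.7", 2 * i) for i in range(12)]                       # 12 POSTs in 22s
    + [_line("198.51.100.2", 30, method="GET")]                             # page load, ignored
    + [_line(f"192.0.2.{n}", 120 + 3 * k + n) for n in range(1, 5) for k in range(3)]
)
BENIGN_LOG = [_line("198.51.100.9", 0, method="GET"), _line("198.51.100.9", 5),
              _line("198.51.100.9", 40)]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))   # {'flagged_ips': ['203.0.113.7'], 'distributed': True}
    print(detect_bruteforce(BENIGN_LOG))   # {'flagged_ips': [], 'distributed': False}
```

Thresholds should be tuned to the site's normal login volume; a rate limit or lockout keyed only on source IP would not have stopped a campaign spread over 10,000 addresses, which is why the distributed check is kept separate from the per-IP one.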

#4. United Nations WordPress site exposed thousands of resumes online

The United Nations WordPress website that held resumes of job applicants dating back to 2012 was breached, compromising thousands of resumes. The breach was caused by two vulnerabilities discovered in one of the UN’s WordPress websites: a path disclosure vulnerability and an information disclosure vulnerability. Together, these could have allowed attackers to gain access to the directory index that listed the job applications by conducting Man-in-the-Middle (MITM) attacks.