Cybercriminals targeting Linux servers to infect and launch DDoS attacks says threat advisory

News by Steve Gold

Hackers tapping Linux systems to launch vertical target DDoS attacks

Research just published claims to show that hackers are expanding the reach of their DDoS attacks, targeting and leveraging powerful Linux-based systems to attack Internet-facing servers in the entertainment industry and other vertical sectors.

According to Prolexic's threat advisory, one of the observed attacks - originating from Asia - had a hefty 119 Gbps bandwidth and 110 Mpps in volume terms.

The attacks, says the Akamai division, represent a high risk to servers, since they engineer IptabLes and IptabLex infections on Linux systems.

As a result, the company says that malicious actors can tap the infected Linux systems to launch distributed denial of service (DDoS) attacks against the entertainment industry and other verticals.

Delving into the report reveals that the attackers have used the Linux vulnerabilities on poorly maintained servers to gain access, escalate their privileges to allow remote control of the machine, and then drop malicious code into the system and execute that code.

Thanks to this, says the security company, a system can then be controlled remotely as part of a DDoS botnet swarm.

Detecting and preventing an IptabLes/IptabLex infection on Linux systems, says the advisory, involves patching and hardening Linux servers, as well as adding antivirus detection.

The problem that IT admins face, says the report, is that once the Linux system has been compromised, attackers escalate privileges and infect the system with IptabLes or IptabLex malware. And in order to prevent further infestation and spread of the IptabLes IptabLex botnet, Linux administrators need to identify and apply corrective measures.

Mitigating the threat to Linux systems involves patching and hardening the Linux system, adding antivirus detection to the mix, and cleaning infected systems.

Perhaps more worryingly, Prolexic says that the VirusTotal test platform has reported only 23 out of 54 antivirus engines as currently detecting this threat.

Assumptions of safety

Commenting on the report, Phil Turtle, chief communications officer with the Data Centre Alliance, said that many professionals in the data centre industry have assumed - because their Linux machines have generally only been the recipients of DDoS attacks - that they have been very safe, if not immune, from hacks that result in membership of a botnet swarm.

"These latest successful attacks show that no operating system is safe from attack and that Linux server operators need to review their server estate to ensure that the best infection controls are in place - and the operating system platform is fully patched and up to date," he said.

"We'd recommend that co-location data centre operators - who don't have direct control of the servers in their facilities - make their customers aware of the dangers now facing their servers and suggest that they take the same preventative action," he added.

Over at Check Point, Keith Bird, the security vendor's UK managing director said that DDoS continues to be a key weapon used to target organisations.
"As such, IT teams should have a plan in place to mitigate the impact of attacks, and consider implementing defensive strategies that can include on-premise technologies and cloud-based scrubbing services, as well as fine tuning of gateways and Web servers," he said.

"They can also approach ISPs and work with them to identify mitigation techniques - after all, DDoS attacks use the same Internet routes as ordinary traffic," he explained.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews