Xbash Malware Targets Windows and Linux with Ransomware and Cryptomining
Newly identified Xbash malware is targeting weak passwords and unpatched vulnerabilities on Linux and Windows systems to launch ransomware or cryptomining attacks.
Contexte
Unit 42, Palo Alto Network’s research team, recently blogged about a new malicious software (malware) family it’s calling Xbash. This newly identified malware targets Linux and Windows systems that have weak passwords and unpatched vulnerabilities.
On Linux systems, Xbash will identify and delete MySQL, MongoDB and PostgreSQL databases and then seek ransom payment from victims. On Windows systems, it will initiate cryptomining and self-propagate. Organizations should be aware Xbash has no functionality to restore the deleted databases, so there is no use in paying the ransom.
Vulnerability details
Xbash targets two unpatched vulnerabilities and one patched vulnerability. The first unpatched vulnerability is an unauthenticated command execution vulnerability in Apache Hadoop YARN, which was first discovered in October 2016 but has no CVE. The second unpatched vulnerability is a remote code execution vulnerability in Redis, which was first discovered in November 2015 and also has no CVE. Lastly, the patched vulnerability, CVE-2016-3088, is an arbitrary file write vulnerability in Apache ActiveMQ.
Urgently required actions
To protect against the Xbash malware, we advise organizations to ensure they’re using strong and unique passwords across the board. Because two vulnerabilities remain unpatched, it is important to identify vulnerable assets and ensure they’re protected by an endpoint security product. As there is a patch available for Apache ActiveMQ, organizations should ensure they’re applying patches regularly. Finally, because Xbash targets and deletes databases, organizations should back up databases regularly and segregate them from other systems on the network.
Identification des systèmes affectés
Tenable has the following plugins available to scan for applications targeted by the Xbash malware family.
|
Plugin ID |
Description |
|
Redis Server Unprotected by Password Authentication |
|
|
Redis Server Detection |
|
|
Apache ActiveMQ 5.x < 5.14.0 ActiveMQ Fileserver web application remote code execution (Xbash) |
|
|
Apache Hadoop YARN ResourceManager Unauthenticated RCE (Remote) |
Get more information:
- Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
- Cryptocurrency-Mining Malware: 2018’s New Menace?
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Articles connexes
Cybersecurity Snapshot: CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills
July 12, 2024Check out CISA’s call for weeding out preventable OS command injection vulnerabilities. Plus, the Linux Foundation and OpenSSF spotlight the lack of cybersecurity expertise among SW developers. Meanwhile, GenAI deployments have tech leaders worried about data privacy and data security. And get the latest on FedRAMP, APT40 and AI-powered misinformation!
How Risk-based Vulnerability Management Boosts Your Modern IT Environment's Security Posture
July 11, 2024Vulnerability assessments and vulnerability management sound similar – but they’re not. As a new Enterprise Strategy Group white paper explains, it’s key to understand their differences and to shift from ad-hoc vulnerability assessments to continuous, risk-based vulnerability management (RBVM). Read on to check out highlights from this Tenable-commissioned study and learn how RBVM helps organizations attain a solid security and risk posture in hybrid, complex and multi-cloud environments.
Microsoft’s July 2024 Patch Tuesday Addresses 138 CVEs (CVE-2024-38080, CVE-2024-38112)
July 9, 2024Microsoft addresses 138 CVEs in its July 2024 Patch Tuesday release, with five critical vulnerabilities and three zero-day vulnerabilities, two of which were exploited in the wild.
