Researchers from ESET have published a 43-page report analyzing the Ebury rootkit and related activity. They claim Ebury has been in use since 2009 and has since been installed on over 400 servers running Linux and several hundred systems based on FreeBSD, OpenBSD, and Solaris. Approximately 110 servers remained infected with Ebury as of the end of 2023. The study is particularly interesting given that Ebury was used in the kernel.org attack, revealing some new details about the compromise of kernel development infrastructure. Linux, discovered in 2011. Ebury has also been found on domain registrar servers, crypto exchanges, Tor exit nodes, and several hosting providers, whose names are not given.
It was initially assumed that the attackers servers The kernel.org attackers remained undetected for 17 days, but according to ESET, this period was calculated from the moment the Phalanx rootkit was implanted. The Ebury backdoor had been present on the servers since 2009 and could have been used to gain root access for approximately two years. The Ebury and Phalanx malware were installed in separate, distinct attacks carried out by different attacker groups. The Ebury backdoor affected at least four servers in the kernel.org infrastructure, two of which were compromised approximately two years later, and the other two within six months.
The attackers gained access to the password hashes of 551 users stored in /etc/shadow, including all kernel maintainers (the accounts were used to access Git; after the incident, the passwords were changed, and the access model was revised to use digital signatures). For 257 users, the attackers were able to determine cleartext passwords, presumably by guessing passwords using hashes and by intercepting passwords used in SSH by the malicious Ebury component.
The malicious component Ebury was distributed as a shared library, which, once installed, intercepted functions used in OpenSSH to establish a remote connection to a system with root rights. The attack was not targeted and, like thousands of other hosts affected, kernel.org servers were used as part of a botnet to send spam, steal credentials for distribution on other systems, redirect web traffic and perform other malicious activities.
To penetrate the servers, unpatched vulnerabilities in server software were used, for example, vulnerabilities in hosting panels, or intercepted passwords (it is assumed that the kernel.org servers were hacked as a result of compromising the password of one of the users who had shell access). Vulnerabilities such as Dirty COW were used to escalate privileges.
New versions of Ebury used in recent years, in addition to the backdoor, included such features as modules for Apache httpd for proxying traffic, redirecting users and intercepting confidential information, a kernel module for making changes to transit HTTP traffic, tools for hiding your own traffic from firewalls , scripts for conducting AitM attacks (Adversary-in-the-Middle, bidirectional MiTM) to intercept SSH credentials in hosting provider networks.

Source: opennet.ru
