ESET Red-Flags Operation Windigo, Which Is Targeting Linux, Unix Servers


An ongoing attack campaign has compromised more than 25,000 Linux and Unix servers over the past two years with the goal of setting up spam runs, stealing account credentials and conducting other attacks, according to new research issued Tuesday by antivirus vendor ESET.  

Called Windigo, the malicious group behind the attacks likely has been operating since 2011. Once a Linux or Unix server is infected, the automated attack tool the group uses provides a way to establish back-door access, enabling cybercriminals to gain full control of an infected system. With approximately 60 percent of the world's websites running on Linux Web application servers, attackers reap the benefits of gaining access to them, ESET said. They can set up drive-by attacks, redirecting website visitors to malicious sites, conducting click fraud campaigns or sending out spam campaigns.

"One extraordinary characteristic of this operation is the sheer number of infected servers supporting the above-mentioned malicious activities," ESET said in its report (.pdf). "In other words, there are two kinds of victims here: Windows end users visiting legitimate websites hosted on compromised servers, and Linux/Unix server operators whose servers were compromised through the large server-side credential-stealing network."

[Related: Cybercriminals Are Picking On U.S. Cloud Hosting Providers]

Solution providers told CRN they have been advising clients, especially those that provide hosting services, to check their systems for potential compromises. The attackers don't exploit a vulnerability to gain access to the servers -- they either brute-force their way into servers protected by weak or default passwords or they steal credentials. ESET is warning systems administrators to check for compromises by running a script that can detect an infected system. The firm recommends the use of stronger passwords, two-factor authentication and other best practices.

"If [systems administrators] discover their systems are infected, they are advised to wipe affected computers and reinstall the operating system and software," ESET said. "It is essential that fresh passwords and private keys are used, as the existing credentials must be considered compromised."

ESET believes Windigo is responsible for a compromise at the Linux Foundation in 2011 that affected some of the organization's back-end servers. Infections increased significantly in 2013 with thousands of servers compromised in separate incidents.

Other security researchers have uncovered similar attacks targeting Linux and Unix servers. Mary Landesman, a senior security researcher at Cisco Systems, warned last year that Web hosting providers that provide domain services and management capabilities for website owners are at risk of being targeted by the organization. Landesman highlighted the Darkleech attacks, which set up drive-by attacks against website visitors.

A version of the threat called Linux/Cdorked was detected attacking Apache installations in March and the attackers behind the campaign used a technique of never persisting on websites for more than 24 hours, making it difficult for hosting providers and website owners to detect and block the malicious activity.

PUBLISHED MARCH 19, 2014