Speakup sets up for attack

Walden Systems Geeks Corner News

A backdoor trojan named SpeakUp has been discovered exploiting Linux servers, which run more than 90 percent of the top 1 million domains in the U.S. It employs several techniques in its bag of tricks to infect hosts and spread. Analysts think this could indicate that it is getting ready for an attack involving the infected hosts, potentially worldwide. According to Check Point research, SpeakUp is being used in a crypto-mining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide so far. This could be the foundation for a huge botnet.

SpeakUp targets on-premises servers as well as cloud-based machines, such as those hosted by Amazon Web Services. It also has the ability to infect macOS devices. The scope of this attack includes all servers running ThinkPHP, Hadoop YARN, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. Since this software can be deployed on virtual servers, cloud infrastructure is also vulnerable. The trojan can affect all Linux distributions and macOS.

The infection starts by targeting an RCE vulnerability in ThinkPHP (CVE-2018-20062). The code uses command-injection techniques to upload a PHP shell that serves and executes a Perl backdoor. The injection is delivered in a GET request sent to the targeted server. The uploaded PHP shell then sends another HTTP request to the targeted server with an injection function that pulls the ibus code and stores it. Code execution is then kicked off with another HTTP request. This in turn executes the Perl script, puts it to sleep for two seconds and deletes the file to remove any evidence of infection.

After registering the infected machine with the C2, SpeakUp asks for new tasks every three seconds. The C2 can respond with no task, or it can tell the backdoor to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data.
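The fixed three-second task poll described above is the kind of regular outbound pattern a defender can look for in connection logs. The following is an added example written for this article, not code from the article or from Check Point; it groups outbound connections by source/destination pair, measures the intervals between them, and flags pairs that poll at a steady period. The log format and the IP addresses are constructed for the example.

```python
"""Fixed-interval beacon detector for outbound connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample records (not from the article): "timestamp src dst:port".
# 10.0.0.12 -> 203.0.113.5:80 polls every 3 s, like the SpeakUp task loop.
# The other two pairs are irregular or too sparse and must not be flagged.
SAMPLE_LOG = """\
2019-02-05T10:00:00 10.0.0.12 203.0.113.5:80
2019-02-05T10:00:03 10.0.0.12 203.0.113.5:80
2019-02-05T10:00:06 10.0.0.12 203.0.113.5:80
2019-02-05T10:00:09 10.0.0.12 203.0.113.5:80
2019-02-05T10:00:12 10.0.0.12 203.0.113.5:80
2019-02-05T10:00:15 10.0.0.12 203.0.113.5:80
2019-02-05T10:00:01 10.0.0.12 198.51.100.7:443
2019-02-05T10:00:18 10.0.0.12 198.51.100.7:443
2019-02-05T10:00:26 10.0.0.12 198.51.100.7:443
2019-02-05T10:01:01 10.0.0.12 198.51.100.7:443
2019-02-05T10:02:10 10.0.0.12 198.51.100.7:443
2019-02-05T10:03:20 10.0.0.12 198.51.100.7:443
2019-02-05T10:00:02 10.0.0.30 203.0.113.5:80
2019-02-05T10:00:47 10.0.0.30 203.0.113.5:80
2019-02-05T10:02:02 10.0.0.30 203.0.113.5:80
"""


def parse_log(text):
    """Yield (src, dst, epoch_seconds) for every non-empty line of the log."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        yield src, dst, datetime.fromisoformat(ts).timestamp()


def find_beacons(text, period=3.0, tolerance=0.5, max_cv=0.2, min_events=5):
    """Return {(src, dst): (median_interval, stdev)} for pairs polling at a fixed period.

    A pair is flagged when it has at least `min_events` connections, the median
    gap between them is within `tolerance` seconds of `period`, and the gaps are
    regular (population stdev no more than `max_cv` times the median).
    """
    by_pair = defaultdict(list)
    for src, dst, t in parse_log(text):
        by_pair[(src, dst)].append(t)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        deltas = [later - earlier for earlier, later in zip(times, times[1:])]
        med = median(deltas)
        sd = pstdev(deltas)
        if abs(med - period) <= tolerance and sd <= max_cv * med:
            hits[pair] = (med, sd)
    return hits


if __name__ == "__main__":
    for (src, dst), (med, sd) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}, median interval {med:.1f}s, stdev {sd:.2f}s")
```

The thresholds are assumptions chosen for the three-second interval the article reports; a backdoor that adds jitter to its polling would need a looser `max_cv`, and legitimate software with a fixed heartbeat will also match, so the output is a lead for triage rather than a verdict.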

Since the hacker has a foothold on the server, they can add exploits for new, future vulnerabilities and deploy the new code, which can attempt further compromise. If the hacker decides to implement more infection techniques, the number of bots could easily scale up. The attack is scalable as well, since the hacker would be able to push a piece of malware to all infected hosts at once.

Currently, the files the backdoor is dropping are simple Monero-mining scripts. However, SpeakUp's creators have the ability to download any code they want to the servers. According to the analysis, SpeakUp's obfuscated payloads and propagation technique are the work of a bigger threat in the making. The hacker behind this attack can, at any given time, push additional code that is potentially more intrusive and offensive. The backdoor also has the ability to scan the surrounding network of an infected server and distribute the malware.

SpeakUp could end up being a very big deal, since it has been seen running on top sites on the internet. Taking into consideration the propagation tactics and a non-existent detection rate on VirusTotal, the impact of SpeakUp may be huge. This attack, while new, can evolve into something bigger and potentially more harmful.