Linux servers running unpatched Webmin installations are under attack and slowly getting added to a new peer-to-peer (P2P) botnet dubbed Roboto by security researchers at 360 Netlab who tracked it for roughly three months.
360 Netlab’s researchers were able to capture the botnet’s bot and downloader modules, with P2P control and vulnerability scanner modules also in use but not retrieved and analyzed so far.
After examining the malware components captured so far, 360 Netlab found that the Roboto bots support seven functions: reverse shell, self-uninstall, system command execution, harvesting and exfiltrating process and network information, running encrypted payloads fetched from remote URLs, and launching DDoS attacks.
While the researchers found that the DDoS module supports four attack methods — ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood — depending on the system permissions it can gain on the compromised Linux servers, they have not detected a single Roboto DDoS attack since they started tracking the botnet.
Scanning and compromising Linux Webmin Servers
To compromise new systems and add them to the botnet, Roboto exploits a Webmin RCE vulnerability tracked as CVE-2019-15107 to drop its downloader module on Linux servers running vulnerable installations of Webmin, the web-based system administration tool for Unix-like systems — the flaw can be mitigated by updating to Webmin 1.930 or by disabling the ‘user password change’ option.
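A defender-side check for the two mitigations just named, added here as an example; it is not code from the article or from 360 Netlab's report. It assumes that the installed version string lives in /etc/webmin/version and that the ‘user password change’ option corresponds to a non-zero `passwd_mode` line in /etc/webmin/miniserv.conf; both file paths and the meaning of that key are assumptions, and the sample configuration text is constructed for the demonstration. The version comparison is against the 1.930 release the article names as patched.

```shell
#!/bin/sh
# Added example: classify a Webmin install as patched, mitigated or vulnerable
# against CVE-2019-15107 using the two mitigations named in the article.

# Return 0 (true) when VERSION is older than 1.930, 1 when it is 1.930 or
# newer, 2 when the string is not a dotted number at all.
webmin_version_vulnerable() {
    ver="$1"
    case "$ver" in
        ""|*[!0-9.]*) echo "invalid version string: '$ver'" >&2; return 2 ;;
    esac
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    # A bare "2" has no dot, so ${ver#*.} returns the whole string.
    [ "$major" = "$ver" ] && minor=0
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    [ "$minor" -lt 930 ]
}

# Read miniserv.conf-style "key=value" text on stdin and print the value of
# passwd_mode, defaulting to 0 when the key is absent.
webmin_passwd_mode() {
    mode=$(sed -n 's/^passwd_mode=//p' | head -n 1)
    echo "${mode:-0}"
}

# Print one word for VERSION and PASSWD_MODE:
#   patched    - version is 1.930 or newer
#   mitigated  - older version, but password change is disabled (mode 0)
#   vulnerable - older version with password change enabled (assumption:
#                any non-zero passwd_mode enables the feature)
#   unknown    - version string could not be parsed
webmin_status() {
    ver="$1"
    passwd_mode="$2"
    rc=0
    webmin_version_vulnerable "$ver" || rc=$?
    case "$rc" in
        1) echo patched ;;
        0) if [ "${passwd_mode:-0}" = "0" ]; then echo mitigated; else echo vulnerable; fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample configuration (not from a real host) for a stand-alone run.
SAMPLE_CONF='port=10000
ssl=1
passwd_mode=2'

printf 'sample host (1.920, passwd_mode=2): %s\n' \
    "$(webmin_status 1.920 "$(printf '%s\n' "$SAMPLE_CONF" | webmin_passwd_mode)")"

# On a real Webmin host, check the live files if they are present and readable.
if [ -r /etc/webmin/version ] && [ -r /etc/webmin/miniserv.conf ]; then
    printf 'this host: %s\n' \
        "$(webmin_status "$(cat /etc/webmin/version)" "$(webmin_passwd_mode < /etc/webmin/miniserv.conf)")"
fi
```

A host that reports `vulnerable` needs the 1.930 update; `mitigated` means the exploitable option is off but the install is still behind, so the update should follow anyway.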
To get an idea of how many devices are exposed to Roboto attacks at the moment, Webmin says on the project’s GitHub page that it has “over 1,000,000 installations worldwide,” while Shodan reports over 232,000 reachable servers and BinaryEdge a little over 470,000 — not all reachable Webmin servers run Linux or a vulnerable version.
The 360 Netlab report also notes that the server that attacked their Anglerfish honeypot to drop the Roboto downloader was itself running a Webmin service on TCP port 10000, suggesting that the operators are using previously infected systems to scan for and compromise other devices.
“At the same time, it also uses Curve25519, Ed25519, TEA, SHA256, HMAC-SHA256 and other algorithms to ensure the integrity and security of its components and P2P network, create the corresponding Linux self-starting script based on the target system, and disguise its own files and processes name to gain persistence control,” 360 Netlab also found.