Ebury botnet compromises 400,000+ Linux servers

ESET researchers released its deep-dive investigation into one of the most advanced server-side malware campaigns. It is still growing and has seen hundreds of thousands of compromised servers in its at least 15-year-long operation.

The Ebury group and botnet have been involved in the spread of spam, web traffic redirections, and credential stealing over the years. In recent years, they have diversified to credit card and cryptocurrency theft.

Additionally, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD, and OpenBSD servers; more than 100,000 were still compromised as of late 2023. In many cases, Ebury operators could gain full access to large servers of ISPs and well-known hosting providers.

Ebury, active since at least 2009, is an OpenSSH backdoor and credential stealer. It is used to deploy additional malware to monetize the botnet (such as modules for web traffic redirection), proxy traffic for spam, perform adversary-in-the-middle attacks (AitM), and host supporting malicious infrastructure. In AitM attacks, ESET has observed over 200 targets across over 75 networks in 34 countries between February 2022 and May 2023.

Its operators have used the Ebury botnet to steal cryptocurrency wallets, credentials, and credit card details. ESET has uncovered new malware families authored and deployed by the gang for financial gain, including Apache modules and a kernel module to redirect web traffic. Ebury operators also used zero-day vulnerabilities in administrator software to compromise servers in bulk.

After a system is compromised, several details are exfiltrated. Using the known passwords and keys obtained on that system, credentials are reused to try logging into related systems. Each Ebury’s major version introduces important changes, new features, and obfuscation techniques.

“We have documented cases where the infrastructure of hosting providers was compromised by Ebury. In these cases, we have seen Ebury being deployed on servers rented out by those providers, with no warning to the lessees. This resulted in cases where the Ebury actors were able to compromise thousands of servers at once,” says Marc-Etienne M. Léveillé, the ESET researcher who investigated Ebury for more than a decade. There is no geographical boundary to Ebury; there are servers compromised with Ebury in almost all countries in the world. Whenever a hosting provider was compromised, it led to a vast number of compromised servers in the same data centers.

At the same time, no verticals appear more targeted than others. Victims include universities, small and large enterprises, internet service providers, cryptocurrency traders, Tor exit nodes, shared hosting providers, and dedicated server providers, to name a few.

In late 2019, the infrastructure of a large and popular US-based domain registrar and web hosting provider was compromised. In total, approximately 2,500 physical and 60,000 virtual servers were compromised by the attackers. A very large portion, if not all, of these servers are shared between multiple users to host the websites of more than 1.5 million accounts. In another incident, a total of 70,000 servers from that hosting provider were compromised by Ebury in 2023. Kernel.org, hosting the source code of the Linux kernel, had been a victim of Ebury too.

“Ebury poses a serious threat and a challenge to the Linux security community. There is no simple fix that would make Ebury ineffective, but a handful of mitigations can be applied to minimize its spread and impact. One thing to realize is that it doesn’t only happen to organizations or individuals that care less about security. A lot of very tech-savvy individuals and large organizations are among the list of victims,” concludes Léveillé.