As ESET reports, supercomputers around the world are threatened by the Kobalos backdoor. Remote access gives cybercriminals unimagined opportunities.
With their enormous computing power, supercomputers shouldn't get into the hands of criminals - the consequences would be fatal. But that's exactly what happened after discoveries by ESET researchers. Strangers successfully attack so-called Performance Computer (HPC) clusters with Kobalo's backdoor and gain extensive access. The victims include a large Asian ISP, a North American endpoint security provider, and several corporate and government servers.
Attack against Linux, BSD and Solaris
Kobalos was developed for Linux, BSD and Solaris. “Normal” Linux computers also come into focus. Code fragments indicate porting for AIX and Windows. The ESET researchers have published further technical details about Kobalos on the security blog "welivesecurity.de".
“We named this malware Kobalos because of its tiny code size and many tricks. In Greek mythology, a cobalos is a small, mischievous creature, ”explains Marc-Etienne Léveillé, who examined the backdoor. “Rarely have we seen this level of sophistication in Linux malware,” he adds. ESET has worked with the CERN Computer Security Team and other organizations involved in defending against attacks on these scientific research networks.
"Setting up two-factor authentication for connecting to SSH servers can contain this type of threat," says Thomas Uhlemann, Security Specialist at ESET Germany. "Using stolen credentials seems to be one of the ways criminals have used Kobalos to spread to various systems."
This is how Kobalos acts
Kobalos is a generic backdoor that contains comprehensive commands from criminals for their illegal activities. For example, attackers can gain remote access to the file system, create terminal sessions and even use proxy connections to establish contact with other servers infected with Kobalos.
What makes the backdoor unique: The code to run Kobalos is on the command and control servers (C&C for short). Any server compromised by the malware can be turned into a C&C instance - the attacker only has to send a single command. Since the IP addresses and ports of the C&C server are hard-coded into the executable, the hackers can then generate new Kobalos samples that use this new command server.
In addition, the malware uses a 512-bit RSA private key and a 32-byte password to make it more difficult for security solutions to discover. Encryption makes the actual malicious code difficult to discover and analyze. The ESET researchers have published further technical details on Kobalos.
More on this at WeLiveSecurity on ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.