New SpeakUp Backdoor Infects Linux and macOS with Miners
(Feb 4, 2019)
Check Point researchers have observed a malware campaign that has been distributing a new backdoor, dubbed “SpeakUp.” The malware appears to be targeting Linux and macOS servers primarily based in Brazil, China, Columbia, Ecuador, India, Mexico, Paraguay, South Korea, amongst others. The malware uses a known vulnerability, “CVE-2018-20062,” in the Chinese PHP framework “ThinkPHP,” that allows for remote code execution as the initial infection vector to install a Perl backdoor. Once it obtains access to the Linux or macOS server, it it contact its Command and Control (C2) server to relay the newly infected machine’s information to it. The other vulnerabilities exploited in this campaign include: “CVE-2012-0874,” a JBoss Enterprise Application Platform multiple security bypass, “CVE-2010-1871,” a JBoss Seam Framework remote code execution (RCE), “CVE-2017-10271,” an Oracle WebLogic wls-wsat Component Deserialization RCE, “CVE-2018-2894,” a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware, and “CVE-2016-3088,” an Apache ActiveMQ Fileserver file upload RCE.
Recommendation: Your company should have policies in place in regards to maintaining server software in such a way that new security updates are applied as soon as possible. Threat actors will often use vulnerabilities that have already been issued patches because information and proof-of-concept code of an exploit sometimes becomes available on public sources once a patch has been issued. Actors of all levels of sophistication are known to exploit such vulnerabilities because many users and administrators do not apply security updates.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.