posted by chromas on Wednesday February 03 2021, @08:50AM
from the malware-with-heritage dept.

High-performance computers are under siege by a newly discovered backdoor:

Kobalos, as researchers from security firm Eset have named the malware, is a backdoor that runs on Linux, FreeBSD, and Solaris, and code artifacts suggest it may have once run on AIX and the ancient Windows 3.11 and Windows 95 platforms. The backdoor was released into the wild no later than 2019, and the group behind it was active throughout last year.

[...] While the Kobalos design is complex, its functionalities are limited and almost entirely related to covert backdoor access. Once fully deployed, the malware gives access to the file system of the compromised system and enables access to a remote terminal that gives the attackers the ability to run arbitrary commands.

In one mode, the malware acts as a passive implant that opens a TCP port on an infected machine and waits for an incoming connection from an attacker. A separate mode allows the malware to convert servers into command-and-control servers that other Kobalis-infected[sic] devices connect to.

[...] Those infected with the malware include a university, an end-point security company, government agencies, and a large ISP, among others. One high-performance computer compromised had no less than 512 gigabytes of RAM and almost a petabyte of storage.

Eset said the number of victims was measured in the tens. The number comes from an Internet-scan that measures behavior that occurs when a connection is established with a compromised host from a specific source port.

[...] “The intent of the authors of this malware is still unknown,” they wrote. “We have not found any clues to indicate whether they steal confidential information, pursue monetary gain, or are after something else.”

Also at: SecurityWeek and ThreatPost.

  • (Score: 2) by dltaylor on Wednesday February 03 2021, @09:51AM (8 children)

    by dltaylor (4693) on Wednesday February 03 2021, @09:51AM (#1108390)

    How in the hell do you not DROP every incoming request that does not have an explicit server/firewall (yes, an additional firewall) dedicated to that service?

    How often do you port-scan your own network from the outside, the "DMZ" (the term is wrong, because the space between your front-line firewall and your outward facing servers IS a battleground, but let's not have truth impede a good TLA), and from the inside, as well to help locate devices compromised by idiots (often CxOs, VPs, Directors and the like) with USB sticks and lousy Internet self-defense skills?

    • (Score: 0) by Anonymous Coward on Wednesday February 03 2021, @09:56AM

      by Anonymous Coward on Wednesday February 03 2021, @09:56AM (#1108395)

      Idiot your job is to serve the masters. Now go and find the evidence for Jared to get his Nobel Prize.

    • (Score: 4, Informative) by sjames on Wednesday February 03 2021, @10:38AM (2 children)

      by sjames (2882) on Wednesday February 03 2021, @10:38AM (#1108407) Journal

      It's worth noting that in spite of what the term demilitarized zone might make you think, actual DMZs are zones where there is nowhere to hide and anything larger than a rabbit seen moving will be killed from both sides.

      The place public facing servers live is called a DMZ because it is protected from the outside internet and from the inside intranet by firewalls.

      • (Score: 2) by Freeman on Wednesday February 03 2021, @04:38PM (1 child)

        by Freeman (732) on Wednesday February 03 2021, @04:38PM (#1108526) Journal

        Uhh...., I was distinctly under the impression that a router's DMZ specifically placed a local computer outside of the Router's Firewall, thus exposing it to the Internet in general.

        In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled.[1] The DMZ functions as a small, isolated network positioned between the Internet and the private network.[2]

        https://en.wikipedia.org/wiki/DMZ_(computing) [wikipedia.org]

        Yeah, there is nothing protecting your servers from the outside internet, if they are in the DMZ. They must have their own Firewalls.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 2) by sjames on Wednesday February 03 2021, @07:17PM

          by sjames (2882) on Wednesday February 03 2021, @07:17PM (#1108598) Journal

          You stopped reading too soon. Keep reading.

    • (Score: 0) by Anonymous Coward on Wednesday February 03 2021, @10:52AM (2 children)

      by Anonymous Coward on Wednesday February 03 2021, @10:52AM (#1108409)

      If you read the disclosure, the malware doesn't use a new port. It just injects itself into ssh using older vulnerabilities. That doesn't surprise me though. A surprisingly large number of HPC setups run terrifyingly outdated software on them and their access systems. Many of them just don't have the staff necessary to run them properly, especially if they are no longer shiny or considered large. Heck, one of the lower-power clusters here is running Squeeze because I'm 99% sure no one is brave enough to touch it. But at least they finally disconnected it from the Internet .......... in 2018.

      • (Score: 3, Interesting) by ledow on Wednesday February 03 2021, @11:31AM (1 child)

        by ledow (5567) on Wednesday February 03 2021, @11:31AM (#1108417) Homepage

        "In one mode, the malware acts as a passive implant that opens a TCP port on an infected machine and waits for an incoming connection from an attacker"

        That sounds like people allow internal devices to open TCP ports and they are connected direct to the Internet to me.

        Pretty much any machine on my network, if you took full, total, root control of it, you wouldn't be able to open a port that would let others on the Internet connect to it - you'd have to connect OUT to a C&C server of some kind. And unless the machine has a reason to be connecting out on the given port, that should be caught by the firewall, etc. anyway (i.e. don't have default-allow rules on outgoing traffic). And most machines, even things like webservers for example, shouldn't be initiating connections OUT at all... only already established connections in on their already-whitelisted (and hopefully reverse-proxied) 80/443 ports, etc.

        This is caused or exacerbated by sloppy networking however you read it. Sure, you can't STOP a full remote compromise of the software on a machine that provides a server like SSH, email or web, but you can very much limit the damage and alert when something's doing something that it has never tried to do before (e.g. open port 22 to the outside world, or talk out to a C&C server on a given port it's not authorised to).

        Oh, and disable UPnP on ALL your gateway devices. That's just a recipe for disaster.

        • (Score: 0) by Anonymous Coward on Wednesday February 03 2021, @09:42PM

          by Anonymous Coward on Wednesday February 03 2021, @09:42PM (#1108657)

          “There are multiple ways for the operators to reach a Kobalos-infected machine,” according to ESET. “The method we’ve seen the most is where Kobalos is embedded in the OpenSSH server executable (sshd) and will trigger the backdoor code if the connection is coming from a specific TCP source port.”

          That sounds like what I described and it is the more common method according to the discoverer. They probably use that one because of the firewall filtering and other measures you suggested.
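As an added example (not from the article, ESET, or any commenter here), a small Python checker that looks for the two signals discussed above in constructed netfilter-style log lines: inbound SSH connections repeatedly arriving from one fixed, non-ephemeral source port (the trigger behaviour quoted from ESET), and outbound connections a server should never initiate (ledow's egress point). The source port 1337 and all addresses are made-up sample values, not Kobalos indicators.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style of the netfilter LOG target.
# Addresses and ports are made up; 1337 stands in for the unknown trigger port.
SAMPLE_LOG = """\
IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=52113 DPT=22 SYN
IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=40021 DPT=22 SYN
IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=1337 DPT=22 SYN
IN=eth0 OUT= SRC=203.0.113.78 DST=198.51.100.5 PROTO=TCP SPT=1337 DPT=22 SYN
IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.5 PROTO=TCP SPT=1337 DPT=22 SYN
IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.9 PROTO=TCP SPT=44211 DPT=443 SYN
IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.200 PROTO=TCP SPT=44212 DPT=4444 SYN
"""
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """One key=value log line -> dict; the bare SYN flag becomes a boolean."""
    rec = dict(FIELD.findall(line))
    rec["SYN"] = " SYN" in line
    return rec

def fixed_source_port_ssh(lines, ssh_port=22, ephemeral_min=32768, min_clients=2):
    """Inbound SYNs to sshd from a source port below the ephemeral range that
    recurs across distinct client addresses.  Real SSH clients pick a fresh
    ephemeral port per session, so a shared low port is the 'specific TCP
    source port' trigger pattern.  Returns {source_port: sorted client IPs}."""
    clients = defaultdict(set)
    for rec in map(parse_line, lines):
        if not (rec["SYN"] and rec.get("IN") and rec.get("PROTO") == "TCP"):
            continue
        if int(rec["DPT"]) == ssh_port and int(rec["SPT"]) < ephemeral_min:
            clients[int(rec["SPT"])].add(rec["SRC"])
    return {p: sorted(ips) for p, ips in clients.items() if len(ips) >= min_clients}

def unexpected_egress(lines, allowed_dports=frozenset({53, 443})):
    """Outbound SYNs to ports a server should never initiate.  A first cut only:
    a C&C listener on 443 or 53 passes a port allowlist, so combine this with
    per-destination rules and a baseline of what the host normally talks to."""
    return [(rec["DST"], int(rec["DPT"])) for rec in map(parse_line, lines)
            if rec["SYN"] and rec.get("OUT") and rec.get("PROTO") == "TCP"
            and int(rec["DPT"]) not in allowed_dports]

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("fixed-source-port SSH clients:", fixed_source_port_ssh(lines))
    print("unexpected egress:", unexpected_egress(lines))
```

On a real host, feed it the kernel log lines produced by a LOG rule on your INPUT and OUTPUT chains instead of SAMPLE_LOG; the ephemeral range assumed here is the Linux default.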

    • (Score: 0) by Anonymous Coward on Wednesday February 03 2021, @06:05PM

      by Anonymous Coward on Wednesday February 03 2021, @06:05PM (#1108567)

      Well, dropping requests implies the attacker is a noob and does not use a port you cannot block, like 443 or 53 (classic) or some other. Mimicry.

      Port scanning from your own IP won't show the port as open, if the implant is in the router, and it will be with enough workstations controlled.
      The TCP/IP stack can be patched in memory, too.
      Etc.

      Unsecured "IOT" only works when there's a lot of them; who gives a fuck about a 100k-strong botnet, lol.
      These days a count in the millions is not impossible, if you don't use it to ddos or spam with.

  • (Score: 5, Insightful) by Dr Spin on Wednesday February 03 2021, @10:17AM (1 child)

    by Dr Spin (5239) on Wednesday February 03 2021, @10:17AM (#1108402)

    So how are we supposed to know if we are compromised? how do we get rid of it?

    Telling us there is a problem with no description of the problem is just a completely stupid waste of everybody's time.

    --
    Warning: Opening your mouth may invalidate your brain!
  • (Score: 0) by Anonymous Coward on Wednesday February 03 2021, @04:27PM (3 children)

    by Anonymous Coward on Wednesday February 03 2021, @04:27PM (#1108520)

    > One high-performance computer compromised had no less than 512 gigabytes of RAM and almost a petabyte of storage.

    Our very much normal servers used to host VMs, not part of an HPC cluster (high performance computing cluster), have had a _minimum_ of half a terabyte of RAM each for over a decade. This is not a lot these days. And, absolutely not "high performance".

    • (Score: 2) by Freeman on Wednesday February 03 2021, @04:43PM

      by Freeman (732) on Wednesday February 03 2021, @04:43PM (#1108532) Journal

      Considering the likes of "Linus Tech Tips" from YouTube has a petabyte of storage just so they can fit all their videos, etc., I would have to agree that 512GB of RAM and 1 Petabyte of storage isn't particularly High Performance or terribly impressive. Though, it's certainly larger than pretty much any "gaming rig" or the like that a home user would have.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 2) by vux984 on Wednesday February 03 2021, @10:04PM (1 child)

      by vux984 (5045) on Wednesday February 03 2021, @10:04PM (#1108666)

      Your 'very normal servers' are "high performance computers" by any metric an arstechnica reader would go by. And really, even for an IT/tech audience, the VAST majority of us don't work with hardware like that. The biggest servers I personally admin are a rack of 128GB RAM / 8TB storage (SSD) systems for VMs. They cost ~20k each iirc. They're pretty modest as servers go, sure, but they're an order or two of magnitude more than what most people have on their desk, even 'high end' gaming systems.

      Sure some people in CAD or film production might even have something comparable on their desks, but I think those qualify as "high performance computers" too.

      • (Score: 0) by Anonymous Coward on Thursday February 04 2021, @09:04AM

        by Anonymous Coward on Thursday February 04 2021, @09:04AM (#1108851)

        A joke around here is that anything you get to use is a computer and any bigger iron that you don't is a supercomputer.

  • (Score: 2) by PinkyGigglebrain on Wednesday February 03 2021, @08:55PM

    by PinkyGigglebrain (4458) on Wednesday February 03 2021, @08:55PM (#1108639)

    from the article:

    So far, it’s not clear how Kobalos is getting installed.

    So we have to wait until they figure that out to fully protect our networks.

    --
    "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."