Akamai and its Prolexic Security Engineering & Research Team (PLXsert) issued a threat advisory on Wednesday warning of a high-risk threat: IptabLes and IptabLex infections on Linux systems. Compromised enterprise Linux servers are being used to launch botnet DDoS attacks against the entertainment industry and possibly other targets.
Malicious actors have mainly exploited vulnerabilities in Apache Struts, Tomcat and Elasticsearch to gain access to unmaintained servers, escalate privileges to gain remote control, and then deliver and run malicious code.
“We have traced one of the most significant DDoS attack campaigns of 2014 to infection by IptabLes and IptabLex malware on Linux systems,” said Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit. “This is a significant cybersecurity development because the Linux operating system has not typically been used in DDoS botnets. Malicious actors have taken advantage of known vulnerabilities in unpatched Linux software to launch DDoS attacks. Linux admins need to know about this threat to take action to protect their servers.”
Infected machines can be identified by payloads named .IptabLes or .IptabLex in the /boot directory, and they will attempt to self-update by contacting a remote host. In its lab, Prolexic observed an infected system attempting to contact two IP addresses located in Asia.
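The file names above are the only host-level indicator the advisory gives here, so the following read-only check looks for them; it is an added example, not code from Akamai's advisory, and the function names and the optional directory argument (defaulting to /boot) are this example's own.

```sh
#!/bin/sh
# Added example: read-only triage check for the IptabLes/IptabLex file
# indicators named in the advisory. It removes nothing; cleanup steps
# belong to the advisory's own instructions.

# Usage: check_indicator_files [DIR]
# Looks in DIR (default /boot) for the two indicator file names and
# prints ownership, mode and mtime for the incident record.
# Returns 0 if at least one indicator file is present, 1 otherwise.
check_indicator_files() {
    _dir="${1:-/boot}"
    _hits=0
    for _name in .IptabLes .IptabLex; do
        if [ -e "$_dir/$_name" ]; then
            printf 'INDICATOR: %s/%s is present\n' "$_dir" "$_name"
            ls -ld "$_dir/$_name" 2>/dev/null | sed 's/^/    /'
            _hits=$((_hits + 1))
        fi
    done
    [ "$_hits" -gt 0 ]
}

# Usage: check_indicator_processes
# Reports running processes whose command line carries either payload
# name, as a second indicator that the dropped file is executing.
# Returns 0 if any such process exists, 1 otherwise.
check_indicator_processes() {
    _hits=0
    for _name in IptabLes IptabLex; do
        if pgrep -f "$_name" >/dev/null 2>&1; then
            printf 'INDICATOR: running process matching %s\n' "$_name"
            pgrep -fl "$_name" 2>/dev/null | sed 's/^/    /'
            _hits=$((_hits + 1))
        fi
    done
    [ "$_hits" -gt 0 ]
}

# Run both checks when executed directly; exit 0 means no indicator found.
if [ "${0##*/}" = "iptabl_check.sh" ]; then
    _status=0
    check_indicator_files "$@" && _status=1
    check_indicator_processes && _status=1
    exit "$_status"
fi
```

The file check is safe to run from a read-only rescue environment; run the process check on the live host only.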
Infected systems were initially found in Asia, where the IptabLes and IptabLex command and control centers are located, but “many infections” have since been found on servers hosted in the US and other regions.
Prolexic says that detecting and preventing the infections requires patching and hardening Linux servers, and the company provides bash commands for cleaning an infected system in its threat advisory.