A new Linux malware is currently targeting supercomputers across the globe. These include those in North America, Asia, and Europe. ZDNet reported that although it is a small malware, its complexity can still give security experts a hard time preventing it from breaching supercomputers.
An employee of the German Climate Computing Center (DKRZ, or Deutsches Klimarechenzentrum) poses next to the "Mistral" supercomputer, installed in 2016, at the German Climate Computing Center on June 7, 2017 in Hamburg, Germany. The DKRZ provides HPC (high performance computing) and associated services for climate research institutes in Germany.
The new malware is also believed to be stealing mainly SSH credentials for secure network connections via a trojanized version of the OpenSSH software. Although the malware is not that widespread, experts explained that it still targets mostly high-performance computers or HPC, and servers on research and academic networks.
Why is this alarming? Because the malware can leak very important data from various classified researchers and other school studies. According to Bleeping Computer's latest report, cybersecurity company ESET's researchers were the ones that first discovered the new malware. They called it Kobalos, which is based on a misbehaving creature in Greek Mythology.
The new Kobalos Malware
The security researchers said that Kobalos can be executed on other UNIX platforms such as Solaris, FreeBSD, and more. On the other hand, the new study also revealed that there can be also other variants for Windows operating systems and AIX.
A "Mistral" supercomputer, installed in 2016, at the German Climate Computing Center (DKRZ, or Deutsches Klimarechenzentrum) on June 7, 2017 in Hamburg, Germany. The DKRZ provides HPC (high performance computing) and associated services for climate research institutes in Germany. Its high performance computer and storage systems have been specifically selected with respect to climate and Earth system modeling. With a total of 100,000 processor cores, Mistral has a peak performance of 3.6 PetaFLOPS.
ESET researchers said that after they created a fingerprint for the threat, they found out that Kobalos' victims were servers and supercomputers in the academic and research sector, as well as an endpoint of an undisclosed software security vendor in North America. On the other hand, they claimed that there could also be a large ISP in Asia, hosting providers, and marketing agencies that were compromised.
Although they found the possible victims, the researchers were not able to identify the initial attack vector that allowed the cybercriminals and other hackers to acquire administrative access to execute the new Linux malware.
How Kobalos steals SSH credentials
The new Linux malware was found providing remote access to the file system. It can also spawn terminal sessions. The methods of the new Linux malware allow hackers and cyber attackers to run arbitrary commands.
"On compromised machines whose system administrators were able to investigate further, we discovered that an SSH credential stealer was present in the form of a trojanized OpenSSH client," said the ESET security experts via Bleeping Computer.
"The /usr/bin/sshfile was replaced with a modified executable that recorded username, password, and target hostname, and wrote them to an encrypted file," they added.
They added that the actual credential theft could explain how Kobalos infects and breaches other systems on the same academic or research system.
For more news updates about Kobalos and other new malicious systems and methods, always keep your tabs open here at TechTimes.
Related Article: Experts Claim Russia is Not Alone! Second SolarWinds Chinese Hack Possibly Exploits Different Flaw
This article is owned by TechTimes.
Written by: Giuliano de Leon.
