A botnet has been attacking and gaining access to other web shells (backdoors on web servers) for more than a year, security researchers at Positive Technologies have revealed today.
The researchers linked the botnet to an old trojan with the name Neutrino (also known as Kasidet), whose operators appear to have shifted their targeting from user desktops to web servers, on which they install an encryption malware.
Researchers at Positive Technologies report that this new phase of the Neutrino gang began early in 2018, when the team was able to develop a multifunctional botnet that detected random IP addresses on the Internet by searching for specific applications and servers that could be infected.
To hack other servers, the Neutrino botnet uses various techniques, such as exploits for old and new vulnerabilities, vulnerabilities in phpMyAdmin servers that do not have a password, and brute-force attacks on root accounts on phpMyAdmin, Tomcat and MS-SQL.
Οι ερευνητές αναφέρουν επίσης ότι το Neutrino κάνει περίεργα πράγματα, που δεν παρατηρούνται σε πολλά άλλα botnets. Για παράδειγμα, το συγκεκριμένο Neutrino αναζητά Ethereum nodes που λειτουργούν με προεπιλεγμένους κωδικούς πρόσβασης, συνδέεται με αυτά τα συστήματα και κλέβει archives που είναι αποθηκευμένα τοπικά.
Neutrino as mentioned in the title also focuses on hacking web shells.
Web shells are backdoors that hackers use to perform operations on a compromised machine. They have a web-based interface from which hackers can connect and issue commands through the proletterof their browsing, or a special programmed environment with which they send automated commands.
According to Positive Technologies researchers, Neutrino searches the web for 159 different types of PHP web shells and two JSP (Java Server Pages).
The botnet creates a list of web shells and then launches brute-force attacks to guess login credentials and gain access.
As for Neutrino's success, Positive Technologies reports that the botnet was one of the three largest queries senders to their honeypots.
Based on the company's research, the botnet has proven to be quite successful in infecting Windows servers with phpStudy, an integrated learning environment popular among Chinese developers.
However, it also attacks phpMyAdmin servers.
"To protect servers from Neutrino infection, we recommend that administrators check the password on the phpMyAdmin root account," said Kirill Shipulin, a security researcher at Positive Technologies.
“Make sure your services are up to date and install the latest ones updates. Remember that Neutrino is regularly updated with new exploits.”
Technical details on the Neutrino modus operandi can be found at Publication by Positive Technologies.
_______________________
- Create a new virtual desktop in Windows 10
- How to Remove Spam From Your Wi-Fi
- See the Leonardo da Vinci notebook collection for free
- The Windows Notepad 10 application is now available in the Microsoft Store
.