Newly identified Xbash malware is targeting weak passwords and unpatched vulnerabilities on Linux and Windows systems to launch ransomware or cryptomining attacks.
Background
Unit 42, Palo Alto Network’s research team, recently blogged about a new malicious software (malware) family it’s calling Xbash. This newly identified malware targets Linux and Windows systems that have weak passwords and unpatched vulnerabilities.
On Linux systems, Xbash will identify and delete MySQL, MongoDB and PostgreSQL databases and then seek ransom payment from victims. On Windows systems, it will initiate cryptomining and self-propagate. Organizations should be aware Xbash has no functionality to restore the deleted databases, so there is no use in paying the ransom.
Vulnerability details
Xbash targets two unpatched vulnerabilities and one patched vulnerability. The first unpatched vulnerability is an unauthenticated command execution vulnerability in Apache Hadoop YARN, which was first discovered in October 2016 but has no CVE. The second unpatched vulnerability is a remote code execution vulnerability in Redis, which was first discovered in November 2015 and also has no CVE. Lastly, the patched vulnerability, CVE-2016-3088, is an arbitrary file write vulnerability in Apache ActiveMQ.
Urgently required actions
To protect against the Xbash malware, we advise organizations to ensure they’re using strong and unique passwords across the board. Because two vulnerabilities remain unpatched, it is important to identify vulnerable assets and ensure they’re protected by an endpoint security product. As there is a patch available for Apache ActiveMQ, organizations should ensure they’re applying patches regularly. Finally, because Xbash targets and deletes databases, organizations should back up databases regularly and segregate them from other systems on the network.
Identifying affected systems
Tenable has plugins available to identify Redis servers. We will update with additional plugins as they become available.
Plugin ID | Description |
Redis Server Unprotected by Password Authentication | |
Redis Server Detection |
Get more information:
- Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
- Cryptocurrency-Mining Malware: 2018’s New Menace?
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.