DreamBus Botnet Infecting Enterprise Applications on Linux Servers
At its core, a botnet is a network of computers that have been hijacked from their users and infected with malware. The hackers can control it remotely from anywhere in the world. Afterwards, they can use the network to send out spam and launch DDoS (distributed denial of service) attacks. What’s worse, the bot network may be rented out to other cyber criminals with nefarious intentions, which is a big part of why someone will go through so much effort to build one.
Linux servers are infected at a higher rate, as cybercriminals hack into them and add them to a botnet. A notable example of this is DreamBus, a variant of an older botnet named SystemdMiner that first debuted all the way back in early 2019.
What is DreamBus?
The DreamBus botnet is notable because it targets enterprise-level applications that run exclusively on Linux systems. This includes a wide range of different apps that you may be familiar with, including but not limited to ones like PostgreSQL, Hadoop YARN, Apache Spark, SaltStack and even the SSH service itself.
Depending on the situation, some of these apps may be targeted with straightforward brute force attacks against their default security credentials. Others are hit with malicious commands that expose API endpoints. Others are “tinkered” with as a hacker looks to gain access to a system via exploits and older vulnerabilities.
Regardless, once those target machines become compromised, the end point is clear: DreamBus later downloads and installs an app that mines the cryptocurrency Monero (XMR) using the machines, thus generating an enormous amount of profit for the hackers that control them.
Of course, once infected, a machine is then also used to launch additional brute force attacks against other targets.
What You Need to Know About the DreamBus Botnet
Security researchers are warning people about the severity of the DreamBus botnet. As of today, it delivers a cryptocurrency miner to infected computers. But based on the type of foundation and structure it is working from, DreamBus operators can use it to distribute far more dangerous payloads down the road – with ransomware being a prime example of that.
Thankfully, there are a number of relatively straightforward steps that organizations can take today to help make sure that they don’t become ensnared in the DreamBus botnet tomorrow. Secure all applications in the enterprise, both those that are publicly accessible and those that are only privately accessible. Strong passwords that are a long combination of numbers, letters and special characters are a must – if employees find these types of passwords too challenging to work with, a password manager should be employed.
Likewise, security experts recommend strengthening SSH public key authentication by requiring that all users employ a separate password to decrypt the private key. Along the same lines, organizations of all types should deploy not only network monitoring systems, but endpoint monitoring systems as well. This will go a long way towards identifying the types of compromises that could lead to becoming entrapped in the DreamBus botnet.
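One way to audit the SSH recommendation above is to check which private key files are stored without a passphrase. The Python below is an added example, not part of the original article: the function names are hypothetical, the sample keys are constructed header-only stubs with no key material, and it covers the OpenSSH, PKCS#8 and legacy PEM key formats.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"  # start of the decoded OpenSSH private key blob
ARMOR = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)


def key_protection(pem_text):
    """Classify one private key file as 'encrypted', 'unencrypted' or 'unknown'."""
    m = ARMOR.search(pem_text)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return "encrypted"
    if label == "PRIVATE KEY":  # PKCS#8 without encryption
        return "unencrypted"
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:
            return "unknown"
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            return "unknown"
        # After the magic comes a length-prefixed cipher name; "none" = no passphrase.
        (n,) = struct.unpack_from(">I", blob, off)
        cipher = blob[off + 4 : off + 4 + n]
        if n == 0 or len(cipher) != n:
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC) marks encryption in a Proc-Type header.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "unencrypted"


def sample_openssh(cipher):
    """Constructed header-only sample (no key material) for demonstration."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(b"none" if cipher == b"none" else b"bcrypt")
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def unprotected(keys):
    """Return the names of keys (name -> file text) that need a passphrase."""
    return sorted(n for n, text in keys.items() if key_protection(text) == "unencrypted")
```

To run it against real files, pass a mapping of file path to file contents to `unprotected()`; every key it lists should be given a passphrase or be replaced.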