The newly launched Linux botnet is more sophisticated than exploits in the first wave, and signals impending “more nefarious” attacks.
A new Linux botnet named B1txor20 has been detected exploiting the Log4J vulnerability to target Linux systems, infecting the systems of dozens of vendors that have not yet patched them.
The botnet uses the exploit to steal sensitive information, install rootkits, create reverse shells and act as web traffic proxies.
What makes this bot unique is that it was found using DNS tunneling to conceal its communication traffic. Also, the botnet targets not just x64 devices but also those running on ARM processors. This means devices such as mobile phones and equipment that contain embedded IoT products are also vulnerable. As such embedded systems are likely to be much harder to patch and keep up to date, this exploitation campaign could be running for a very long time and cause sleepless nights for a lot of enterprises.
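Because DNS tunneling hides command-and-control traffic inside ordinary lookups, one defensive starting point is to score DNS query logs for the traits tunneled traffic tends to leave: many unique, long, high-entropy subdomains under one registered domain. The example below is added here and is not code from the article or from any analysis of B1txor20; the log lines are constructed, the domain `c2-placeholder.test` is a placeholder, and the "last two labels" registered-domain split and the thresholds are simplifying assumptions a real deployment would tune.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log lines in a BIND-style format (not real traffic).
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A
client 10.0.0.5#51234: query: mail.example.com IN A
client 10.0.0.7#40001: query: 7f3a9c2e1b4d8f6a0e5c3b9d2a1f4e7c.c2-placeholder.test IN TXT
client 10.0.0.7#40002: query: 9b1e4d7a3f2c8e6b0d5a1c4f7e2b9d3a.c2-placeholder.test IN TXT
client 10.0.0.7#40003: query: 2c8e6b0d5a1c4f7e2b9d3a9b1e4d7a3f.c2-placeholder.test IN TXT
client 10.0.0.7#40004: query: 4f7e2b9d3a9b1e4d7a3f2c8e6b0d5a1c.c2-placeholder.test IN TXT
client 10.0.0.5#51235: query: cdn.example.com IN A
"""

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<rtype>\S+)")

def shannon_entropy(s):
    """Bits per character; random-looking encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_domain(name):
    """Assumption: registered domain = last two labels (no public-suffix list)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def score_domains(log_text, min_queries=3, entropy_threshold=3.0, long_label=24):
    """Return {registered_domain: stats} for domains whose queries look tunnel-like."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy": 0.0, "long": 0, "txt": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        dom, sub = split_domain(m.group("name"))
        st = stats[dom]
        st["queries"] += 1
        st["subs"].add(sub)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        st["long"] += any(len(lbl) >= long_label for lbl in sub.split("."))
        st["txt"] += m.group("rtype") == "TXT"
    flagged = {}
    for dom, st in stats.items():
        if st["queries"] < min_queries:
            continue  # too few lookups to judge
        avg_entropy = st["entropy"] / st["queries"]
        unique_ratio = len(st["subs"]) / st["queries"]
        # Flag only when all three tunnel traits co-occur, to keep CDN/cloud noise out.
        if avg_entropy >= entropy_threshold and unique_ratio > 0.9 and st["long"] == st["queries"]:
            flagged[dom] = {"queries": st["queries"], "avg_entropy": round(avg_entropy, 2),
                            "unique_ratio": unique_ratio, "txt_ratio": st["txt"] / st["queries"]}
    return flagged
```

Running `score_domains(SAMPLE_LOG)` flags only `c2-placeholder.test`; the `example.com` lookups stay below every threshold, which is the behaviour to preserve when tuning against a real resolver's logs.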
According to Michael White, Technical Director and Principal Architect, Synopsys Software Integrity Group: “Without software bill-of-materials (SBOM) information for all the network-connected systems, the initial inventory itself will be a massive undertaking. Whilst it is clear Log4j is far from over, we really need to be planning for the next log4j type event, because there will be more. And the answer to that is to get enterprise SBOM initiatives established and to start requiring this information from vendors.”
White noted that, when planning remediation, security experts will sometimes consider whether an exploit is present when assigning a level of urgency to a threat. Exploit authors know this tendency and are gaining sophistication over time. So defenders should no longer use the presence or absence of an existing exploit to determine urgency, but rather how sophisticated exploitation of a particular vulnerability has become in general.
“To me, this looks like a renewed second wave of exploitation. It may even build on from here, and become easier to achieve nefarious outcomes,” White said.