A new backdoor for Linux systems has begun spreading and is mainly found on Linux servers in China. The malware, named SpeakUp, was discovered three weeks ago by Check Point security researchers. The researchers say the attackers gain initial access by exploiting a vulnerability in the PHP framework ThinkPHP, CVE-2018-20062. Once SpeakUp is on a vulnerable system, the attackers can use it to modify the local cron configuration for persistence across reboots, run shell commands, execute files downloaded from the remote command-and-control (C&C) server, and update or uninstall itself.
In addition, SpeakUp carries a built-in Python script through which the malware spreads laterally across the local network. The script scans the local network for open ports, brute-forces nearby systems with a predefined list of usernames and passwords, and exploits one of the following seven vulnerabilities to take over unpatched systems:
- CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
- CVE-2010-1871: JBoss Seam Framework remote code execution
- JBoss AS 3/4/5/6: Remote Command Execution
- CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
- CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
- Hadoop YARN ResourceManager: Command Execution
- CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability
Check Point says SpeakUp can run on six different Linux distributions and even on macOS, and the group behind it currently uses the malware to deploy Monero cryptocurrency miners on infected servers; so far it has earned about 107 Monero coins, worth roughly $4,500.
The current infection map shows that SpeakUp victims are concentrated mainly in Asia and South America, with China accounting for the largest share.
According to the researchers, the SpeakUp authors are currently using only the ThinkPHP vulnerability CVE-2018-20062, which allows remote attackers to execute arbitrary PHP code through a crafted filter parameter, but they could easily switch to any other vulnerability and extend the SpeakUp backdoor to a wider range of targets.
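Because the initial access described above rides on ThinkPHP's `filter` parameter, a web server's access log is a natural place to look for attempts. The following detection script is an added example, not code from Check Point or from the SpeakUp analysis: it parses combined-format access log lines and flags requests whose `filter` parameter names a PHP function that runs commands or evaluates code. The function list and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP callables that run OS commands or evaluate code if ThinkPHP applies them
# as a 'filter'. This list is an assumption of the example, not from the report.
EXEC_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen",
              "proc_open", "assert", "eval"}


def suspicious_params(query):
    """Return (param, value) pairs where a filter parameter names a dangerous callable."""
    hits = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        # 'filter', 'filter[]' and 'filter[0]' all feed the same ThinkPHP setting
        if key.split("[", 1)[0].lower() != "filter":
            continue
        for value in values:
            if value.strip().lower() in EXEC_FUNCS:
                hits.append((key, value))
    return hits


def scan_log(lines):
    """Return one finding per request whose query string carries a suspicious filter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of crashing
        hits = suspicious_params(urlsplit(m.group("target")).query)
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("time"),
                             "target": m.group("target"), "hits": hits})
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2019:10:15:01 +0000] "GET /index.php?s=index&filter=htmlspecialchars HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Feb/2019:10:15:07 +0000] "GET /index.php?s=index&filter%5B%5D=system HTTP/1.1" 200 87 "-" "python-requests/2.21.0"',
    '192.0.2.44 - - [02/Feb/2019:10:16:00 +0000] "POST /index.php?s=index&filter=phpinfo HTTP/1.1" 200 1024 "-" "curl/7.64.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['target']} -> {f['hits']}")
```

A 200 response on a flagged request is worth treating as a likely compromise rather than a blocked attempt, since the page notes the exploit executes PHP code server-side.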