[ALERT] ADVISORY ON DREAMBUS BOTNET

BACKGROUND

DreamBus is a botnet whose malware behaves like a worm: it propagates both across the Internet and laterally through compromised internal networks using a variety of techniques. On infected hosts it installs the XMRig cryptocurrency miner, targeting powerful enterprise-class Linux and Unix systems so that their computing power can be used to mine Monero.

The malware can also spread to systems that are not exposed to the Internet by scanning the non-public RFC 1918 address ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) for vulnerable Linux hosts. Applications the botnet can exploit include PostgreSQL, Redis, Hadoop YARN, Apache Spark and HashiCorp Consul.

IMPACT

  • The propagation modules exploit implicit trust relationships, weak passwords and unauthenticated remote code execution in applications such as Secure Shell (SSH), cloud-based applications and databases, and administration tools.
  • The threat actor could pivot in the future to more destructive activity such as deploying ransomware or stealing an organization's data and holding it hostage.
  • Cryptomining consumes a large amount of CPU time and memory on infected hosts, degrading the performance of the affected systems.

AFFECTED SYSTEM

  • Linux or Unix systems

RECOMMENDATIONS

  • Properly secure all applications, whether they are publicly or only privately (internally) accessible; an internal-only service is still reachable by a worm scanning RFC 1918 address space from an already compromised host.
  • Always use strong passwords to secure Internet-facing services; the botnet's propagation modules specifically target weak credentials.
  • SSH public key authentication can be further strengthened by protecting the private key with a passphrase, so that a copied key file alone is not enough to log in.
  • Deploy network and endpoint monitoring to identify compromises, and watch for systems that engage in brute-force attacks, which are typically very noisy and therefore easy to detect.
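The monitoring recommendation above and the RFC 1918 scanning behavior described in the Background can be turned into two simple detections. The following Python script is an added example written for this advisory; it is not code from the original advisory or from the DreamBus malware. It flags (1) sources generating many SSH "Failed password" events, the noisy brute-force activity mentioned above, and (2) internal hosts that contact an unusually large number of distinct RFC 1918 addresses on the default ports of the services DreamBus targets (Redis 6379, PostgreSQL 5432, Hadoop YARN ResourceManager 8088, Apache Spark 6066/7077, HashiCorp Consul 8500, SSH 22). The port list, the thresholds, the log lines and the flow records are all assumptions constructed for the example; adjust them to your environment.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Default ports of the services DreamBus is reported to target. These are the
# upstream defaults and are an assumption for this example; adjust as needed.
TARGET_PORTS = {
    22: "SSH",
    5432: "PostgreSQL",
    6066: "Apache Spark REST",
    6379: "Redis",
    7077: "Apache Spark master",
    8088: "Hadoop YARN ResourceManager",
    8500: "HashiCorp Consul HTTP",
}

RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip is an IPv4 address in private RFC 1918 space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


# Matches OpenSSH auth log lines for both known and invalid user names.
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2")


def ssh_bruteforce_sources(log_lines, threshold=10):
    """Return {source_ip: (failed_logins, distinct_usernames)} for every source
    with at least `threshold` failed SSH password attempts."""
    fails = Counter()
    users = defaultdict(set)
    for line in log_lines:
        m = SSH_FAIL_RE.search(line)
        if not m:
            continue
        fails[m["src"]] += 1
        users[m["src"]].add(m["user"])
    return {src: (n, len(users[src])) for src, n in fails.items() if n >= threshold}


def internal_scanners(flows, min_targets=5):
    """flows: iterable of (src_ip, dst_ip, dst_port) connection records.
    Return {src_ip: (distinct_targets, [service names])} for internal hosts that
    contacted at least `min_targets` distinct RFC 1918 hosts on targeted ports,
    i.e. the lateral scanning pattern of a worm that has already got a foothold."""
    targets = defaultdict(set)
    services = defaultdict(set)
    for src, dst, dport in flows:
        if dport in TARGET_PORTS and is_rfc1918(src) and is_rfc1918(dst) and src != dst:
            targets[src].add(dst)
            services[src].add(TARGET_PORTS[dport])
    return {src: (len(dsts), sorted(services[src]))
            for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample data (not real logs): 12 failures from 10.0.0.5 across
# 8 usernames, one failure and one success from a legitimate user.
SAMPLE_AUTH_LOG = [
    f"Jan 22 03:14:{i:02d} host1 sshd[2{i:03d}]: Failed password for {u} from 10.0.0.5 port 4{i:04d} ssh2"
    for i, u in enumerate(["root", "root", "admin", "admin", "oracle", "postgres",
                           "hadoop", "root", "test", "user", "guest", "root"])
] + [
    "Jan 22 03:15:01 host1 sshd[2200]: Failed password for alice from 192.168.1.20 port 50001 ssh2",
    "Jan 22 03:15:05 host1 sshd[2201]: Accepted publickey for alice from 192.168.1.20 port 50002 ssh2",
]

# Constructed flow records: 10.0.0.5 sweeps a /24 for Redis, PostgreSQL and
# Consul; 10.0.0.9 is an application server talking to one database.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.1.{n}", 6379) for n in range(1, 9)]
    + [("10.0.0.5", f"10.0.1.{n}", 5432) for n in range(1, 4)]
    + [("10.0.0.5", "10.0.1.3", 8500)]
    + [("10.0.0.9", "10.0.1.3", 5432)] * 20      # legitimate, single target
    + [("10.0.0.9", "8.8.8.8", 53)]               # not a targeted port, not internal
    + [("203.0.113.7", "10.0.0.1", 22)]           # inbound from the Internet, not lateral
)

if __name__ == "__main__":
    print("SSH brute-force sources:", ssh_bruteforce_sources(SAMPLE_AUTH_LOG))
    print("Internal scanners:", internal_scanners(SAMPLE_FLOWS))
```

Run on real data, feed `ssh_bruteforce_sources` the lines of /var/log/auth.log (or the `sshd` journal) and `internal_scanners` a tuple per flow from NetFlow, Zeek conn logs or firewall logs. The second detection is the more valuable one for this threat: a host that suddenly opens connections to dozens of internal addresses on database and cluster-management ports is behaving like the worm, regardless of whether any individual attempt succeeded.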