Attackers Targeting Linux Infrastructures With Rootkit to Steal SSH Keys
Brian Prince writes on eWeek:
Hackers are launching attacks against Linux-based computing infrastructures using compromised SSH keys and installing rootkits, according to a warning by the U.S. Computer Emergency Readiness Team (US-CERT).
More here.
According to US-CERT, the attack uses stolen SSH keys to access a system, and then local kernel exploits to gain root access. At that point, a rootkit known as phalanx2 is installed.
“Phalanx2 appears to be a derivative of an older rootkit named phalanx,” the US-CERT advisory reads. “Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.”
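The advisory's point is that a key copied off a compromised host is reusable against every other system that trusts it, and it is reusable immediately only if it was stored without a passphrase. The following audit script is an added example, not part of the eWeek article or the US-CERT advisory: it classifies private key files in the two formats OpenSSH writes (legacy PEM, where encryption is flagged by a `Proc-Type: 4,ENCRYPTED` header, and `openssh-key-v1`, where the cipher and KDF names sit at the front of the base64 blob and `none` means no passphrase). The sample key files it checks are constructed inline with dummy key material so the script runs offline; the function and file names are mine.

```python
"""Audit SSH private keys for passphrase protection (standard library only).

A private key stolen from a compromised host is immediately usable by the
thief only if it is stored unencrypted. Classifies the two formats OpenSSH
writes: legacy PEM and openssh-key-v1.
"""
import base64
import os
import struct

PEM_MARKERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)
OPENSSH_MARKER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text):
    """Return 'encrypted', 'unencrypted' or 'unknown' for a key file's contents."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        return "unknown"
    header = lines[0]
    if header in PEM_MARKERS:
        # Legacy PEM: passphrase protection is announced by a header line.
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
        return "encrypted" if encrypted else "unencrypted"
    if header == OPENSSH_MARKER:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "unknown"
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        try:
            # After the magic come the cipher name and the KDF name.
            cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
            kdf, _ = _read_string(blob, off)
        except struct.error:
            return "unknown"
        return "unencrypted" if cipher == b"none" and kdf == b"none" else "encrypted"
    return "unknown"


def audit_files(paths):
    """Classify each readable file; only files that parse as private keys are reported."""
    results = {}
    for path in paths:
        try:
            with open(path, "r", errors="replace") as fh:
                verdict = classify_private_key(fh.read())
        except OSError:
            continue
        if verdict != "unknown":
            results[path] = verdict
    return results


def _openssh_key_file(cipher, kdf):
    """CONSTRUCTED sample: a minimal openssh-key-v1 file carrying the given
    cipher/KDF names. The material after the header is dummy bytes; it only
    exercises the header check above and is not a loadable key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"")
            + struct.pack(">I", 1) + s(b"dummy-public") + s(b"dummy-private"))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_MARKER}\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample inputs; the PEM bodies are truncated dummy base64.
SAMPLE_KEYS = {
    "id_rsa_legacy_plain": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "id_rsa_legacy_enc": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
        "\n"
        "MIIEowIBAAKCAQEA\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "id_ed25519_plain": _openssh_key_file(b"none", b"none"),
    "id_ed25519_enc": _openssh_key_file(b"aes256-ctr", b"bcrypt"),
}


def audit_samples():
    """Classify the constructed samples; 'unencrypted' entries are the ones a
    thief could use straight away."""
    return {name: classify_private_key(text) for name, text in SAMPLE_KEYS.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name}: {verdict}")
    ssh_dir = os.path.expanduser("~/.ssh")
    if os.path.isdir(ssh_dir):
        paths = [os.path.join(ssh_dir, f) for f in os.listdir(ssh_dir)]
        for path, verdict in audit_files(paths).items():
            print(f"{path}: {verdict}")
```

Run it as-is to see the four constructed samples classified, then point `audit_files` at the key directories that matter on a host (service accounts and automation users as well as `~/.ssh`). Any `unencrypted` hit is a key that a phalanx2-style collector could replay without cracking anything; the fix is a passphrase plus an agent, or a per-host key that is scoped on the remote side in `authorized_keys`.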
The attacks could be related to a flaw that was discovered earlier this year in the random number generator in Debian's OpenSSL package. The flaw makes cryptographic material guessable.
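"Guessable" here has a concrete meaning. The Debian OpenSSL change (CVE-2008-0166) removed almost all seeding of the PRNG, so the only entropy reaching key generation was the process ID; with the default Linux `pid_max` of 32768, an affected host could produce at most 32,767 distinct keys per key type and size, and Debian's `ssh-vulnkey` tool detected them by matching fingerprints against precomputed blacklists. The script below is an added example, not from the article or the advisory, and uses a toy hash-based key generator (labelled as such in the code) in place of real RSA/DSA generation so the whole key space can be enumerated in a second; the point it demonstrates, that a PID-seeded generator is fully enumerable and a fingerprint blacklist catches its output, carries over unchanged.

```python
"""Why a PRNG that sees only the process ID yields guessable keys (toy model).

Models the Debian OpenSSL failure mode: the only entropy reaching key
generation is the PID, so for a given key type and size a host can emit at
most PID_MAX distinct keys. A defender enumerates all of them once, records
their fingerprints, and rejects any key that matches.
"""
import hashlib
import os

PID_MAX = 32768  # default Linux pid_max at the time: the entire seed space


def toy_keygen(seed: bytes, bits: int = 2048) -> bytes:
    """TOY stand-in for key generation: a deterministic function of the PRNG
    seed and requested size. Real RSA/DSA generation is likewise fully
    determined by the PRNG output, which is exactly the problem."""
    return hashlib.sha256(b"toy-keygen|" + seed + bits.to_bytes(2, "big")).digest()


def broken_seed(pid: int) -> bytes:
    """The broken PRNG: nothing but the PID feeds the seed."""
    return pid.to_bytes(4, "big")


def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()


def build_blacklist(bits: int = 2048) -> set:
    """Enumerate every key the broken generator can emit for one key size."""
    return {fingerprint(toy_keygen(broken_seed(pid), bits)) for pid in range(1, PID_MAX)}


def generate_on_affected_host(pid: int, bits: int = 2048) -> bytes:
    return toy_keygen(broken_seed(pid), bits)


def generate_on_healthy_host(bits: int = 2048) -> bytes:
    """Same generator fed a properly random seed: not enumerable."""
    return toy_keygen(os.urandom(32), bits)


def is_weak(key: bytes, blacklist: set) -> bool:
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print(f"distinct 2048-bit keys an affected host can produce: {len(bl)}")
    print("affected host, pid 4242, weak:", is_weak(generate_on_affected_host(4242), bl))
    print("healthy host, weak:", is_weak(generate_on_healthy_host(), bl))
```

Two consequences follow for the attack described above. A weak key found in an `authorized_keys` file is usable without stealing anything, so hosts that accepted keys generated on affected Debian or Ubuntu systems were exposed even before a rootkit arrived; and because the blacklist is per key type and size, a detector must be built for each combination actually in use, as the `bits` parameter in the example shows.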