Trojan SpeakUp abuses new vulnerability in Linux

Hackers have developed a new backdoor trojan that can run on Linux systems. The malware is called SpeakUp and currently focuses mainly on Linux servers located in China. The hackers behind this series of attacks use the ThinkPHP framework to infect servers.

Once the trojan gets a foothold in one of the vulnerable systems, hackers can use it to change local permissions. This allows them to run shell commands, run files downloaded from a remote C&C server, and install or remove the trojan.

Abusing vulnerabilities

That is according to researchers at Check Point, who discovered the new vulnerability three weeks ago. SpeakUp also features a built-in Python script, which the malware uses to spread itself through the local network. The script searches for open ports, but can also carry out brute-force attacks using predefined lists of usernames and passwords. A list of seven other exploits can be used to further penetrate systems that have not yet been patched. These are the exploits:

  • CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
  • CVE-2010-1871: JBoss Seam Framework remote code execution
  • JBoss AS 3/4/5/6: Remote Command Execution
  • CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
  • CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
  • Hadoop YARN ResourceManager – Command Execution
  • CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution vulnerability

Once SpeakUp has infected new devices, it can also roll itself out to those new systems. Check Point states that SpeakUp can run on six different Linux distributions and even macOS systems. The group behind this trojan tries to install Monero miners on the infected servers. Check Point states that the team behind SpeakUp has so far generated 107 Monero coins, representing $4,500 (€3,940).

There are, however, hardly any infections in the west; most of the devices are located in Asia and in South America.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.