Security researchers at Palo Alto Networks have discovered a new malware family, XBash, that targets both Windows and Linux hosts and combines several capabilities in one package: ransomware, data destruction, cryptocurrency mining, and botnet functionality.
XBash treats Linux and Windows systems differently. On Linux it operates as ransomware and a botnet. Whether "ransomware" is the right label is questionable: it looks like and smells like ransomware, but to date there is no evidence that paying the ransom has ever resulted in restored, decrypted data. It appears instead to be destructive malware dressed up to look like ransomware, much like NotPetya. The malware contains built-in logic to identify and delete databases, including MongoDB, MySQL, and PostgreSQL; a database that has been deleted rather than encrypted leaves nothing for a decryption key to unlock, which is why paying is unlikely to help.
On Windows, XBash functions as cryptocurrency-mining malware and is built for self-propagation; however, the versions seen in operation do not appear to have the internal-network self-propagation and persistence mechanisms switched on. Should that capability become active, the effects on corporate or government enterprises could be far more devastating.
XBash infections begin with routine network scanning for any of a number of known, unpatched vulnerabilities. It does not appear to exploit any zero-day vulnerabilities, nor does it spread via phishing or web exploits. Alongside vulnerability exploitation it relies on brute force: when a scan finds an open port running a service it recognises, it attempts to log in with a dictionary of common, weak usernames and passwords.
Limiting Compromise Likelihood
The techniques it uses to infect victims are nothing innovative. While we can expect propagation to expand in future to phishing and web exploitation, protections against the current scanning and brute-force methods are fairly simple to implement. We recommend the following practices:
- Patch and update your systems at least monthly, and prioritise internet-facing services, since those are what the scans find first.
- Enforce strong and unique passwords: either 8-12 characters with complexity requirements, or 15 or more characters with no complexity requirements. This writer prefers length over complexity.
- Require password changes, and in particular rotate any credential immediately once brute-force attempts against it are observed or a compromise is suspected.
- Employ security monitoring and detection, with particular attention to port-scanning activity and bursts of failed logins, since both precede an XBash infection.
- Close unnecessary ports on internet-facing devices, and do not expose database services such as MongoDB, MySQL, and PostgreSQL directly to the internet.
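The infection chain described above (scan, then a dictionary attack against whatever service answers) is visible in ordinary authentication logs well before any database is deleted, and the monitoring recommendation above is only useful if something actually looks for that pattern. The following is an added example written for this advisory, not Security On-Demand's or Palo Alto Networks' code. It runs a sliding-window detector over constructed sshd and mysqld log lines (the line formats mimic common defaults, but the lines themselves are invented for the example), raises a "bruteforce" alert when one source accumulates several failures within a short window, and raises a higher-severity "success_after_bruteforce" alert when a login from that source succeeds while the burst is still in the window, which is the moment a weak password has actually been guessed. The window size and failure threshold are assumptions to tune per environment.

```python
"""Detect the scan-then-dictionary-attack pattern that precedes an XBash
infection, using constructed log lines.

Added example for this advisory; it is not Security On-Demand or Palo Alto
Networks code. The sshd and mysqld line formats mimic common defaults, but
the lines themselves are constructed, and the window and threshold values
are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed sample log lines (not from a real incident). One source hammers
# sshd and mysqld with a short list of common usernames and then gets in; a
# legitimate user mistypes a password once and logs in ten minutes later.
SAMPLE_LOGS = """\
2018-09-17T10:00:01 sshd[2011]: Failed password for root from 198.51.100.7 port 40211 ssh2
2018-09-17T10:00:02 sshd[2012]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
2018-09-17T10:00:03 sshd[2013]: Failed password for invalid user test from 198.51.100.7 port 40213 ssh2
2018-09-17T10:00:04 sshd[2014]: Failed password for root from 198.51.100.7 port 40214 ssh2
2018-09-17T10:00:05 sshd[2015]: Failed password for invalid user oracle from 198.51.100.7 port 40215 ssh2
2018-09-17T10:00:06 sshd[2016]: Failed password for root from 198.51.100.7 port 40216 ssh2
2018-09-17T10:00:07 mysqld: [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2018-09-17T10:00:08 mysqld: [Warning] Access denied for user 'admin'@'198.51.100.7' (using password: YES)
2018-09-17T10:00:09 sshd[2017]: Accepted password for root from 198.51.100.7 port 40217 ssh2
2018-09-17T10:05:00 sshd[2020]: Failed password for alice from 192.0.2.25 port 50001 ssh2
2018-09-17T10:15:00 sshd[2021]: Accepted password for alice from 192.0.2.25 port 50002 ssh2
"""


class Event(NamedTuple):
    ts: datetime
    service: str
    src: str
    user: str
    success: bool


SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
MYSQL_RE = re.compile(
    r"^(?P<ts>\S+) mysqld: \[Warning\] Access denied for user "
    r"'(?P<user>[^']+)'@'(?P<src>[^']+)'"
)


def parse(line: str) -> Optional[Event]:
    """Turn one log line into an Event, or None if it is not an auth record."""
    m = SSH_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "ssh", m["src"],
                     m["user"], m["result"] == "Accepted")
    m = MYSQL_RE.match(line)
    if m:
        # The MySQL error log only carries the denials; successes are not here.
        return Event(datetime.fromisoformat(m["ts"]), "mysql", m["src"],
                     m["user"], False)
    return None


def _alert(kind: str, e: Event, recent: List[Event]) -> dict:
    return {
        "kind": kind,
        "src": e.src,
        "service": e.service,
        "user": e.user,
        "failures": len(recent),
        # Many distinct usernames from one source is the dictionary-attack
        # signature; one user failing repeatedly is more often a typo or a
        # broken script.
        "distinct_users": len({f.user for f in recent}),
        "at": e.ts.isoformat(),
    }


def detect(lines, window=timedelta(seconds=60), threshold=5) -> List[dict]:
    """Sliding-window brute-force detector over parsed auth events.

    Emits one "bruteforce" alert the first time a source accumulates
    `threshold` failures (across all services) within `window`, and a
    "success_after_bruteforce" alert whenever a login from that source
    succeeds while such a burst is still inside the window.
    """
    events = [e for e in map(parse, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    recent_failures = defaultdict(list)   # src -> failures still in window
    already_flagged = set()
    alerts = []
    for e in events:
        recent = [f for f in recent_failures[e.src] if e.ts - f.ts <= window]
        if e.success:
            if len(recent) >= threshold:
                alerts.append(_alert("success_after_bruteforce", e, recent))
        else:
            recent.append(e)
            if len(recent) >= threshold and e.src not in already_flagged:
                already_flagged.add(e.src)
                alerts.append(_alert("bruteforce", e, recent))
        recent_failures[e.src] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed input this yields two alerts for 198.51.100.7 (a "bruteforce" after the fifth failure, then "success_after_bruteforce" once root logs in with eight failures against four different usernames still in the window) and nothing for 192.0.2.25, whose single failure has aged out of the window by the time the legitimate login arrives. Failures are pooled per source across services deliberately, because XBash tries whichever services it finds open; a per-service count would let a source stay under threshold on each of sshd and MySQL while clearly brute-forcing the host as a whole.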
The two most dangerous functions of XBash are the destructive, ransomware-like function and the not-yet-active internal network propagation. Before a compromise occurs we recommend the following:
- Back up your data to a location or network segment that is isolated from the operational network, so that malware on a production host cannot reach the backups.
- Test and practice your disaster recovery processes to ensure that, should you be infected with ransomware or this destructive malware, you can restore data in a timely manner.
- Patch your entire internal network, not just perimeter devices and endpoints; this limits internal spread of the malware should its propagation capability be switched on.
- Segment your network with appropriate controls between segments, so that any spread is confined to the local network segment.
Mitigating Successful Compromise
- Have a robust incident response (IR) plan in place and activate it. Decide in advance whether paying the ransom is a risk worth taking; in this case, with no evidence of any data ever being restored, it likely is not.
- Remove infected devices from the network, then wipe them and restore from known-good backups to the extent possible.
Security On-Demand Actions:
Here at Security On-Demand we are actively gathering indicators and signatures tied to this malware. At the time of publication there is little to nothing available; as indicators are discovered, ThreatWatch will be updated. Additionally, our scan-surveillance capability identifies the various stages of scanning, and we are increasing our focus on that service to identify any indications that an attack is imminent.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.