Linux backdoor stole company logins

Fokirtor trojan discovered.

A Linux backdoor capable of stealing login credentials from secure shell connections has been found on the network of a large unnamed internet hosting provider.

Symantec researchers detected the Fokirtor trojan in June; the trojan exposed login credentials.

Breached passwords were hashed and salted, but Fokirtor could have provided access to the company's encryption key, which secured its internal communications.

“This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,” researchers wrote in a blog post.

They said the trojan injected itself into the organisation's SSH process to extract encrypted commands.

Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.
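The detection angle that follows from the description above: because the backdoor opened no socket and contacted no command-and-control server, egress monitoring would not have flagged it, but a library injected into the SSH daemon is still visible from the host side as an executable mapping in that process that does not come from a trusted library directory (as is any anonymous executable region, which a daemon like sshd has no reason to carry). The script below is an added example written for this page, not Symantec's tooling or anything from the article; the /proc/<pid>/maps sample is constructed, and the list of trusted directories is an assumption a deployment would tailor to its own distribution.

```python
import re

# Constructed sample of a /proc/<pid>/maps file for an sshd process.
# Hypothetical content, not taken from the article. It contains two things a
# defender would want flagged: an executable mapping of a shared object from
# /tmp, and an anonymous region that is both writable and executable.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0b2a000 r-xp 00000000 fd:01 1310 /usr/sbin/sshd
7f3a9e000000-7f3a9e1b8000 r-xp 00000000 fd:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a9e400000-7f3a9e4c3000 r-xp 00000000 fd:01 2310 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a9e600000-7f3a9e602000 r-xp 00000000 fd:01 9901 /tmp/.x/libhook.so
7f3a9e700000-7f3a9e721000 rw-p 00000000 00:00 0
7f3a9e800000-7f3a9e803000 rwxp 00000000 00:00 0
7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0 [stack]
"""

# Assumed set of directories from which sshd is expected to load code.
# Adjust for the distribution in use (this is a placeholder list).
TRUSTED_PREFIXES = (
    "/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/", "/usr/sbin/", "/usr/bin/",
)

# address-range perms offset dev inode [path]; path may be absent.
MAPS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Yield (address_range, perms, path) for every well-formed maps line.

    path is the empty string for anonymous mappings.
    """
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).strip()


def suspicious_mappings(text, trusted=TRUSTED_PREFIXES):
    """Return a sorted list of executable mappings that warrant a look.

    Flags file-backed executable mappings outside the trusted directories and
    anonymous executable regions. Kernel-provided pseudo-mappings such as
    [vdso] and [vsyscall] are skipped because they are executable by design.
    """
    found = set()
    for rng, perms, path in parse_maps(text):
        if "x" not in perms:
            continue
        if path.startswith("["):
            continue
        if not path:
            found.add(f"<anonymous executable mapping {rng}>")
        elif not path.startswith(trusted):
            found.add(path)
    return sorted(found)


def scan_live_process(pid):
    """Run the same check against a real process (needs permission to read its maps)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return suspicious_mappings(fh.read())


if __name__ == "__main__":
    for finding in suspicious_mappings(SAMPLE_MAPS):
        print("suspicious:", finding)
```

On a real host the check would be run over every sshd PID (and any other long-lived daemon), with the trusted prefixes reconciled against the distribution's package manager so that a legitimately installed library in an unusual path is not reported every time; a hit on a mapping under /tmp or an anonymous writable-and-executable region in sshd is the kind of finding that justifies pulling the process memory for analysis rather than trusting the binary on disk.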

Symantec Security Response researcher Satnam Narang said the attackers needed the “sophisticated” trojan to conceal their access to the target's network.

“The attackers understood that the target environment was well protected, so they needed to find a means to avoid a potential security review in order to remain hidden,” Narang wrote.

“Therefore, they crafted this stealthy backdoor to camouflage itself within the secure shell (SSH) and other processes.”

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition