Linux backdoor stole company logins

By

Fokirtor trojan discovered.

A Linux backdoor capable of stealing login credentials from secure shell connections has been found on the network of a large unnamed internet hosting provider.

Linux backdoor stole company logins
Zombie-parade.net

Symantec researchers detected the Fokirtor trojan in June which exposed login credentials.

Breached passwords were hashed and salted but Fokirtor could have provided access to the company's encryption key which secured its internal communications.

“This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,” researchers wrote in a blog post.

They said the trojan injected itself into the organisation's SSH process to extract encrypted commands.

Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.

Symantec Security Response researcher Satnam Narang said the attackers needed the "sophisticated” trojan to conceal their access to the target's network.

“The attackers understood that the target environment was well protected, so they needed to find a means to avoid a potential security review in order to remain hidden,” Narang wrote.

“Therefore, they crafted this stealthy backdoor to camouflage itself within the secure shell (SSH) and other processes."

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Phishing attack nets enormous npm supply chain compromise

Phishing attack nets enormous npm supply chain compromise

Service NSW centralises security, networking in mammoth CloudOps overhaul

Service NSW centralises security, networking in mammoth CloudOps overhaul

VicRoads to phase out passwords in favour of passkeys

VicRoads to phase out passwords in favour of passkeys

Apple adds "mercenary spyware" protection to new A19 chip

Apple adds "mercenary spyware" protection to new A19 chip

Log In

  |  Forgot your password?