A Linux backdoor capable of stealing login credentials from secure shell connections has been found on the network of a large unnamed internet hosting provider.
Symantec researchers detected the Fokirtor trojan in June which exposed login credentials.
Breached passwords were hashed and salted but Fokirtor could have provided access to the company's encryption key which secured its internal communications.
“This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,” researchers wrote in a blog post.
They said the trojan injected itself into the organisation's SSH process to extract encrypted commands.
Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.
Symantec Security Response researcher Satnam Narang said the attackers needed the "sophisticated” trojan to conceal their access to the target's network.
“The attackers understood that the target environment was well protected, so they needed to find a means to avoid a potential security review in order to remain hidden,” Narang wrote.
“Therefore, they crafted this stealthy backdoor to camouflage itself within the secure shell (SSH) and other processes."
_(36).jpg&h=140&w=231&c=1&s=0)
_(37).jpg&h=140&w=231&c=1&s=0)
Cyber Resilience Summit
iTnews Executive Retreat - Security Leaders Edition
Huntress + Eftsure Virtual Event -Fighting A New Frontier of Cyber-Fraud: How Leaders Can Work Together
iTnews Cloud Covered Breakfast Summit
Live & Hands On Demo: Navigating the BMC AMI DevX Platform to Understand Code Faster Using AI
.jpg&h=271&w=480&c=1&s=1)
_(1).jpg&h=140&w=231&c=1&s=0)
