Researchers from ESET have published a 43-page report analysing the Ebury rootkit and the activity around it. According to the report, Ebury has been in use since 2009 and has compromised more than 400,000 Linux servers, as well as several hundred systems running FreeBSD, OpenBSD, and Solaris. As of the end of 2023, approximately 110,000 servers were still infected. Of particular interest is the finding that Ebury was present during the 2011 attack on Kernel.org, which sheds new light on the compromise of the Linux kernel's development infrastructure.
The ESET researchers also discovered instances of Ebury on the servers of domain registrars, cryptocurrency exchanges, Tor exit nodes, and various hosting providers. The specific names of these hosting providers were not disclosed in the report.
At the time, it was believed that the attackers who compromised Kernel.org had access for about 17 days. ESET's analysis, however, shows that the Ebury backdoor had been present on the servers since 2009, meaning its operators potentially held root access for up to two years before the intrusion was noticed. Phalanx, the rootkit found during the 2011 investigation, and Ebury were deployed in separate intrusions by different threat actors.
During the Kernel.org compromise the attackers obtained /etc/shadow, which holds the password hashes of every local account, including the accounts core developers used to access the Git repositories. The attackers recovered the passwords of 257 users, either by cracking the hashes offline or by capturing the passwords as they were used in SSH sessions on the infected hosts.
Ebury is delivered as a malicious shared library that is loaded into the OpenSSH client and server processes and hooks the functions they use to handle connections. This placement lets it act as a root-level backdoor for remote access and, because it sits inside the SSH code path, harvest the credentials that pass through it, which is why any password or key used on or through an infected host should be treated as compromised. The infected servers, Kernel.org's among them, were operated as part of a botnet used for spam distribution, theft of financial information, web traffic redirection, and other criminal activity.
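One check a practitioner can run against the technique described above, the injection of a shared library into OpenSSH processes, is to compare the executable objects actually mapped into a running sshd or ssh process with the shared objects its binary is linked against. The Python script below is an added example written for this article; it is not code from the ESET report, from the Ebury samples, or from any tool the report describes. The `ldd` output and `/proc/<pid>/maps` text it parses are constructed to look like real output; the paths, inode numbers, addresses and the names `libhook.so.1` and `libdrop.so` are made up for the example.

```python
"""Triage check: which executable objects are mapped into a process that its
binary is not linked against?

Added example for this article, not code from the ESET Ebury report.  The
SAMPLE_* inputs below are constructed; run check_live() for a real process.
"""
import re
import subprocess
from typing import Dict, List, Set

# `ldd` lines come in two shapes: "name => /path (0xaddr)" and "/path (0xaddr)".
_LDD_RESOLVED = re.compile(r"^\s*\S+\s*=>\s*(/\S+)\s*\(0x[0-9a-f]+\)")
_LDD_DIRECT = re.compile(r"^\s*(/\S+)\s*\(0x[0-9a-f]+\)")
# /proc/<pid>/maps: start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>[rwxps-]{4})\s+\S+\s+\S+\s+\d+"
    r"(?:\s+(?P<path>.*))?$"
)


def parse_ldd(text: str) -> Set[str]:
    """Resolved on-disk paths of the shared objects a binary is linked against.
    Pseudo-entries such as linux-vdso, which have no path, are skipped."""
    libs = set()
    for line in text.splitlines():
        m = _LDD_RESOLVED.match(line) or _LDD_DIRECT.match(line)
        if m:
            libs.add(m.group(1))
    return libs


def parse_maps(text: str) -> Dict[str, bool]:
    """{path: deleted} for every file-backed mapping with execute permission.
    The kernel appends ' (deleted)' when the backing file was unlinked after
    being mapped, a common trait of libraries dropped to disk and removed."""
    mapped: Dict[str, bool] = {}
    for line in text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.group("perms"), (m.group("path") or "").strip()
        if "x" not in perms or not path.startswith("/"):
            continue  # non-executable region, or [vdso]/[stack]/anonymous
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        mapped[path] = mapped.get(path, False) or deleted
    return mapped


def unexpected_libraries(maps_text: str, ldd_text: str, binary: str) -> List[str]:
    """Executable mappings that are neither the binary nor one of its linked
    libraries, plus any mapping whose backing file has been deleted.  Every
    hit is a triage lead, not a verdict: PAM, NSS and GSSAPI modules are
    dlopen()ed legitimately, so confirm each path with dpkg -S / rpm -qf."""
    expected = parse_ldd(ldd_text) | {binary}
    findings = []
    for path, deleted in sorted(parse_maps(maps_text).items()):
        if deleted:
            findings.append(f"{path} (backing file deleted)")
        elif path not in expected:
            findings.append(path)
    return findings


def check_live(pid: int, binary: str) -> List[str]:
    """Run the comparison for a live process on this host (Linux only)."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    ldd = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True)
    return unexpected_libraries(maps_text, ldd.stdout, binary)


# Constructed sample input (not real data): what `ldd /usr/sbin/sshd` and
# /proc/<pid>/maps might look like with one injected and one deleted library.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1b7f1000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a6e200000)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1a6e1e0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a6e000000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a6e700000)
"""
SAMPLE_MAPS = """\
55d8c0a00000-55d8c0ac0000 r-xp 00000000 fd:01 131082 /usr/sbin/sshd
7f1a6e000000-7f1a6e1d0000 r-xp 00000000 fd:01 262181 /lib/x86_64-linux-gnu/libc.so.6
7f1a6e1e0000-7f1a6e1f0000 r-xp 00000000 fd:01 262205 /lib/x86_64-linux-gnu/libz.so.1
7f1a6e200000-7f1a6e600000 r-xp 00000000 fd:01 262190 /lib/x86_64-linux-gnu/libcrypto.so.3
7f1a6e620000-7f1a6e630000 r-xp 00000000 fd:01 262301 /lib/x86_64-linux-gnu/security/pam_unix.so
7f1a6e650000-7f1a6e660000 r-xp 00000000 fd:01 393504 /usr/local/lib/libhook.so.1
7f1a6e680000-7f1a6e690000 r-xp 00000000 fd:01 524410 /tmp/.cache/libdrop.so (deleted)
7f1a6e700000-7f1a6e730000 r-xp 00000000 fd:01 262145 /lib64/ld-linux-x86-64.so.2
7f1a6e730000-7f1a6e750000 rw-p 00030000 fd:01 262145 /lib64/ld-linux-x86-64.so.2
7ffd1b7f1000-7ffd1b7f3000 r-xp 00000000 00:00 0 [vdso]
7ffd1b7d0000-7ffd1b7f1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for finding in unexpected_libraries(SAMPLE_MAPS, SAMPLE_LDD, "/usr/sbin/sshd"):
        print(finding)
```

On the constructed sample the script reports `pam_unix.so` (a legitimate dlopen() of a PAM module, to be cleared with the package manager), the deleted `libdrop.so` and the unlinked `libhook.so.1`. Two caveats apply. The check only sees libraries that were added to the process; a trojanised copy installed over a library the binary is legitimately linked against passes it, so also verify file integrity with `dpkg --verify` or `rpm -Va` and, for a host suspected of running a userland rootkit, from trusted boot media rather than from the possibly hooked system.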