Disclaimer: We may earn a commission if you make any purchase by clicking our links. Please see our detailed guide here.

Follow us on:

Google News
Whatsapp

Attacks On Supercomputers – a New Threat That May Turn the World Upside Down

David Balaban
David Balaban
I am a computer security researcher with over 18 years of experience in malware analysis and antivirus software evaluation. I run the Privacy-PC.com and MacSecurity.net projects which present expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking.

Join the Opinion Leaders Network

Join the Techgenyz Opinion Leaders Network today and become part of a vibrant community of change-makers. Together, we can create a brighter future by shaping opinions, driving conversations, and transforming ideas into reality.

ESET researchers have revealed detailed info about a new virus named after the Greek mythology spirit Kobalos. After thorough analysis and data search, ESET stated that Kobalos strikes high-performance computers (HPC) on academic and research networks.

Also, this malware targets web servers with high-functionality clusters and a lot of encrypted information. The malicious code grants remote access to the system as well as creates terminal sessions with other Kobalos-infected servers.

According to the CERN Computer Security Team, the malware, and the techniques it applies in these attacks differ from all known viruses. The main threat to security is the inability of most admins to detect and delete malware due to the obfuscated code. However, after a thorough analysis of Kobalos, cybersecurity experts revealed that it is possible to determine if a system is attacked by Kobalos by connecting to the SSH server using a specific TCP source port.

Stolen Credentials

The /usr/bin/ssh file is being replaced with a modified executable that collects usernames, passwords, and target hostnames, and later writes this data to an encrypted file. Hackers later use stolen credentials to install Kobalos on the targeted servers. To avoid being hacked, admins need to set multi-factor authentication (MFA) for accessing SSH servers.

Kobalos algorithm

Kobalos has a built-in code for launching and setting up a C&C server. The virus is a semi-generic backdoor. It uses special techniques in order not to reveal the hackers or their intentions. Kobalos grants remote access to the system enabling attackers to spawn terminal sessions. The malware also can establish connections via proxy servers to all the infected servers.

Connection methods

Kobalos is integrated into the OpenSSH server executable and launches the malicious code if the connection arrives from a specific TCP port.  But it has and may apply other variations of connectivity not involving the built-in sshd code. The most common tactics used by Kobalos are as follows:

  • Connect to a C&C server that will act as a conductor.
  •  Inbound connection on a given TCP port.

When infected by Kobalos, any server can serve as a Command & Control server and at the same time as a data storage. Even if IPs and proxies are initially hardcoded and encrypted, Kobalos operators can create and generate new C&C servers that use data of newly infected machines.

Sophisticated credential-stealing technique

As was stated by the ESET experts, anyone who uses the SSH client on a compromised machine will have their credentials stolen. This method of stealing personal data is different from any other malicious OpenSSH clients. The hackers gradually get a full database of all people registered.

The sophistication of this method lies in an inability to track the IPs and servers from where the attacks are coming. There is nothing similar to earlier ways of credential stealing. For example, strings are left unencrypted, and stolen usernames and passwords are simply written to a disk file.

Kobalos is written for Linux, but its slightly modified version may infect Mac systems too. Most of its code is created using a single-function coding algorithm, so the virus can perform subtasks and create an interconnected chain-code environment. Additionally, all strings and links are encrypted, which makes it more challenging to cure and delete.

Using the backdoor requires a private 512-bit RSA key and a 32-byte-long password. Once authenticated, RC4 keys are exchanged, and the rest of the communication is encrypted by the agile chain algorithm. Also, it launches connections in a chaotic manner.

How to detect the malware?

On the network level, it is possible to identify the Kobalos malware by separating non-SSH traffic on the port ascribed to an SSH server. Whenever this virus communicates with an operator, no SSH banner exchange occurs, neither from the server nor the client.

Again, it is strongly advised to use multi-factor authentication for connecting to SSH servers. MFA helps mitigate the threat since in most cases this malware uses stolen credentials to propagate to new servers and systems.

Final thoughts

The intentions of Kobalos operators are still a mystery. No other virus strain, except for the SSH private data stealer, was found by system admins on the infected machines. The protocol Kobalos uses is tightly contained in a single functioning code. This virus is really a threat that is hard to detect and kill.

High-performance computers or simply supercomputers should be thoroughly protected. New studies reveal more and more threats that may cause serious problems. Let us hope that researchers will create the right protection from the Kobalos. All your knowledge and comments on the subject are welcome. Secure your data with constant software updates and by using multi-factor authentication.

Join 10,000+ Fellow Readers

Get Techgenyz’s roundup delivered to your inbox curated with the most important for you that keeps you updated about the future tech, mobile, space, gaming, business and more.

Recomended

Partner With Us

Digital advertising offers a way for your business to reach out and make much-needed connections with your audience in a meaningful way. Advertising on Techgenyz will help you build brand awareness, increase website traffic, generate qualified leads, and grow your business.

Power Your Business

Solutions you need to super charge your business and drive growth

More from this topic