Ebury Malware Campaign Compromises Over 400,000 Servers, Targets Bitcoin and Ethereum Nodes
Ebury, a notorious server-side malware campaign active since 2009, has compromised over 400,000 Linux, FreeBSD, and OpenBSD servers over the years. More recently, the group has shown a particular interest in Bitcoin and Ethereum nodes, and over 100,000 servers were still compromised as of late 2023.
Ebury's primary targets are hosting providers, with servers compromised for web traffic redirection, spam, and adversary-in-the-middle attacks. The group uses an OpenSSH backdoor and a credential stealer to gain root access and control infected systems. Ebury operators have been known to steal SSH credentials, redirect web traffic, and perform DDoS attacks. In 2017, Ebury operator Maxim Senakh was sentenced to 46 months in prison in the US.
The group's tactics, techniques, and procedures (TTPs) have evolved to include credit card compromise and cryptocurrency theft. Bitcoin and Ethereum nodes have become attractive targets due to their high availability, valuable data, and often lax security practices. Over 200 such nodes were compromised between February 2022 and May 2023. Cybersecurity firm ESET reports that Ebury activity is still growing, with record-breaking levels in 2023. In August alone, over 6,000 compromised servers were recorded.
Ebury's persistent and evolving threats highlight the importance of robust security measures for server administrators. Regular updates, strong authentication, network segmentation, and intensive monitoring are crucial to protect against such campaigns. As Bitcoin and Ethereum nodes continue to be targeted, their operators must remain vigilant and implement appropriate security practices.