Qubitstrike attacks rootkit Jupyter Linux servers to steal credentials (Security News, October 2023)
Hackers are scanning for internet-exposed Jupyter Notebooks to breach servers and deploy a cocktail of malware consisting of a Linux rootkit, crypto miners, and password-stealing scripts.
In a new campaign called 'Qubitstrike,' the threat actors download malicious payloads to hijack a Linux server for cryptomining and to steal credentials for cloud services, such as AWS and Google Cloud.
Qubitstrike attacks are believed to begin with a manual scan for exposed Jupyter Notebooks, followed by identification of the host's CPU to evaluate its mining potential.
The Qubitstrike scripts also install the open-source Diamorphine rootkit for Linux, which is used to hide the running malicious scripts and malware payloads from the system's operators.
"Diamorphine is well-known in Linux malware circles, with the rootkit being observed in campaigns from TeamTNT and, more recently, Kiss-a-dog," explains the Cado report.
Qubitstrike searches for credentials on the compromised endpoint and sends them back to its operators using the Telegram Bot API. Specifically, the malware iterates through a list of 23 directories that usually host credentials, looking for files named "Credentials," "Cloud," "Kyber-env," and others.