Breach, Data Security, Incident Response, Malware, TDR

Linux backdoor planted on company network to monitor traffic, steal data


While investigating the breach of a large internet hosting provider, researchers discovered a Linux backdoor capable of stealing login credentials from secure shell (SSH) connections.

Symantec researchers detected in June that the trojan, dubbed “Fokirtor,” was on the unnamed company's network. The May breach exposed the login credentials of customers, according to a Wednesday blog post by the security firm.

While passwords were hashed and salted by the company, Symantec revealed that by leveraging Fokirtor attackers could have accessed the encryption key that secured the organizations' internal communications.

The Fokirtor trojan targets users running the Linux operating system, an open source platform that is generally known to dispatch speedier patches given its community of tech-savvy users.  

“This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,” the blog post said, later adding that the trojan, instead, injected itself into the organization's SSH process to extract encrypted commands.

Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.

On Friday, Satnam Narang, a researcher on the Symantec Security Response team, told via email that the attackers realized they would need the “sophisticated” trojan to conceal their access to the target's network.

“The attackers understood that the target environment was well protected, so they needed to find a means to avoid a potential security review in order to remain hidden,” Narang wrote. “Therefore, they crafted this stealthy backdoor to camouflage itself within the secure shell (SSH) and other processes."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.