Apache HTTP Server, Exchange Server Exploits Used for Cryptominer, Backdoor Deployment

Organisations were compromised with the custom GhostContainer backdoor through attacks that potentially exploited the high-severity Exchange Server remote code execution vulnerability.

Malicious actors have exploited Apache HTTP Server and Microsoft Exchange Server flaws to facilitate the delivery of the Linuxsys cryptocurrency mining malware and GhostContainer backdoor.

The two campaigns are unrelated. In the first, attackers exploiting the high-severity Apache HTTP Server path traversal vulnerability, tracked as CVE-2021-41773, operated from an Indonesian IP address to deliver a next-stage shell script that retrieved Linuxsys from five legitimate websites, a choice intended to better conceal the illicit activity, according to an analysis from VulnCheck.

Linuxsys was previously spread through the exploitation of the Atlassian Confluence Data Center and Confluence Server template injection bug, tracked as CVE-2023-22527, and the Metabase command injection issue, tracked as CVE-2023-38646, among others.

In the second, Kaspersky reported that Asian government organisations were compromised with the custom GhostContainer backdoor through attacks that potentially exploited the high-severity Exchange Server remote code execution vulnerability, tracked as CVE-2020-0688.

Because GhostContainer can download further modules, malicious actors could achieve total compromise of an Exchange Server, Kaspersky researchers said, as reported by The Hacker News.

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.