"Kobalos – A Complex Linux Threat to High Performance Computing Infrastructure"
Researchers at ESET have discovered a new form of malware that predominantly targets high-performance computing (HPC) clusters. The malware, dubbed Kobalos, is portable to Linux, BSD and Solaris, and possibly to AIX and Windows. Kobalos is described as a generic backdoor: its commands are broad and do not reveal the operators' intent. The malware grants remote access to the file system, can spawn terminal sessions, and can proxy connections to other servers infected by Kobalos. One way the operators reach a Kobalos-infected machine is by embedding the malware in the OpenSSH server executable; the backdoor code is triggered only when an incoming connection originates from a specific TCP source port. Kobalos is unusual in that the code for running a C&C server is contained in the malware itself, so the operators can turn any compromised server into a C&C server with a single command.

The researchers found that on most Kobalos-infected systems the SSH client is also compromised in order to steal credentials, and stolen credentials are one of the ways the malware propagates to other systems. ESET therefore recommends enabling two-factor authentication on SSH to mitigate the threat. This article continues to discuss the capabilities, targets, propagation, and remediation of the unique multiplatform malware Kobalos.
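The source-port trigger described above gives defenders something to hunt for on the wire: a legitimate SSH client draws a fresh ephemeral source port for every connection, so the same source port turning up repeatedly on flows to port 22, particularly from more than one client address, is worth a look. The script below is an added example and is not code from ESET or from the article; it runs over constructed conntrack-style flow records, and because the article does not name the port Kobalos listens for, it flags any source port reused across SSH connections rather than one specific value (port 41337 in the sample data is a placeholder chosen for the example).

```python
import re
from collections import defaultdict

# Constructed conntrack-style flow records (not real telemetry). Three lines
# reuse source port 41337 toward the SSH port from two different client
# addresses; 41337 is a placeholder for the example, not a port tied to Kobalos.
SAMPLE_FLOWS = """\
[NEW] tcp      6 120 SYN_SENT src=203.0.113.10 dst=198.51.100.5 sport=51482 dport=22
[NEW] tcp      6 120 SYN_SENT src=203.0.113.11 dst=198.51.100.5 sport=60107 dport=22
[NEW] tcp      6 120 SYN_SENT src=198.51.100.77 dst=198.51.100.5 sport=41337 dport=22
[NEW] tcp      6 120 SYN_SENT src=203.0.113.12 dst=198.51.100.5 sport=41337 dport=22
[NEW] tcp      6 120 SYN_SENT src=203.0.113.10 dst=198.51.100.5 sport=45521 dport=443
[NEW] tcp      6 120 SYN_SENT src=198.51.100.77 dst=198.51.100.5 sport=41337 dport=22
"""

# Original-direction tuple of a conntrack event line: src, dst, sport, dport.
FLOW_RE = re.compile(
    r"tcp\s.*?src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)


def parse_flows(text):
    """Yield (src, sport, dst, dport) from conntrack-style lines; skip non-matching lines."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def find_fixed_source_ports(flows, ssh_port=22, min_hits=3):
    """Group inbound SSH flows by client source port and report reused ports.

    Returns {sport: {"hits": n, "clients": [ip, ...]}} for every source port
    seen on at least min_hits connections to ssh_port. Flows to other
    destination ports are ignored.
    """
    by_port = defaultdict(lambda: {"hits": 0, "clients": set()})
    for src, sport, _dst, dport in flows:
        if dport != ssh_port:
            continue
        by_port[sport]["hits"] += 1
        by_port[sport]["clients"].add(src)
    return {
        sport: {"hits": v["hits"], "clients": sorted(v["clients"])}
        for sport, v in by_port.items()
        if v["hits"] >= min_hits
    }


def main():
    hits = find_fixed_source_ports(parse_flows(SAMPLE_FLOWS))
    for sport, info in sorted(hits.items()):
        print(f"source port {sport}: {info['hits']} SSH connections "
              f"from {', '.join(info['clients'])}")


if __name__ == "__main__":
    main()
```

On a real host, feed it `conntrack -E -p tcp --dport 22` output or equivalent firewall logs, and pair a hit with an integrity check of the sshd and ssh binaries against the package manager's recorded hashes (`rpm -V openssh-server openssh-clients` or `dpkg --verify openssh-server openssh-client`), since the article notes both the server and the client are modified on infected systems.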