Roboto Botnet Targets Servers Running Webmin by Exploiting CVE-2019-15107

A new botnet is being spread among Linux-based servers running the system configuration tool Webmin. Dubbed as Roboto by Qihoo 360’s Netlab team, who tracked the botnet over a three-month period, it exploits CVE-2019-15107, a remote code execution vulnerability that could potentially allow an attacker to execute malicious commands with root privileges. Although this bug has since been patched by Webmin developers starting with version 1.930 (released on August 17, 2019), servers running versions 1.882 to 1.921 are at risk of being infected by the Roboto botnet.

Numerous features, spreads via peer-to-peer connections

According to Netlab’s analysis, Roboto comes with multiple capabilities: distributed denial-of-service (DDoS); reverse shell functionalities; collection of system and network information; execution of system commands; running encrypted files downloaded from a command-and-control (C&C) server; uploading data to the C&C server; uninstalling itself. It also uses a number of algorithms for securing its components and its peer-to-peer (p2p) network. In addition, the researchers mentioned that it is likely that the botnet comes with vulnerability scanning and control modules.

Despite Roboto being able to perform four different types of DDoS attacks (ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood), the researchers were unable to find any trace of an actual DDoS attempt occurring. It is possible that the threat actors behind the botnet are concentrating on growing it in size before attempting an attack.

An interesting aspect of Roboto is that it does not use a centralized method for spreading itself to other machines by receiving commands directly from its C&C server. Instead, it uses a p2p system in which commands are sent directly from one machine to another.

Recommendations and Trend Micro solutions

Organizations running the affected Webmin versions should update their apps to the latest iteration (1.930 at the time of writing) that contains a fix for CVE-2019-15107. Given the prevalence of malware variants that exploit vulnerabilities, it is highly recommended that companies update their software and systems to the latest versions to minimize the chances of their own machines being infected.

Given the popularity of tools like Webmin in software development, organizations are also encouraged to strengthen their overall security by using technology such as Trend Micro DevOps security solutions, which bake security into the development process, allowing for more efficient development cycles while minimizing human touch points and errors.  

Businesses can also consider the Trend Micro™ Deep Discovery™ solution, which  provides detection, in-depth analysis, and proactive response to attacks that use exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect attacks even without any engine or pattern update. 

It also includes the Trend Micro Deep Discovery Inspector, which protects customers from attacks that exploit CVE-2019-15107 via the following DDI rule:

  • 4204: CVE-2019-15107 WEBMIN RCE Exploit - HTTP (Request)

The Trend Micro Deep Security™ solution also protects systems and users from threats targeting CVE-2019-15107 via the following Deep Packet Inspection (DPI) rule:

  • 1010043-Webmin Unauthenticated Remote Code Execution Vulnerability (CVE-2019-15107)

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.