A resurgent cybercriminal group has resumed activity after an absence of nearly two years, armed with a new bot-driven tool that self-multiplies – potentially putting thousands of computer servers across Europe at risk.
The Outlaw Hacking Group – thought to have gone dark in 2020 after debuting two years – was detected by Israeli cybersecurity firm CYE, which revealed the details to cybernews.
CYE conducted digital forensics on a client company’s computers in February, identifying a two-pronged vector using malicious software that simultaneously launches SSH brute force attacks on servers while hijacking them for crypto mining purposes. The last IP identified by CYE to have been used as a platform for the attack launch was 220.127.116.11 – officially recognized as malicious by digital watchdog VirusTotal.
“We realised that it was the Outlaw group because it was using the same TTPs [tactics, techniques, and procedures],” said Eli Smajda, cybersecurity analyst at CYE. “What they do normally is attack servers around the world – especially in Europe.”
Although the gang’s TTPs remained essentially unchanged, it appears to have upgraded its toolkit to better evade antiviral and other security software. But the worst aspect of Outlaw’s resurgence is the hybrid approach it now appears to be taking, a dangerous combination of human and bot-driven attack vectors.
“When we realised it was the Outlaw group we started to research them,” said Smajdi. “The last time they were seen was in 2020, but what was even more interesting was that none of the tools we found were familiar.”
“Beside the crypto mining and SSH attacks, they also installed the Linux rootkit XORDDOS, which knows how to launch large-scale DDOS attacks and can do other things like steal information,” said Smajda. “They’ve changed the way they behave – we saw them trying to attack thousands of targets across Europe.”
He clarified that a cursory examination of infected IPs revealed many that were indexed to European companies. Moreover, Outlaw has developed some kind of mechanism that deletes and downloads files before moving on to target further protocols, essentially making it a self-multiplying attack vector.
“It keeps on going, and I don’t know if it stops or where it stops – but it looks like it’s always feeding itself with new IPs and trying to attack as much as it can,” said Smajda. “So what we can conclude from that is we just saw the beginning of the comeback of Outlaw – and it’s attacking Europe.”
He added that CYE had acted quickly enough to save its client, but he warned that the Outlaw group had probably launched successful attacks of the same type elsewhere. “It’s not targeting a specific server because it’s always trying to spread out,” he said.
Smajdi said he believed the attack was probably being manually coordinated by members of the Outlaw group, but that it was also employing bots to self-multiply.
“It looks like it’s semi-automatic, but I think there is a lot of manual operation. The IPs are not just random, they have been pre-selected. [The attackers] know what they are doing.”
He added: “I thought, in the beginning, it was just bots talking to each other, but you can see that the attacker did things on the server like creating and running batch files, so it’s not [fully] automated.”
Smajdi stressed that one key vulnerability the Outlaw Hacker Group will seek to exploit are Linux servers, which he claimed had long been overrated in terms of security. His client had benefited from having about 70% of its otherwise vulnerable Linux servers protected with a specially adapted version of Microsoft Defender software.
How to stay safe
To forestall any attacks, businesses in Europe using Linux servers should install the software and disable login using name and password credentials, allowing access only via SSH keys to prevent root login from outside company networks.
He added the Outlaws were using “cron jobs” – legitimate programs used to schedule digital tasks on a computer – to install malicious SSH keys of their own on targeted files, allowing unauthorized access to password-protected computers. As such, he urged businesses to closely monitor any changes to their scheduled computer commands, block SSH management from the internet, and allow outgoing connections from servers only to approved IP addresses.
Smajdi stressed that although the Outlaws originally focused on businesses working in the automotive and financial industries when it was first spotted by data security firm TrendMicro in 2018, its new method of attack meant that potentially any business was now at risk.
“I don’t think it’s about a particular business or sector,” he said. “It’s all over – if you are vulnerable, you will be affected.”
More from Cybernews:
Subscribe to our newsletter