Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Linux Security. Show all posts

New Linux Play Ransomware Variant Targets VMware ESXi Systems

 

Attacks with a new Play ransomware variant for Linux have been deployed against VMware ESXi systems, most of which have been aimed at the U.S. and at organizations in the manufacturing, professional services, and construction sectors, according to The Hacker News.

Such a novel Play ransomware version was hosted on an IP address that also contained the WinSCP, PsExec, WinRAR, and NetScan tools, as well as the Coroxy backdoor previously leveraged by the ransomware operation, indicating similar functionality, an analysis from Trend Micro revealed. However, additional examination of the payload showed its utilization of a registered domain generation algorithm to bypass detection, a tactic similarly used by the Prolific Puma threat operation. 

"ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations. The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals," said researchers. Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments.

"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday.

Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023.

Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands. Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.

The cybersecurity firm's analysis of a Linux variant of Play comes from a RAR archive file hosted on an IP address (108.61.142[.]190), which also contains other tools identified as utilized in previous attacks such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

"Though no actual infection has been observed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks," it said. "This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs)."

The ransomware sample, upon execution, ensures that it's running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, and appending them with the extension ".PLAY." A ransom note is then dropped in the root directory.

Further analysis has determined that the Play ransomware group is likely using the services and infrastructure peddled by Prolific Puma, which offers an illicit link-shortening service to other cybercriminals to help them evade detection while distributing malware. Specifically, it employs what's called a registered domain generation algorithm (RDGA)

Unveiling the XZ Utils Backdoor: A Wake-Up Call for Linux Security

 

The recent discovery of a backdoor in the XZ Utils, a vital tool for lossless data compression on Linux, has sent shockwaves through the tech community. This revelation poses a significant risk to nearly all Linux systems, prompting urgent concerns about cybersecurity and system integrity. 

The Common Vulnerabilities and Exposures (CVE) system, a reference for publicly known information-security vulnerabilities, assigned a severity score of 10/10 to the Linux XZ Utils backdoor. This rating underscores the gravity of the situation and underscores the urgent need for action. 

The initial detection of the backdoor was made by Andres Freund, a PostgreSQL developer at Microsoft. Freund noticed unusual SSH login delays and CPU usage spikes on a Debian Linux system, leading to an investigation that uncovered the presence of the backdoor in the XZ Utils. This discovery exposed countless Linux servers and workstations to potential attacks, highlighting the widespread impact of the vulnerability. 

The backdoor was cleverly concealed within binary files in the XZ Utils’ test folder, encrypted using the XZ library itself, making it difficult to detect. While systems running Debian or Red Hat Linux distributions were particularly vulnerable, Arch Linux and Gentoo Linux appeared to be spared due to their unique system architectures. The malware exploited an audit hook in the dynamic linker, a fundamental component of the Linux operating system, enabling attackers to execute code remotely at the system level. 

This capability granted them full control over compromised systems, posing severe risks such as data theft, system disruption, and the deployment of additional malware or ransomware. Further investigations revealed that the breach of the XZ repository was a sophisticated and well-coordinated effort, likely involving multiple individuals. This complexity raises concerns about the extent of the damage and the potential for other undiscovered vulnerabilities. 

The attack's sophistication suggests a deep understanding of the Linux ecosystem and the XZ Utils, highlighting the need for enhanced security measures in open-source software development. Immediate steps, such as updating to patched versions of XZ Utils or reverting to safe earlier versions, are crucial for system security. This incident serves as a wake-up call for the Linux community to reassess its security practices and strengthen defenses against future attacks. 

Rigorous code reviews, increased use of security auditing tools, and fostering transparency and collaboration among developers and security researchers are essential steps to mitigate similar threats in the future. As the tech community grapples with the implications of this backdoor, ongoing research is underway to determine the full extent of the threat. This incident underscores the critical importance of system security and the need for continuous vigilance against evolving cyber threats. Together, we must learn from this experience and work towards building a more secure and resilient Linux ecosystem.

Here's Why Cybercriminals are Targeting Linux Operating Systems

 

Internal strife is common among ransomware gangs. They argue, they fight, and they establish allies only to rapidly break them. Take, for instance, the leak of malware code from Babuk, which was compromised in 2021 by hackers enraged at being duped by the infamous ransomware gang. 

The outcomes of this intramural warfare are frequently fruitful for cybersecurity experts. Ten other ransomware gangs used the code to attack VMware and ESXI servers after that, and a number of versions were produced that researchers have been busy updating ever since. 

However, what made this particular family of malware noteworthy was that it specifically targeted Linux, which has quickly become a favourite of developers working on creating virtual machines for cloud-based computer systems, hosting for live websites, or IoT devices. With an estimated 14 million internet-facing gadgets, 46.5% of the top million websites by traffic, and an astounding 71.8% of IoT devices using Linux on any one day, its use has increased significantly in recent years. 

That's excellent news for advocates of open-source software development, for whom Linux has always served as an illustration of what can be accomplished when coding communities work together without being constrained by anything as odious as a corporate culture or a profit motivation. 

It's also really alarming for some cybersecurity specialists. Not only is there a significant dearth of ongoing research into the security of Linux-based systems in comparison to those based on more mainstream operating systems, but there is also no official, overarching method for patching the vulnerabilities in this OS. Instead, as befits an open-source product, 'flavours' of Linux are patched on an ad hoc basis by developers with time and intellect to spare - a valuable resource in the face of a real tsunami of cybercrime. Attackers are taking note. AtlasVPN discovered over 1.9 million new malware threats last year, representing a 50% rise year on year.

Shifting trend 

It wasn't always like this. Bharat Mistry recalls a time when hackers were more interested in cracking open old Windows computers. "I believe cybercriminals stayed away because they believed the popularity wasn't there," says Trend Micro's technical director for the UK and Ireland. Linux had a reputation for being secure by design, with reduced default access levels and other characteristics designed to hinder the easy spread of malware. "But over the last six years, certainly with cloud usage, it's [usage has] exponentially grown," says Mistry, increasing the amount of possible vulnerabilities. 

According to Mistry, this is largely due to the fact that it offers a cheap and cheerful alternative to the dominant OS brands, with many different flavours of unlicensed Linux accessible. "When you look at things like web servers that are hosted in the cloud, [why] should I pay for a Windows licence?" Mistry asks, speaking from the perspective of a savvy, money-conscious company. A Linux alternative is "as cheap as chips and does exactly what I need it to do." I can install Apache on it... and have the performance I want without the extra cost." 

Unfortunately, if an operating system is designed and maintained according to open source principles, hackers looking to exploit it can simply source it on GitHub and other software forums. Ensar Seker, for one, is concerned about the consequences for the use of virtual machines (VMs) in the cloud. "Virtual machines often lack the same level of security monitoring as physical systems, making it easier for attackers to go undetected for a longer period of time," says the chief information security officer at digital risk protection platform SOCRadar. 

The fact that the vast majority of software on IoT devices is based on Linux should also be cause for concern, according to the researcher, especially considering the rate of development expected for the smart device market over the next decade. More concerningly, Mistry continues, "we're seeing Linux being used more and more in critical systems," owing to how easy it is to branch and customise variants of the OS to suit particular jobs compared to its mainstream counterparts.

Given hackers' access to the source code of the operating system, malware designed to break open-source versions of these systems is frequently created to a higher standard than its Windows-targeting counterparts. It's also popular among a wide range of cybercriminal gangs. Tilted Temple, a Chinese cyber group, has utilised Linux-based malware to infiltrate important national infrastructure on three continents. 

Major players in the cybercriminal underworld, such as Black Basta, Lockbit, and Hive, have all been identified as deploying targeted Linux-chomping malware to breach online infrastructure. Another such gang, RTM, has been found on dark web forums as trading in harmful, Linux-targeting software. 

It's unclear how prepared cybersecurity providers are for this new threat. After all, until recently, these companies spent far more time fixing vulnerabilities in more widespread operating systems. Far fewer have investigated how vulnerable Linux systems can be to hacking - a squandered opportunity, according to Mistry. "Everyone's been so focused on Windows over the last few years because it's been the predominant operating system that all enterprises use," he explains. "But, in the background, Linux has always been there." 

Future threats 

Mistry does not believe the current wave of Linux attacks will abate anytime soon. He feels it will be some time before consumers and developers become aware of the risks and alter their behaviours. "The vulnerabilities in Linux platforms are massive," Mistry adds. "No one is actively controlling the vulnerabilities and patching them on a daily basis." 

Does this imply that its open-source framework contributes directly to Linux's lack of security? Certainly less, says Mistry. "You've got the openness, you've got the mass flexibility - the problem is when it comes to support," explains Mistry. 

Organisations developing new software on Linux should educate themselves on the trade-offs involved in adopting the operating system. The communities of developers modifying and patching this or that variant of Linux have "got people who will do things, but there's no kind of set body to say, 'This is the kind of direction we're going [in.]," adds Mistry, let alone any built-in regime mandating security standards. As a result, firms would be advised, according to the TrendMicro researcher, to install their own regime or create a viable audit trail for products built on some of the more unusual varieties of Linux. 

So, are the days of Linux as a popular OS alternative numbered? Probably not in the short term, and many cybersecurity vendors are becoming aware of the threat posed by Linux-based systems, according to Mistry. Nonetheless, according to Seker, each new security event involving Linux-targeting malware only serves to erode its reputation as an economical, secure, and open-source alternative to the monolithic Windows and iOS. "Even a single high-profile incident can quickly change a perception if the security community does not respond to threats promptly and effectively," he says.

Inherent Vulnerability in Linux Puts Russian OS at Risk

 

The vulnerability found in all distributions of the Linux operating system also puts at risk Russian OS based on it, which are used in banks, enterprises, and government agencies. Developers of Russian OS on Linux have already begun to publish updates that close the security gap. But the problem may not be an isolated one, since few people have been engaged in comprehensive research of the Linux source code. 
The vulnerability, called PwnKit, was discovered by the American company Qualys. Experts pointed out that the breach allows attackers to easily obtain administrator rights. The vulnerability is present in the pkexec component. The researchers claim that the vulnerability is installed by default on all Linux distributions and has existed in the pkexec component (graphical interface) since its creation, that is, almost 13 years. 

Kaspersky Lab researcher Boris Larin confirmed that the vulnerability also affected some Russian Linux distributions. The Russian developer RED SOFT, which produces the Russian Red OS based on Linux, acknowledged that the system uses a potentially unsafe module, but noted that the company regularly tests the system and has already released an update. 

It should be noted that administrator rights give unlimited opportunities to attackers, and most likely, within a year, this vulnerability will become the main tool for attacking devices running Linux. "Banks, industrial enterprises, and the public sector can be targeted," said Alexey Malynev, head of the Jet Infosystem Incident Monitoring and Response Center. 

Exploits that allow exploiting the vulnerability appeared a few hours after the information about the problem appeared. Developers have already started releasing security updates to close the gap. 

The revealed vulnerability demonstrates one of the important shortcomings of open source systems. "It seems that it is available, and everyone can check it, but in fact, few people do it, so no one has noticed the vulnerability for years," noted Pavel Korostelev, head of the Security Code product promotion department. 

Dmitry Derzhavin, head of CPI development, emphasizes that modern operating systems are millions of lines of code. "It so happened that no one has looked into this particular line until now, and there is no excuse for this oversight."

Undetected malware attacks Linux systems

A new sophisticated, unique Linux malware dubbed HiddenWasp used in targeted attacks against victim’s who are already under attack or gone through a heavy reconnaissance.

The malware is highly sophisticated and went undetected; the malware is still active and has a zero detection rate. The malware adopted a massive amount of codes from publically available malware such as Mirai and the Azazel rootkit.

Unlike Windows malware, Linux malware authors won’t concentrate much with evasion techniques, as the trend of using Anti-Virus solutions in Linux machine is very less when compared to other platforms.

However, the Intezer report shows “malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilizes strong evasion techniques and can be easily adapted by attackers.” In the past, we saw many malware focussed on crypto-mining or DDoS activity, but the HiddenWasp is purely a targeted remote control attack.

The malware is composed of a user-mode rootkit, a trojan, and an initial deployment script. Researchers spotted the files went undetected in VirusTotal and the malware hosted in servers of a hosting company ThinkDream located in Hong Kong.

While analyzing scripts, Intezer spotted a user named ‘sftp’ and hardcodes, which can be used for initial compromise and also the scripts has variable to clear the older versions from the compromised systems.

The scripts also include variables to determine server architecture of the compromised system and download components from the malicious server based on the compromised server architecture. Once the components installed, the trojan will get executed on the system.

“Within this script, we were able to observe that the main implants were downloaded in the form of tarballs. As previously mentioned, each tarball contains the main trojan, the rootkit, and a deployment script for x86 and x86_64 builds accordingly.”

Unpatched Linux Kernel Vulnerabilities Could Be Exploited For Local Dos




As of late two denial-of-service (DoS) vulnerabilities evaluated as ones with Medium severity, affected the Linux kernel 4.19.2 in addition to its previous versions. The two defects are NULL pointer deference issues that can be misused by even a local attacker if he or she wishes to trigger a DoS condition.

Tracked as CVE-2018-19406, the primary issue was observed to dwell in a Linux kernel function called kvm_pv_send_ipi, which is characterized in curve/x86/kvm/lapic.c. The defect is activated when the Advanced Programmable Interrupt Controller (APIC) delineate is not initialized correctly.
To abuse the security defect, a local attacker can utilize the already 'crafted' system calls to achieve a circumstance where the apic delineate remains uninitialized.

In a published blog post the Linux contributor Wanpeng Li reports:
“The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map is dereferenced”

The second vulnerability, which has been doled out the CVE number CVE-2018-19407, impacts the vcpu_scan_ioapic function that is characterized in curve/x86/kvm/x86.c. The bug is activated when I/O Advanced Programmable Interrupt Controller (I/O APIC) does not instate effectively.

Further adds the security advisor “the vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.”

“The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed,” reads the analysis published by Wanpeng Li.

Albeit informal patches for the two blemishes were discharged in the informal Linux Kernel Mailing List (LKML) archive, however despite everything they haven't been pushed upstream.

Bug in GnuTLS allows hackers to run malicious code in Your Linux

Another major security vulnerability has been discovered in the popular cryptographic Library 'GnuTLS' that leaves Linux vulnerable to remote code execution.

GNUTLS is a free library implementing Secure Socket Layer(SSL), Transport Layer Security (TLS) and Datagram Transport Layer Security(DTLS) protocols which are used to offer secure communications.
 
"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake." an entry posted on the Red Hat Bug Tracker reads.

Flaw: The read_server_hello function checks only whether the length of the Session ID does not exceed incoming packet size but it fails to ensure it doesn't exceed maximum length of Session ID.

A malicious server could exploit this vulnerability by sending a very long Session ID value and run a malicious code in "a connecting TLS/SSL client using GnuTLS".

In March, a different vulnerability was patched in GnuTLS Library that could have allowed attackers "to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker"

I've updated my Linux, Did you?

Update your Ubuntu 12.10 to fix the Linux Kernel vulnerabilities


Canonical on May 2 released security advisory to fix ten Linux kernel vulnerabilities that affect the Ubuntu 12.10 version. 

The list of vulnerabilities include Information leak in the Linux kernel's UDFfile system implementation ((CVE-2012-6548), Information leak in the Linux kernel's ISO9660 CDROM file system driver(CVE-2012-6549), Integer overflow in the Direct Rendering Manager (DRM), subsystem for the i915 video driver in the Linux kernel(CVE-2013-0913), Denial of service flaw in guest OS time updates in the Linuxkernel's KVM((CVE-2013-1796)).

Other vulnerabilities are Use after free error in guest OS time updates in the Linux kernel;s KVM (CVE-2013-1797), Flaw in the way KVM emulated the IOAPIC (CVE-2013-1798), Escalate privileges vulnerability in the Linux kernel's ext3 filesystem(CVE-2013-1848) , Buffer overflow was discovered in the Linux Kernel's USB subsystem for devices reporting the cdc-wdm class (CVE-2013-1860), information leak in the Linux kernel's dcb netlink interface (CVE-2013-2634) ,kernel stack information leak in the RTNETLINK component(CVE-2013-2635).

To patch these vulnerabilities, Ubuntu users are urged to update your system to the following package version: linux-image-3.5.0-28-generic 3.5.0-28.48 .

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.