Bootkitty: The Game-Changing Malware Targeting Linux Systems

This malware, named Bootkitty, introduces a new method of attacking Linux, which has traditionally been considered safer from such stealthy threats compared to Windows. Bootkits are highly dangerous because they infect a computer’s boot process, loading before the operating system starts. This allows them to take deep control of a system while avoiding detection by traditional security tools.

Bootkitty specifically targets certain versions of Ubuntu Linux by bypassing critical security checks during system boot.   

How Bootkitty Works

ESET discovered Bootkitty in November 2024 when a suspicious file, bootkit.efi, was uploaded to VirusTotal. The malware uses advanced techniques to bypass kernel signature verification and inject malicious components during the system boot process.   

It relies on a self-signed certificate, meaning it won’t function on systems with Secure Boot enabled. The malware hooks into UEFI security protocols and GRUB bootloader functions, disabling key security checks and loading malicious modules into the Linux kernel. Bootkitty also forces a malicious library to load into system processes upon startup.

However, the malware is not without flaws. It only works on specific GRUB and kernel versions, which limits its effectiveness, and it can cause system crashes due to compatibility issues.

During their investigation, researchers also found another suspicious file, BCDropper, likely associated with Bootkitty. BCDropper installs a rootkit named BCObserver, which provides stealthy control by hiding files, processes, and open ports on the infected system.   

Growing Threat to Linux

Although Bootkitty is not yet fully developed or actively deployed in real-world attacks, its discovery is concerning. It signals that cybercriminals are increasingly targeting Linux as more businesses rely on it for critical operations.  

To help organizations defend against Bootkitty, ESET has published indicators of compromise (IoCs) on GitHub.   

Recommendations for Protection

  • Enable Secure Boot: Since Bootkitty cannot operate with Secure Boot enabled, this is a crucial defense. 
  • Update Security Tools: Keeping antivirus and other security software up to date can help detect and block new threats.  
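The first recommendation only helps if Secure Boot is actually on, and the place to verify that from a running Linux host is efivarfs. The script below is an added example written for this post (it is not code from ESET or from the original author): efivarfs exposes each UEFI variable as a file whose first four bytes are the attribute word and the remainder the value, and the `SecureBoot` and `SetupMode` variables live under the standard EFI global-variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c. The file layout and GUID come from the UEFI specification; the state labels are my own.

```python
"""Verify UEFI Secure Boot state from a running Linux host.

Added example for this post (not code from ESET or the original author).
efivarfs exposes each UEFI variable as a file: a 4-byte little-endian
attribute word followed by the variable's data. SecureBoot and SetupMode
live under the EFI global-variable vendor GUID.
"""
from pathlib import Path
from typing import Optional, Tuple

# EFI_GLOBAL_VARIABLE vendor GUID (UEFI spec); efivarfs names files <Name>-<GUID>.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs record into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError(f"efivar record too short: {len(raw)} bytes")
    return int.from_bytes(raw[:4], "little"), raw[4:]


def secure_boot_state(secureboot_raw: Optional[bytes],
                      setupmode_raw: Optional[bytes]) -> str:
    """Classify the platform from the raw SecureBoot/SetupMode records.

    'enabled' requires SecureBoot == 1 and SetupMode == 0: in Setup Mode the
    firmware accepts new key material without authentication, so signature
    enforcement is not a meaningful control even if SecureBoot reads 1.
    """
    if secureboot_raw is None:
        return "unsupported"          # legacy BIOS boot, or no EFI variable
    _, sb = parse_efivar(secureboot_raw)
    if not sb or sb[0] != 1:
        return "disabled"
    if setupmode_raw is not None:
        _, sm = parse_efivar(setupmode_raw)
        if sm and sm[0] == 1:
            return "setup-mode"
    return "enabled"


def read_var(name: str) -> Optional[bytes]:
    """Read one global UEFI variable, or None when the platform lacks it."""
    try:
        return (EFIVARS_DIR / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}").read_bytes()
    except OSError:                   # no efivars directory, permission denied, etc.
        return None


def host_secure_boot_state() -> str:
    return secure_boot_state(read_var("SecureBoot"), read_var("SetupMode"))


if __name__ == "__main__":
    # Constructed records: attributes 0x06 (BS|RT), then the one-byte value.
    demo = secure_boot_state(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
    print(f"constructed sample -> {demo}")      # enabled
    print(f"this host          -> {host_secure_boot_state()}")
```

Treat "disabled" and "setup-mode" as findings for a fleet inventory, since either leaves a self-signed bootloader such as the one described here free to load. An on-host check is only as trustworthy as the host: corroborate it with the firmware setup screen, `mokutil --sb-state` on Ubuntu, or a remote attestation of the boot measurements where the hardware supports it.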

This discovery underscores the growing sophistication of Linux-targeted malware and the need for robust security practices to safeguard critical systems.

Several Vulnerabilities were Discovered in the Snap-Confine Function on Linux Systems

Security researchers from Qualys uncovered various flaws in Canonical's Snap software packaging and deployment system. Bharat Jogi, head of vulnerability and threat research at Qualys, revealed in a blog post that they discovered many vulnerabilities in the snap-confine function on Linux operating systems, "the most important of which can be abused to escalate privilege to gain root rights." 

Canonical created Snap, a software packaging and distribution mechanism for operating systems that use the Linux kernel. The packages, known as snaps, and the tool used to manage them, snapd, are compatible with a variety of Linux distributions and enable upstream software developers to deliver their applications directly to users. Snaps are standalone applications that run in a sandbox and have mediated access to the host system. Snap-confine is a program that snapd uses internally to build the execution environment for snap applications.

If this vulnerability is successfully exploited, any unprivileged user can get root privileges on the vulnerable system. Qualys security researchers were able to independently validate the vulnerability, create an exploit, and get full root access on default Ubuntu installations. Canonical cooperated in responsible vulnerability disclosure and coordinated with both vendor and open-source distributions to announce this newly identified vulnerability as soon as the Qualys Research Team confirmed it. 

Canonical, the publisher of Ubuntu, said in a statement that they tried to ensure that the subsystems on which the snap platform is based are utilised safely throughout the development process. They pointed out that, because of automatic refreshes, the majority of snap-distributed platform installations around the world have already been updated.

In addition, Qualys detected six more vulnerabilities. They detailed each vulnerability and asked all users to patch as soon as feasible. “Unfortunately, such a modern confinement platform involves many subsystems, and sometimes we make mistakes. Thankfully, Canonical and Ubuntu are part of a large community that includes competent security researchers. Recently, Qualys informed us that one of the tools that is part of the snap platform contains a security issue,” a Canonical spokesperson said.

“In their words: Discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu), because snap-confine uses a very defensive programming style, AppArmor profiles, seccomp filters, mount namespaces, and two Go helper programs,” the spokesperson added.

Attackers use Python Ransomware to Encrypt VMware ESXi Servers

Researchers uncovered a new Python ransomware from an unnamed gang that attacks ESXi servers and virtual machines (VMs) with "sniper-like" speed. Sophos stated on Tuesday that the ransomware is being used to infiltrate and encrypt virtual machines housed on an ESXi hypervisor in operations that take less than three hours from start to finish. 

In a press release accompanying his in-depth report, Andrew Brandt, principal researcher at Sophos, said, “This is one of the fastest ransomware attacks Sophos has ever investigated, and it appeared to precision-target the ESXi platform.” 

The Python coding language is rarely used for ransomware, according to Brandt. But, he continued, its use makes sense because Python comes pre-installed on Linux-based systems like ESXi, allowing Python-based attacks on these systems. 

The assault used a custom Python script that, when run on the target organization's virtual machine hypervisor, took all virtual machines offline. According to Sophos' security analysts, the attackers were swift to deploy the ransomware: the encryption process began about three hours after the initial intrusion.

The attackers gained initial access using a TeamViewer account that did not have multi-factor authentication enabled and was running in the background on a computer owned by a user with Domain Administrator credentials. According to Sophos, the attackers logged in 30 minutes after midnight in the organization's time zone, then downloaded and used a tool to discover targets on the network, which led them to a VMware ESXi server. 

At roughly 2 a.m., the attackers got into the server through the ESXi Shell, a built-in SSH service that can be enabled on ESXi servers for administration purposes. The attackers logged into the ESXi Shell three hours after the network was first scanned, copied the Python script, and then ran it for each datastore disk volume, encrypting the virtual disk and settings files for virtual machines.

“The script contains variables that the attacker can configure with multiple encryption keys, email addresses, and where they can customize the file suffix that gets appended to encrypted files,” Brandt wrote.

Sophos investigators discovered several hardcoded encryption keys, as well as a method for creating even more encryption key pairs, while traversing the code. Normally, an attacker would just need to insert the attacker's own 'public key,' which would be used to encrypt files on the targeted computer(s), according to Brandt. However, it appears that each time this ransomware is launched, it generates a new key.
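Two of the detection opportunities in this timeline are generic: an interactive shell login to a hypervisor at 2 a.m., and one from a host that is not a management jump box. The script below is an added example written for this post, not code from Sophos, and it runs over constructed log lines written in a generic syslog/sshd style. ESXi records sshd events in /var/log/auth.log, but the exact field layout varies by version, so the regular expression, the 10.10.0.0/24 jump-host range, and the 08:00 to 20:00 maintenance window are all assumptions to adapt to a real environment.

```python
"""Flag interactive SSH logins to a hypervisor that fall outside a maintenance
window or come from outside an administrator allow-list.

Added example for this post, not code from Sophos. The log lines are
constructed in a generic syslog/sshd style; ESXi writes sshd events to
/var/log/auth.log, but field layout varies, so the pattern below is an
assumption to adapt to real logs.
"""
import ipaddress
import re
from datetime import datetime, time
from typing import Dict, List

# "Accepted <method> for <user> from <ip> port <port>" is how sshd logs a successful login.
SSH_ACCEPT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z?\s+(?:\S+\s+)?sshd\[\d+\]:\s+"
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed policy: management logins come only from this jump-host range,
# and only during day-shift hours (local time).
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
MAINTENANCE_WINDOW = (time(8, 0), time(20, 0))


def in_window(ts: datetime, window=MAINTENANCE_WINDOW) -> bool:
    """True when ts falls inside [start, end); handles windows that wrap midnight."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return not (end <= t < start)


def analyse(lines: List[str], admin_nets=ADMIN_NETS,
            window=MAINTENANCE_WINDOW) -> List[Dict]:
    """Return one finding per accepted login that violates time or source policy."""
    findings = []
    for line in lines:
        m = SSH_ACCEPT.match(line)
        if not m:
            continue                        # not a successful-login record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        ip = ipaddress.ip_address(m["ip"])
        reasons = []
        if not in_window(ts, window):
            reasons.append("outside maintenance window")
        if not any(ip in net for net in admin_nets):
            reasons.append("source not in admin allow-list")
        if reasons:
            findings.append({"time": m["ts"], "user": m["user"],
                             "ip": m["ip"], "reasons": reasons})
    return findings


SAMPLE_LOG = [  # constructed; the second line mirrors the 2 a.m. shell login described above
    "2021-10-05T09:15:02Z esxi01 sshd[4711]: Accepted publickey for root from 10.10.0.5 port 50122 ssh2",
    "2021-10-05T02:03:11Z esxi01 sshd[4902]: Accepted password for root from 10.0.7.44 port 51234 ssh2",
    "2021-10-05T02:04:30Z esxi01 sshd[4902]: pam_unix(sshd:session): session opened for user root",
    "2021-10-05T14:20:45Z esxi01 sshd[5120]: Accepted publickey for root from 192.168.50.9 port 40000 ssh2",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The daytime login from the jump-host range produces no finding; the 02:03 password login from an unexpected address produces two reasons, and the daytime login from 192.168.50.9 produces one. Feeding this from a central log collector rather than the hypervisor itself matters here, because the same shell access that ran the script could also clear local logs.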

Threat Actors Abuse Top 15 Flaws Millions of Times to Target Linux Systems

Researchers at Trend Micro have identified and flagged nearly 14 million Linux-based systems that are directly exposed to the internet, making them a lucrative target for attackers to deploy malicious web shells, ransomware, coin miners, and other Trojan horses.

The U.S.-Japanese company published a detailed analysis of the Linux threat landscape, highlighting the top threats and flaws that affected the operating system in the first half of 2021, based on data gathered from honeypots, sensors, and anonymized telemetry.

The company, which discovered nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for 29% of the share. 

Furthermore, researchers examined more than 50 million events from 100,000 unique Linux hosts and identified 15 security weaknesses that have been actively exploited in the wild or have a proof of concept (PoC):

• CVE-2017-5638 (CVSS score: 10.0) – Apache Struts 2 remote code execution (RCE) vulnerability
• CVE-2017-9805 (CVSS score: 8.1) – Apache Struts 2 REST plugin XStream RCE vulnerability
• CVE-2018-7600 (CVSS score: 9.8) – Drupal Core RCE vulnerability
• CVE-2020-14750 (CVSS score: 9.8) – Oracle WebLogic Server RCE vulnerability
• CVE-2020-25213 (CVSS score: 10.0) – WordPress File Manager (wp-file-manager) plugin RCE vulnerability
• CVE-2020-17496 (CVSS score: 9.8) – vBulletin ‘subwidgetConfig’ unauthenticated RCE vulnerability
• CVE-2020-11651 (CVSS score: 9.8) – SaltStack Salt authorization weakness vulnerability
• CVE-2017-12611 (CVSS score: 9.8) – Apache Struts OGNL expression RCE vulnerability
• CVE-2017-7657 (CVSS score: 9.8) – Eclipse Jetty chunk length parsing integer overflow vulnerability
• CVE-2021-29441 (CVSS score: 9.8) – Alibaba Nacos AuthFilter authentication bypass vulnerability
• CVE-2020-14179 (CVSS score: 5.3) – Atlassian Jira information disclosure vulnerability
• CVE-2013-4547 (CVSS score: 8.0) – Nginx crafted URI string handling access restriction bypass vulnerability
• CVE-2019-0230 (CVSS score: 9.8) – Apache Struts 2 RCE vulnerability
• CVE-2018-11776 (CVSS score: 8.1) – Apache Struts OGNL expression RCE vulnerability
• CVE-2020-7961 (CVSS score: 9.8) – Liferay Portal untrusted deserialization vulnerability

To make matters worse, the 15 most commonly used Docker images on the official Docker Hub repository were found to carry vulnerabilities, spanning python, node, WordPress, golang, Nginx, Postgres, influxdb, httpd, MySQL, Debian, Memcached, Redis, mongo, centos, and rabbitmq, underscoring the need to secure containers against threats during the development stage.

“Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model,” the researchers explained.