Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Linux. Show all posts
Threat Landscape
Linux malware Misconfiguration Security flaw Threat Landscape

Stealthy Malware Has Infected Thousands of Linux Systems Since 2021

 

Aqua Security researchers have raised concerns about a newly identified malware family that targets Linux-based machines in order to get persistent access and control resources for crypto mining. The malware, known as perfctl, purports to exploit over 20,000 different types of misconfigurations and known vulnerabilities and has been active for over three years. 

Aqua Security uncovered that perfctl uses a rootkit to hide itself on compromised systems, runs as a service in the background, is only active when the machine is idle, communicates via a Unix socket and Tor, installs a backdoor on the infected server, and attempts to escalate privileges. The malware's handlers have been detected deploying more reconnaissance tools, proxy-jacking software, and a cryptocurrency miner. 

The attack chain begins with the exploitation of a vulnerability or misconfiguration, followed by the deployment and execution of the payload from a remote HTTP server. Next, it copies itself to the temporary directory, terminates the old process, deletes the initial binary, and runs from the new location. 

The payload contains an attack for CVE-2021-4043, a medium-severity Null pointer dereference vulnerability in the open source multimedia framework Gpac, which it uses to get root access. The flaw was recently uploaded to CISA's Known Exploited Vulnerabilities database. 

In addition to the cryptominer, the malware was observed copying itself to numerous additional locations on the computers, dropping a rootkit and popular Linux applications modified to function as userland rootkits. It uses a Unix socket to handle local communications and the Tor anonymity network for external command-and-control (C&C). 

"All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defence mechanisms and hinder reverse engineering attempts," the company said. 

Furthermore, the malware monitors specific files and, if a user logs in, it suspends activities to conceal its presence. It also ensures that user-specific configurations are executed in Bash contexts, allowing the server to run normally. 

For persistence, perfctl alters a script such that it is executed before the server's legitimate workload. It also attempts to terminate the processes of any additional malware it detects on the infected PC. 

The deployed rootkit hooks into various functions and modifies their functionality, including changes that allow "unauthorised actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behaviour of authentication mechanisms," according to Aqua Security. 

The cybersecurity firm found three download servers linked to the attacks, as well as other websites that were likely hacked by the threat actors, resulting in the finding of artefacts used in the exploitation of vulnerable or misconfigured Linux servers. 

“We identified a very long list of almost 20K directory traversal fuzzing list, seeking for mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) the attacker can run to exploit the misconfiguration,” the company added.
Read more »
Proxyjacking
cryptomining Linux malware Perfctl Malware Proxyjacking

Cryptomining and Proxyjacking: The Rise of Perfctl Malware


A new and highly sophisticated malware strain has emerged, posing a significant threat to millions of Linux servers worldwide. Dubbed "perfctl," this fileless malware employs advanced evasion techniques and exploits a staggering 20,000 misconfigurations in Linux servers. 

Its primary targets are unprotected or poorly configured systems, where it installs cryptomining and proxyjacking malware. 

The Anatomy of "perfctl"

Unlike traditional malware, "perfctl" is fileless, which means it doesn't rely on files stored on the disk to execute its payload. Instead, it operates entirely in the memory of the infected system, making it extremely difficult to detect and remove. Fileless malware leverages legitimate system tools and processes to carry out its malicious activities, often leaving minimal traces for security software to identify.

Perfctl specifically targets Linux servers, which are widely used in enterprise environments due to their reliability and scalability. By exploiting misconfigurations, this malware gains initial access to the system. Once inside, it deploys its payload directly into the memory, bypassing traditional antivirus and endpoint protection solutions.

Exploiting Misconfigurations

Misconfigurations are the weakness of many systems, and Linux servers are no exception. According to security experts, "perfctl" exploits around 20,000 different misconfigurations to infiltrate its targets. These misconfigurations can range from default or weak passwords to unpatched vulnerabilities and improperly set access controls.

Once the malware gains access, it uses a combination of evasion techniques to stay hidden. It can mask its presence by hijacking legitimate processes, using encryption to conceal its communication, and employing anti-forensic measures to prevent detection and analysis. This makes "perfctl" a formidable adversary for even the most advanced security solutions.

The Impact: Cryptomining and Proxyjacking

The primary goal of "perfctl" is to install cryptomining and proxyjacking malware on infected systems. Cryptomining malware uses the server's computational power to mine cryptocurrencies like Bitcoin or Monero, generating revenue for the attackers at the expense of the victim's resources. This can lead to decreased performance, increased operational costs, and potential hardware damage due to overuse.

Proxyjacking, on the other hand, involves using the compromised server as a proxy to route malicious traffic, often as part of a larger botnet. This can have serious implications for the victim's network, including reduced bandwidth, increased latency, and potential legal consequences if the server is used for illegal activities.

Mitigation and Prevention

Regularly update and patch systems: Ensure that all software, including operating systems and applications, are up-to-date with the latest security patches.

Harden server configurations: Review and harden server configurations to eliminate potential misconfigurations. This includes enforcing strong passwords, disabling unnecessary services, and setting proper access controls.

Implement advanced threat detection solutions: Use behavior-based and memory-resident threat detection solutions that can identify and respond to fileless malware activities.

Conduct regular security audits: Regularly audit systems for vulnerabilities and misconfigurations. Conduct penetration testing to identify and remediate potential weaknesses.

Educate and train employees: Ensure that IT staff and employees are aware of the latest threats and best practices for cybersecurity.

Read more »
PC
Apple Devices BitLocker encryption Cyber Security Linux Microsoft Operating system PC

Why Windows 11 Requires a TPM and How It Enhances Security

 

When Microsoft launched Windows 11 in 2021, the new operating system came with a stringent hardware requirement: the presence of a Trusted Platform Module (TPM), specifically one that meets the TPM 2.0 standard. A TPM is a secure cryptoprocessor designed to manage encryption keys and handle security-related tasks, making it a critical component for features such as Secure Boot, BitLocker, and Windows Hello. 

The TPM architecture, defined by the ISO/IEC 11889 standard, was created over 20 years ago by the Trusted Computing Group. The standard outlines how cryptographic operations should be implemented, emphasizing integrity protection, isolation, and confidentiality. A TPM can be implemented as a discrete chip on a motherboard, embedded in the firmware of a PC chipset, or built directly into the CPU, as Intel, AMD, and Qualcomm have done over the past decade. 

Most PCs manufactured since 2016 come with a TPM 2.0, as Microsoft mandated that year that all new computers shipped with Windows must have this technology enabled by default. Even some older devices may have a TPM, though it might be disabled in the BIOS or firmware settings. Intel began incorporating TPM 2.0 into its processors in 2014, but the feature was mainly available on business-oriented models. Devices built before 2014 may have discrete TPMs that conform to the earlier TPM 1.2 standard, which is not officially supported by Windows 11. 

The TPM enhances security by providing a secure environment for processing cryptographic operations and storing sensitive data, like private keys used for encryption. For example, it works with the Secure Boot feature to ensure that only signed, trusted code runs during startup. It also enables biometric authentication via Windows Hello and holds the BitLocker keys that encrypt the contents of a system disk, making unauthorized access nearly impossible. Windows 10 and 11 initialize and take ownership of the TPM during installation, and it’s not just limited to Windows; Linux PCs and IoT devices can also use a TPM. 

Apple devices employ a different design known as the Secure Enclave, which performs similar cryptographic tasks. The added level of security provided by a TPM is crucial in protecting against tampering and unauthorized data access. For those with older PCs, upgrading to Windows 11 may require enabling TPM in the BIOS or using a utility to bypass hardware checks. However, the extra security enforced by TPM in tamper-resistant hardware is an essential advancement in protecting your data and ensuring system integrity.
Read more »
ransomware attacks
Cyber Attacks Data Security Breach Financial Firm Fog Ransomware Linux MFA ransomware attacks

Protecting Against Fog Ransomware: Key Strategies and Insights

 

In August 2024, a mid-sized financial firm was targeted by a ransomware attack using compromised VPN credentials to deploy a variant called “Fog” on both Windows and Linux systems. Fortunately, the attack was detected and neutralized by Adlumin’s innovative technology, which uses decoy files as sensors to detect ransomware activity. Fog, a variant of the STOP/DJVU ransomware family first observed in 2021, exploits compromised VPN credentials to breach networks and often targets sectors like education and recreation. 

Once inside, the ransomware uses techniques such as pass-the-hash attacks to escalate privileges, disable security mechanisms, encrypt critical files like Virtual Machine Disks (VMDKs), and delete backup data. Victims are usually directed to a negotiation platform on the Tor network through a ransom note. The lack of direct ties to known threat groups suggests that Fog may originate from a new, highly skilled actor. The attackers initiated their operation by pinging endpoints and using tools like “Advanced Port Scanner” for network reconnaissance. 

They then moved laterally through the network using compromised service accounts, mapped network drives, and harvested credentials. For execution, they used the open-source tool ‘Rclone’ to transfer data and deployed ‘locker.exe’ to encrypt files. Additionally, they deleted system backups to prevent victims from restoring their data. Adlumin’s Ransomware Prevention feature played a critical role in neutralizing the attack. This technology, launched in April 2024, uses decoy files that lie dormant until ransomware activity is detected, triggering the automatic isolation of affected machines and blocking further data theft. 

The feature alerts security teams for a deeper investigation, representing a significant advancement in the fight against ransomware. After isolating compromised systems, security engineers conducted a thorough analysis to identify vulnerabilities and restore the affected systems. In the aftermath of the attack, several key measures were recommended to prevent future incidents: ensuring all VPN connections require Multi-Factor Authentication (MFA), keeping VPN software up to date, monitoring VPN access for unusual activity, and deploying automated isolation procedures when ransomware is detected. 

It is also important to protect endpoints with comprehensive security platforms capable of real-time threat monitoring and response, limit administrative privileges, conduct regular security audits, and establish effective incident response plans. Additionally, organizations should regularly back up critical data in secure environments and monitor network traffic for signs of unusual or malicious activity. These proactive steps help organizations prepare for and mitigate the impact of sophisticated ransomware threats like Fog.
Read more »
User Accounts Hacked
Cyber Attacks CyberCriminal data security Hacker attack Linux Malwares ToolKit User Accounts Hacked

Comprehensive Hacker Toolkit Uncovered: A Deep Dive into Advanced Cyberattack Tools

 

Cybersecurity researchers have recently uncovered a vast and sophisticated hacker toolkit that provides a comprehensive suite of tools for executing and maintaining cyberattacks. Found in an open directory in December 2023, the discovery offers a rare glimpse into the methodologies and tools employed by modern cybercriminals. The toolkit includes a range of batch scripts and malware targeting both Windows and Linux systems, showcasing the attackers’ ability to compromise systems, maintain long-term control, and exfiltrate data.  

Among the most significant tools identified were PoshC2 and Sliver, two well-known command and control (C2) frameworks. Although these open-source tools are typically used by penetration testers and red teams to simulate attacks and test security, they have been repurposed by threat actors for malicious purposes. The presence of these frameworks within the toolkit indicates the attackers’ intent to establish persistent remote access to compromised systems, allowing them to conduct further operations undetected. In addition to these frameworks, the toolkit contained several custom batch scripts designed to evade detection and manipulate system settings. 

Scripts such as atera_del.bat and atera_del2.bat were specifically crafted to remove Atera remote management agents, thereby eliminating traces of legitimate administrative tools. Other scripts, like backup.bat and delbackup.bat, were aimed at deleting system backups and shadow copies, a common tactic employed in ransomware attacks to prevent data recovery. Researchers from DFIR Report also noted the presence of clearlog.bat, a script capable of erasing Windows event logs and removing evidence of Remote Desktop Protocol (RDP) usage. This highlights the attackers’ emphasis on covering their tracks and minimizing the chances of detection. 

Additionally, the toolkit included more specialized tools such as cmd.cmd, which disables User Account Control and modifies registry settings, and def1.bat and defendermalwar.bat, which disable Windows Defender and uninstall Malwarebytes. The discovery of this hacker toolkit underscores the growing sophistication of cyberattacks and the need for organizations to adopt robust cybersecurity measures. With tools designed to disable critical services, delete backups, and evade antivirus software, the toolkit serves as a stark reminder of the evolving threat landscape. 

Cybersecurity experts advise organizations to implement comprehensive security strategies, including regular system updates, employee training, and advanced threat detection systems, to protect against such sophisticated attack toolkits. The presence of tools like Sliver and PoshC2 within the toolkit suggests that these servers were likely used in ransomware intrusion activities. Many of the scripts found attempted to stop services, delete backups and shadow copies, and disable or remove antivirus software, further supporting this theory. 

As cyber threats continue to evolve, the discovery of this toolkit provides valuable insights into the methods and tools employed by modern cybercriminals. Organizations must remain vigilant and proactive in their cybersecurity efforts to protect against the increasingly sophisticated tactics used by threat actors.
Read more »
Windows
AMD Linux malware Sinkclose Windows

Experts Find Sinkclose Bug in Millions of AMD Processors, Hard to Patch

Experts Find Sinkclose Bug in Millions of AMD Processors, Hard to Patch

A recently found major security flaw called 'Sinkclose' impacts virtually all of the AMD's processors released since 2006. The vulnerability allows threat actors to deeply infiltrate into a system, making it difficult to identify and eliminate the malicious software. According to experts, the problem is serious, in some cases, it would be easier to just dump the system than to fix it.

About Sinkclose Bug

But there is a good side to it, since the flaw has not been found for 18 years, chances are it hasn't been exploited. Additionally, AMD is patching its platforms to protect the affected processors, however, not all have received a patch yet. See this list for full details.

Sinkclose is known for escaping anti-viruses and persistence even after reinstalling OS. The bug allows threat actors to execute code within AMD processors' SMM (System Management System), a privileged region kept for critical firmware operations. To use the flaw, threat actors must first gain access to the system's kernel, a difficult task, but doable. But the system must already have been targeted by some other attack.

Persistent Threat

After securing the access, the Sinkclose vulnerability lets the attackers install bootkit malware that escapes detection by antivirus tools, staying hidden within the system and persists even after re-installing the OS.

The flaw uses a feature in AMD chips called TClose, which maintains compatibility with older devices. By exploiting this feature, the experts could redirect the processor to execute their code at the SMM level. The process is complicated but lets attackers with access and control over the device.

Flaw Needs Kernel-level Access

Cybersecurity experts Krzysztof Okupski and Enrique Nissim from IOActive found the Sinkclose vulnerability, they will present it at the Defcon conference."To take advantage of the vulnerability, a hacker has to already possess access to a computer's kernel, the core of its operating system," AMD said to Wired.

Experts highlight that although the Sinkclose exploit needs kernel-level access, the flaws at this level are found in Linux and Windows systems. Advanced state-sponsored hackers might already have what it takes to exploit these flaws. 

Experts suggest kernel exploits are readily available, which makes Sinkclose the second stage for the threat actors. To eliminate the malware, one must open the computer and connect to a particular part of its memory using an SPI Flash programmer, inspect the memory with caution, and then remove the malware. 

Read more »
Windows
Business Safety Cyber Security Linux Microsoft Safety Windows

Report: macOS Most Vulnerable to Endpoint Attacks Compared to Windows and Linux

 

A new report from Picus Security has unveiled a concerning vulnerability in many IT environments: a high risk of complete takeover through escalated privileges. 

Simulated attacks revealed that while organizations can typically defend against seven out of ten attacks, the persistent threat of sophisticated cybercrime syndicates leaves a substantial margin for error.

Full environment takeovers occur when attackers gain administrator-level access, enabling them to freely navigate and compromise systems. Alarmingly, Picus successfully achieved domain admin access in 40% of the tested environments.

While Linux and Windows demonstrated relatively strong defenses against endpoint attacks, macOS proved significantly more vulnerable, raising concerns about its security posture. Picus CTO Volkan Ertürk emphasized the need for increased focus on securing macOS systems, recommending the use of threat repositories like the Picus Threat Library to identify and address vulnerabilities.

The report also highlighted the prevalence of basic security lapses, with a quarter of companies using easily guessable passwords and a mere 9% effectively preventing data exfiltration. Cybercrime groups like BlackByte, BabLock, and Hive posed the most significant challenges for organizations.

“Like a cascade of falling dominoes that starts with a single push, small gaps in cybersecurity can lead to big breaches,” said Dr. Suleyman Ozarslan, Picus co-founder and VP of Picus Labs.

It's clear that organizations are still experiencing challenges when it comes to threat exposure management and balancing priorities. Small gaps that lead to attackers obtaining domain admin access are not isolated incidents, they are widespread. Last year, the attack on MGM used domain admin privileges and super admin accounts. It stopped slot machines, shut down virtually all systems, and blocked a multi-billion-dollar company from doing business for days,” Ozarslan said.

Read more »
VMware ESXi
Cyber Attacks Linux Ransomware VMware VMware ESXi

Play Ransomware Group is Targeting VMWare ESXi Environments

 

Play ransomware is the latest ransomware gang to launch a specific Linux locker for encrypting VMware ESXi virtual machines. Trend Micro, whose analysts discovered the new ransomware variation, claims the locker is designed to verify whether it is operating in an ESXi environment before executing and can bypass detection on Linux systems.

"This is the first time that we've observed Play ransomware targeting ESXi environments," Trend Micro stated. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations."

This has been a well-known trend for years, with most ransomware organisations turning their focus to ESXi virtual machines after companies started using them for data storage and critical application hosting due to their far more effective resource management. Taking down an organization's ESXi VMs will cause significant business disruptions and outages, whereas encrypting files and backups severely limits the victims' ability to restore compromised data.

While examining this Play ransomware sample, Trend Micro discovered that the ransomware gang leverages URL-shortening services provided by a threat actor known as Prolific Puma. 

After successfully launching, Play ransomware Linux samples will search and power down all VMs discovered in the compromised environment before encrypting files (e.g., VM disc, configuration, and metadata files), inserting the.PLAY extension to the end of each file. According to Trend Micro, the encryptor will execute a specific code to shut down all running VMware ESXi virtual machines so that they can be encrypted. 

The Play ransomware emerged in June 2022, with the first victims seeking help in BleepingComputer forums. Its operators are infamous for stealing sensitive information from compromised devices, which they then use in double-extortion attempts to force victims into paying a ransom under the threat of releasing the stolen data online.

Rackspace, the City of Oakland in California, Arnold Clark, the Belgian city of Antwerp, and Dallas County are among the high-profile victims of the Play ransomware. In December, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) warning that the ransomware group had penetrated about 300 organisations worldwide until October 2023.
Read more »
VMware ESXi
Cyber Attacks Linux Ransomware TargetCompany VMware ESXi

TargetCompany’s Linux Variant is Targeting ESXi Environments

 

Researchers discovered a new Linux variation of the TargetCompany ransomware family that targets VMware ESXi setups and uses a custom shell script to distribute and execute payloads.

The TargetCompany ransomware operation, also known as Mallox, FARGO, and Tohnichi, began in June 2021 and has since focused on database attacks (MySQL, Oracle, SQL Server) against organisations mostly in Taiwan, South Korea, Thailand, and India.

In February 2022, antivirus company Avast announced the release of a free decryption tool that covered all variations released up to that point. By September, however, the group had resumed regular activity, targeting vulnerable Microsoft SQL servers and threatening victims with disclosing stolen data via Telegram. 

New Linux version 

In a report published earlier this week by cybersecurity firm Trend Micro, the new Linux edition of TargetCompany ransomware scans for administrator access before launching the malicious process. The threat actor employs a custom script to download and execute the ransomware payload, as well as to exfiltrate data to two separate sites, most likely for redundancy in the case of a machine failure or compromise.

Once on the target system, the payload uses the 'uname' command to see if it runs in a VMware ESXi environment and looks for 'vmkernel.' Next, a "TargetInfo.txt" file is generated and delivered to the command and control (C2) server. It contains information about the victim, including hostname, IP address, operating system details, logged-in users and rights, unique identifiers, and information on encrypted files and directories. 

The ransomware will encrypt files with VM-related extensions (vmdk, vmem, vswp, vmx, vmsn, nvram) and append the ".locked" extension to the generated files. Finally, a ransom note titled "HOW TO DECRYPT.txt" is dropped, which instructs the victim on how to pay the ransom and retrieve a legitimate decryption key. 

After all operations are performed, the shell script deletes the payload using the 'rm -f x' command, erasing all traces that could be used in post-incident investigations from affected devices. 

Trend Micro analysts attribute the attacks that deployed the new Linux strain of TargetCompany ransomware to an affiliate named "vampire," who is most likely the same one mentioned in a Sekoia report last month. The IP addresses used to deliver the payload and accept the text file with the victim's information were tracked back to a Chinese ISP. 

However, this is insufficient to precisely determine the attacker's origin. Previously, TargetCompany ransomware focused on Windows devices, but the release of the Linux variant, as well as the transition to encrypting VMware ESXi machines, indicate the growth of the operation.
Read more »
Windows
CPR Cyber Attacks Hacker attack Hacking Iranian hackers Isreal Linux Public Networks Windows

Iranian Hacker Group Void Manticore Linked to Destructive Cyber Attacks on Israel and Albania

 

A recent report from Check Point Research (CPR) has unveiled the activities of an Iranian hacker group known as Void Manticore, which has been linked to a series of destructive cyber attacks on Israel and Albania. Affiliated with Iran’s Ministry of Intelligence and Security (MOIS), Void Manticore operates alongside another Iranian threat actor, Scarred Manticore, to carry out these attacks. 

The group employs various online personas, such as "Karma" for attacks in Israel and "Homeland Justice" for those in Albania. Their tactics involve gaining initial access to target networks using publicly available tools and deploying custom wipers to render data inaccessible on both Windows and Linux systems. CPR’s analysis details a systematic collaboration between Void Manticore and Scarred Manticore. Initially, Scarred Manticore gains access and exfiltrates data from targeted networks. 

Control is then transferred to Void Manticore, which executes the destructive phase of the operation. This strategic partnership amplifies the scale and impact of their cyber attacks. The report underscores the similarities in the attacks on Israel and Albania, including the exploitation of specific vulnerabilities for initial access, the use of similar tools, and the coordinated efforts between the two groups. These overlaps suggest a well-established routine for the Iranian hacker groups. 

Void Manticore's toolkit includes several custom wipers, such as the CI Wiper, Partition Wipers like LowEraser, and the recently deployed BiBi Wiper, named after Israeli Prime Minister Benjamin Netanyahu. These wipers specifically target files and partition tables, using advanced techniques to corrupt files and disrupt system functionality. 

The revelation of Void Manticore's activities and its collaboration with Scarred Manticore underscores the growing sophistication and coordination of state-affiliated cyber threat actors. The combined use of psychological tactics and destructive malware represents a significant escalation in cyber warfare, posing substantial risks to national security and critical infrastructure. 

As these cyber threats continue to evolve, it is imperative for nations and organizations to strengthen their cybersecurity defenses and enhance their capabilities to detect, mitigate, and respond to such sophisticated attacks. The report from CPR serves as a crucial reminder of the persistent and evolving nature of cyber threats posed by state-affiliated actors like Void Manticore and Scarred Manticore.
Read more »
XZ Utils Library
Backdoor Information Security Linux Linux Security Vulnerabilities and Exploits XZ Utils Library

Unveiling the XZ Utils Backdoor: A Wake-Up Call for Linux Security

 

The recent discovery of a backdoor in the XZ Utils, a vital tool for lossless data compression on Linux, has sent shockwaves through the tech community. This revelation poses a significant risk to nearly all Linux systems, prompting urgent concerns about cybersecurity and system integrity. 

The Common Vulnerabilities and Exposures (CVE) system, a reference for publicly known information-security vulnerabilities, assigned a severity score of 10/10 to the Linux XZ Utils backdoor. This rating underscores the gravity of the situation and underscores the urgent need for action. 

The initial detection of the backdoor was made by Andres Freund, a PostgreSQL developer at Microsoft. Freund noticed unusual SSH login delays and CPU usage spikes on a Debian Linux system, leading to an investigation that uncovered the presence of the backdoor in the XZ Utils. This discovery exposed countless Linux servers and workstations to potential attacks, highlighting the widespread impact of the vulnerability. 

The backdoor was cleverly concealed within binary files in the XZ Utils’ test folder, encrypted using the XZ library itself, making it difficult to detect. While systems running Debian or Red Hat Linux distributions were particularly vulnerable, Arch Linux and Gentoo Linux appeared to be spared due to their unique system architectures. The malware exploited an audit hook in the dynamic linker, a fundamental component of the Linux operating system, enabling attackers to execute code remotely at the system level. 

This capability granted them full control over compromised systems, posing severe risks such as data theft, system disruption, and the deployment of additional malware or ransomware. Further investigations revealed that the breach of the XZ repository was a sophisticated and well-coordinated effort, likely involving multiple individuals. This complexity raises concerns about the extent of the damage and the potential for other undiscovered vulnerabilities. 

The attack's sophistication suggests a deep understanding of the Linux ecosystem and the XZ Utils, highlighting the need for enhanced security measures in open-source software development. Immediate steps, such as updating to patched versions of XZ Utils or reverting to safe earlier versions, are crucial for system security. This incident serves as a wake-up call for the Linux community to reassess its security practices and strengthen defenses against future attacks. 

Rigorous code reviews, increased use of security auditing tools, and fostering transparency and collaboration among developers and security researchers are essential steps to mitigate similar threats in the future. As the tech community grapples with the implications of this backdoor, ongoing research is underway to determine the full extent of the threat. This incident underscores the critical importance of system security and the need for continuous vigilance against evolving cyber threats. Together, we must learn from this experience and work towards building a more secure and resilient Linux ecosystem.
Read more »
XDealer
DinodasRat Linux malware Robust security XDealer

Linux Servers Targeted by DinodasRAT Malware




Recently, cybersecurity experts have noticed a concerning threat to Linux servers worldwide. Known as DinodasRAT (also referred to as XDealer), this malicious software has been identified targeting systems running Red Hat and Ubuntu operating systems. The campaign, suspected to have been operational since 2022, signifies a growing concern for server security.

While the Linux variant of DinodasRAT has been detected, details about its operation remain limited. However, previous versions have been traced back to 2021, indicating a persistent threat. Notably, DinodasRAT has previously targeted Windows systems in a campaign dubbed 'Operation Jacana,' focusing on governmental entities.

Trend Micro reported on the activities of a Chinese APT group identified as 'Earth Krahang,' utilising XDealer to breach both Windows and Linux systems of governmental organisations globally. This revelation underlines the severity and scope of the threat posed by DinodasRAT.

According to insights provided by Kaspersky researchers, the Linux version of DinodasRAT exhibits sophisticated behaviour upon execution. It establishes persistence on the infected device through SystemV or SystemD startup scripts and creates a hidden file acting as a mutex to prevent multiple instances from running simultaneously. Furthermore, the malware communicates with a command and control (C2) server via TCP or UDP, ensuring secure data exchange through encryption algorithms.

DinodasRAT possesses a range of capabilities designed to monitor, control, and exfiltrate data from compromised systems. These include tracking user activities, executing commands from the C2 server, managing processes and services, offering remote access to the attacker, proxying communications, downloading updates, and self-uninstallation to erase traces of its presence.

Kaspersky researchers emphasise that DinodasRAT provides threat actors with complete control over compromised systems, enabling data exfiltration and espionage. The malware primarily targets Linux servers, with affected victims identified in China, Taiwan, Turkey, and Uzbekistan since October 2023.

Despite the severity of the threat, details regarding the initial infection method remain undisclosed. Nevertheless, the sudden rise of DinodasRAT underscores the insistence on robust cybersecurity measures, especially for organisations relying on Linux servers for critical operations.

As cybersecurity experts continue to monitor and analyse this surge in upcoming threats, proactive measures such as regular system updates, network monitoring, and employee training on security best practices become increasingly crucial in safeguarding against sophisticated threats like DinodasRAT. 


Read more »
Vulnerabilities and Exploits
cyber threat Device Security Linux Malware Attack Vulnerabilities and Exploits

Shim Bug Uncovered: A Ten-Year Security Breach in Linux Boot Loaders

 

In the dynamic realm of cybersecurity, discovering a significant flaw in every Linux boot loader signed in the past decade has underscored the pervasive nature of potential threats. This blog explores the intricacies of the Shim bug, its implications for Linux systems, and the urgent response required to mitigate its impact. 

The Shim bug, a critical vulnerability affecting Linux boot loaders, has sent security experts into a heightened state of alert. The flaw lies in the code of the Shim bootloader, a crucial component in the Secure Boot process designed to ensure the integrity of the boot sequence. The bug itself has silently persisted for an astounding ten years, evading detection until now. 

The far-reaching impact of the Shim bug cannot be overstated, as it compromises the security of every Linux boot loader signed over the past decade. Secure Boot, a fundamental security feature, is designed to prevent the loading of unsigned or malicious code during the boot process. However, this vulnerability allows threat actors to bypass these protections, opening the door to unauthorized access, malware injection, and other malicious activities. 

The longevity of the Shim bug's existence without detection raises questions about the efficacy of current security measures and the challenges inherent in identifying hidden vulnerabilities. Its discovery highlights the need for ongoing scrutiny, even of well-established and seemingly secure components within the Linux ecosystem. 

Addressing the Shim bug requires a swift and coordinated response from the Linux community. Developers and maintainers work diligently to release patches and updates addressing the vulnerability. Additionally, Linux users are urged to update their systems promptly, applying the necessary patches to safeguard their devices from potential exploitation. 

The Shim bug emphasizes the collaborative nature of the open-source community, where rapid identification and response to vulnerabilities are paramount. Developers, security experts, and Linux users alike must work in unison to fortify the security infrastructure of the operating system and ensure a resilient defence against emerging threats. 

The discovery of the Shim bug serves as a poignant reminder of the ever-evolving threat landscape and the importance of continuous vigilance in cybersecurity. It prompts a reevaluation of existing security practices, encouraging the adoption of proactive measures to detect and address vulnerabilities before they become decade-long silent menaces. 

As the Linux community grapples with the repercussions of the Shim bug, the broader cybersecurity landscape is reminded of the persistent challenges in securing complex systems. The discovery and swift response to such critical vulnerabilities are integral to maintaining the integrity and trustworthiness of open-source platforms like Linux. The lessons learned from the Shim bug should fuel ongoing efforts to fortify security measures, ensuring a resilient defence against future threats in the ever-changing realm of cybersecurity.
Read more »
Vulnerabilities and Exploits
Android App Safety Apple Bluetooth GitHub Linux Linux Servers macOS Vulnerabilities and Exploits

Bluetooth Security Flaw Strikes Apple, Linux, and Android Devices

Vulnerabilities in the constantly changing technology landscape present serious risks to the safety of our online lives. A significant Bluetooth security weakness that affects Apple, Linux, and Android devices has recently come to light in the cybersecurity community, potentially putting millions of users at risk of hacking.

The flaw, identified as CVE-2023-45866, was first brought to light by security researchers who detected a potential loophole in the Bluetooth communication protocol. The severity of the issue lies in its capability to allow hackers to take control of the targeted devices, potentially leading to unauthorized access, data theft, and even remote manipulation.

Security experts from SkySafe, a renowned cybersecurity firm, delved into the intricacies of the vulnerability and disclosed their findings on GitHub. If successfully employed, the exploit could lead to a myriad of security breaches, prompting urgent attention from device manufacturers and software developers alike.

Apple, a prominent player in the tech industry, was not exempt from the repercussions of this Bluetooth bug. The flaw could potentially enable hackers to hijack Apple devices, raising concerns among millions of iPhone, iPad, and MacBook users. Apple, known for its commitment to user security, has been swift in acknowledging the issue and is actively working on a patch to mitigate the vulnerability.

Linux, an open-source operating system widely used across various platforms, also faced the brunt of this security loophole. With a significant user base relying on Linux for its robustness and versatility, the impact of the Bluetooth flaw extends to diverse systems, emphasizing the urgency of a comprehensive solution.

Android, the dominant mobile operating system, issued a security bulletin addressing the Bluetooth vulnerability. The Android Security Bulletin for December 2023 outlined the potential risks and provided guidance on necessary patches and updates. As the flaw could compromise the security of Android devices, users are strongly advised to implement the recommended measures promptly.

Cybersecurity experts stated, "The discovery of this Bluetooth vulnerability is a stark reminder of the constant vigilance required in the digital age. It underscores the importance of prompt action by manufacturers and users to ensure the security and integrity of personal and sensitive information."

This Bluetooth security issue serves as a grim reminder of the ongoing fight against new cyber threats as the tech world struggles with its implications. In order to strengthen its commitment to a secure digital future, the IT industry is working together with developers, manufacturers, and consumers to quickly identify and fix vulnerabilities.

Read more »
Windows
Ad Blockers Data Breach Linux Phishing Attacks Ransomware Attacks. Software VMware Windows

Abyss Locker Ransomware Targets VMware ESXi Servers on Linux

The infamous Abyss Locker ransomware has surfaced as a significant threat to Linux users, primarily targeting VMware ESXi servers. This is worrying news for cybersecurity experts and server managers. Security experts are concerned about this ransomware's potential damage to vital server infrastructure.

According to reports from reliable sources, the Linux version of Abyss Locker is specifically made to take advantage of vulnerabilities in VMware ESXi servers, which are frequently used in data centers and enterprise settings.

Targeted servers are thought to be accessed by ransomware using well-known security flaws, frequently made possible by incorrect setups or unpatched software. Upon entering the system, Abyss Locker employs encryption algorithms to secure important files and databases, making them unavailable to authorized users of the server.

Cybersecurity news source BleepingComputer stated that "Abyss Locker demands a substantial Bitcoin ransom, and the threat actors behind the attacks have set a strict deadline for payment." If the instructions are not followed within the allotted time, the encrypted data may be permanently lost or the ransom price may rise."

The appearance of the Linux variant indicates a change in the strategies used by ransomware developers. Historically, ransomware attacks have primarily targeted Windows-based computers. This new discovery, however, suggests that there is increasing interest in breaking into Linux-based servers, which are frequently used to host important websites, databases, and apps.

Experts and researchers in security are hard at work examining the behavior of ransomware to identify any vulnerabilities that might help in the creation of decryption software or defense mechanisms. They encourage businesses to lower their vulnerability to these kinds of attacks by keeping their software up to date, installing security patches as soon as possible, and adhering to recommended server hardening procedures.

The main emphasis should be on prevention rather than reaction, as is the case with many ransomware strains. An organization's capacity to repel ransomware attacks can be greatly increased by putting strong security measures in place, backing up data often, and implementing intrusion detection systems.

The scenario is obviously worrying, but it also emphasizes how constantly changing cyber threats are. It is a clear reminder that businesses need to be proactive and watchful in protecting their systems from the newest threats and weaknesses.

To keep ahead of attackers, the cybersecurity community keeps in touch and exchanges information. Affected firms should implement security best practices and notify law enforcement authorities, such as local law enforcement or national cybersecurity authorities, of any ransomware attacks.

Read more »
zero-day
Anonymous Data Breach ICAN Italy Kali Linux PowerShell servers Software Trojan unauthorised access zero-day

Global Ransomware Attack Targets VMware ESXi Servers



Cybersecurity firms around the world have recently warned of an increase in cyberattacks, particularly those targeting corporate banking clients and computer servers. The Italian National Cybersecurity Agency (ACN) recently reported a global ransomware hacking campaign that targeted VMware ESXi servers, urging organisations to take action to protect their systems.

In addition, Italian cybersecurity firm Cleafy researchers Federico Valentini and Alessandro Strino reported an ongoing financial fraud campaign since at least 2019 that leverages a new web-inject toolkit called drIBAN. The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments, altering legitimate banking transfers performed by the victims and transferring money to an illegitimate bank account.

These accounts are either controlled by the threat actors or their affiliates, who are then tasked with laundering the stolen funds. The fraudulent transactions are often realized by means of a technique called Automated Transfer System (ATS) that's capable of bypassing anti-fraud systems put in place by banks and initiating unauthorized wire transfers from a victim's own computer.

The operators behind drIBAN have become more adept at avoiding detection and developing effective social engineering strategies, in addition to establishing a foothold for long periods in corporate bank networks. Furthermore, there are indications that the activity cluster overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the U.K.

Organisations need to be aware of these threats and take immediate action to protect their systems from cyberattacks. The ACN has reported that dozens of Italian organisations have been likely affected by the global ransomware attack and many more have been warned to take action to avoid being locked out of their systems.


Read more »
User Privacy
Air-Gapped Computers Encryption keylogger Linux malware Phishing Attacks South Korea User Privacy

Korean University Disclosed a Potential Covert Channel Attack

The School of Cyber Security at the Korean University in Seoul has developed a novel covert channel attack called CASPER that may leak data from air-gapped computers to a nearby smartphone at a pace of 20 bits per second. 

What is CASPER?

Casper is a 'recognition tool,' built to characterize its targets and decide whether or not to keep tracking them. Prior to introducing more advanced persistent malware into the targeted systems for espionage, the Casper surveillance virus was employed as a starting point.

Data leak

The target needs to first be infected with malware by a rogue employee or a cunning attacker with physical access, which is the case with nearly all personal channel attacks that target network-isolated systems.

Attacks utilizing external speakers have been created in the past by researchers. External speakers are unlikely to be employed in air-gapped, network-isolated systems used in harsh settings like government networks, energy infrastructure, and weapon control systems.

The malicious software has the ability to search the target's filesystem on its own, find files or data formats that match a hardcoded list, and make an exfiltration attempt.

Keylogging is a more realistic option and is better suited for such a slow data transmission rate. The malware will use binary or Morse code to encrypt the information to be stolen from the target and then transmit it through the internal speaker utilizing frequency modulation to create an undetectable ultrasound between 17 kHz and 20 kHz.

The researchers tested the proposed model using a Samsung Galaxy Z Flip 3 as the receiver and an Ubuntu 20.04-based Linux computer as the target. Both were running a simple recorder application with a sampling frequency of up to 20 kHz.

In the Morse code study, the researchers employed 18 kHz for dots and 19 kHz for dashes, with a length per bit of 100 ms. The smartphone, which was 50 cm away, was able to interpret the word 'covert' that was sent. In the binary data study, each bit had a length of 50 ms and was transferred at a frequency of 18 kHz for zeros and 19 kHz for ones. Nonetheless, the overall experiment findings demonstrate that the length per bit impacts the bit error rate, and a max reliable transmitting bit rate of 20 bits/s is possible when the length per bit is 50 ms.

A standard 8-character password could be transmitted by the malware in around 3 seconds at this data transfer rate, while a 2048-bit RSA key could be transmitted in roughly 100 seconds. Even under ideal conditions and with no interruptions, anything larger than that, such as a little 10 KB file, would take longer than an hour to escape the air-gapped system.

"Because sound can only transmit data at a certain speed, our technology cannot transmit data as quickly as other covert channel technologies using optical or electromagnetic methods." – Korea University.

The attack is limited since internal speakers can only emit sound in a single frequency band. Changing the frequency band for several simultaneous transmissions would be a solution to the slow data rate. The simplest method of defense against the CASPER assault was to turn off the internal speakers in mission-critical computers, which was disclosed by the researchers. The defense team could also use a high-pass filter to keep all created frequencies inside the range of audible sound, preventing ultrasonic transmissions. 





Read more »
Windows
Android Atlas VPN AV-ATLAS Cyber Criminals Linux macOS malware Malware Threats Operating system Windows

Linux Malware Records a New High in 2022


While more and more devices are adopting Linux as their operating system, the popularity of the software has nonetheless attracted cyber-criminals. According to recent reports, the number of malware aimed at the software increased dramatically in 2022. 

As per the reports from observations made by Atlas VPN based on data from threat intelligence platform AV-ATLAS, as many as 1.9 million Linux malware threats were observed in 2022, bringing the figure up 50% year-on-year. 

The reports further claimed that most of the Linux malware samples were discovered in the first three months of the year. 

 Secure Operating System

In Q1 2022, researchers identified 854,690 new strains. The number later dropped by 3% in Q2, detecting 833,065 new strains. 

The number of new detections fell 91% to 75,841 in the third quarter of the year, indicating that Linux malware developers may have taken their time off. The numbers increased once more in the fourth quarter of the year, rising by 117% to 164,697. 

Despite the researcher’s observations, Linux remains one of the “highly secure operating systems.” 

“The open-source nature of Linux allows for constant review by the tech community, leading to fewer exploitable security vulnerabilities. Additionally, Linux limits administrative privileges for users and compared to more widely used operating systems like Windows, it still has less malware targeting it,” the researchers added. 

While threat actors will not stop chasing flaws in the world’s fifth most popular operating systems, businesses and consumers alike must also be on the lookout, the researchers concluded. 

Although Linux is not as popular as Windows or macOS, it is still a widely used operating system. From Android devices (which are built on Linux) to Chromebooks, video cameras, and wearable devices, to all kinds of servers (web servers, database servers, email servers, etc.) there are more than 32 million endpoints operating on Linux.  

Read more »
Zero-Day Attack
BoldMove Backdoor Chinese Actors Fortinet Fortinet FortiOS FortiOS Google Hackers Linux Mandiant Threat Intelligence Vulnerabilities and Exploits zero-day Zero-Day Attack

Hackers Designs Malware for Recently Patched Fortinet Zero-Day Vulnerability


Researchers who recently disclosed and patched the zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a new backdoor, specifically created in order to run on Fortinet’s FortiGate firewalls. 

Initial evidence collected by Google-owned security firm Mandiant suggests that the exploitation occurred in October 2022, nearly two months before the vulnerability was patched. Targets included a government entity in Europe and a managed services provider in Africa. 

According to a report published by Mandiant, the malware appears to have been created by a China-based threat actor that conducts cyber-espionage operations against individuals and groups associated with the government. 

It is the most recent instance of attackers from the country attacking firewalls, IPS, IDS, and other technologies used by businesses to secure their networks that are internet-facing. 

BoldMove Backdoor 

The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant created especially to run on Fortinet's FortiGate firewalls. 

The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could allow for unauthenticated remote code execution through carefully constructed requests. 

Earlier this month, Fortinet revealed that the unidentified hacking groups had taken advantage of the flaw to attack governments and other major institutions with a generic Linux implant capable of delivering additional payloads and carrying out remote server commands. 

Mandiant findings also indicate that the hackers managed to exploit the zero-day vulnerability to their advantage, accessing target networks for espionage operations. "With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant added. 

The BoldMove Backdoor malware, written in C, is apparently available in both Windows and Linux versions, with the latter being able to read data from a Fortinet-exclusive file format. 

Moreover, according to Fortinet’s report, an extended Linux sample comes with a feature that allows attackers to disable and manipulate logging features in order to evade detection. Despite the fact that no copies of the backdoor have been found in the wild, metadata analysis of the Windows variations reveals that they were created as early as 2021. 

"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted. 

Schooled in FortiOS 

Meanwhile, Fortinet itself described the malware as a variant of “generic” Linux backdoor designed by threat actors for FortiOS. According to the company's analysis, affected systems may have had the malicious file disguising itself as a part of Fortinet's IPS engine. 

According to Fortinet, one of the malware's more advanced features included manipulating FortiOS log-in to avoid detection. The malware can search FortiOS for event logs, decompress them in memory, and search for and delete a specific string that allows it to reconstruct the logs. The malware can also completely disable logging processes. 

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," says Fortinet. 

Fortinet adds that designing the malware would have required the threat actors to have a “deep understanding” of the FortiOS and its underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.  

Read more »
Ransomware
Bots Cryptominers Digital Infrastructure Firewalls Linux Linux Servers malware Ransom Ransomware

This Linux Malware Bombards Computers with DDoS Bots and Cryptominers

 

Security experts have discovered a new Linux malware downloader that uses cryptocurrency miners and DDoS IRC bots to attack Linux servers with weak security. After the downloader's shell script compiler (SHC) was uploaded to VirusTotal, researchers from ASEC found the attack. It appears that Korean users were the ones who uploaded the SHC, and Korean users are also the targets. 

Additional research has revealed that threat actors target Linux servers with weak security by brute-forcing their way into administrator accounts over SSH. Once inside, they'll either set up a DDoS IRC bot or a cryptocurrency miner. XMRig, arguably the most well-liked cryptocurrency miner among hackers, is the miner that is being used.

It generates Monero, a privacy-focused cryptocurrency whose transactions appear to be impossible to track and whose users are allegedly impossible to identify, using the computing power of a victim's endpoints.

Threat actors can use the DDoS IRC bot to execute commands like TCP Flood, UDP Flood, or HTTP Flood. They can execute port scans, Nmap scans, terminate various processes, clear the logs, and other operations. Malicious deployments are continuously thrown at Linux systems, most frequently ransomware and cryptojacking.

"Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks," ASEC stated in its report. "Administrators should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers."

The continued success of Linux services in the digital infrastructure and cloud industries, as well as the fact that the majority of anti-malware and cybersecurity solutions are concentrated on protecting Windows-based devices, according to a VMware report from February 2022, put Linux in a risky situation.
Read more »
Subscribe to: Posts (Atom)