Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Linux. Show all posts
Penetration Testing
Cyber Security Digital Forensics Ethical Hacking Kali Kali Pentesting Linux Linux Linux Security Penetration Testing

What Is Kali Linux? Everything You Need to Know

 

Kali Linux has become a cornerstone of cybersecurity, widely used by ethical hackers, penetration testers, and security professionals. This open-source Debian-based distribution is designed specifically for security testing and digital forensics. 

Recognized for its extensive toolset, it has been featured in popular culture, including the TV series Mr. Robot. Its accessibility and specialized features make it a preferred choice for those working in cybersecurity. The project originated as a successor to BackTrack Linux, developed by Offensive Security (OffSec) in 2013. 

Created by Mati Aharoni and Devon Kearns, Kali was designed to be a more refined, customizable, and scalable penetration testing platform. Unlike its predecessor, Kali adopted a rolling release model in 2016, ensuring continuous updates and seamless integration of the latest security tools. This model keeps the OS up to date with emerging cybersecurity threats and techniques. 

One of Kali Linux’s standout features is its extensive suite of security testing tools—approximately 600 in total—catering to various tasks, including network penetration testing, password cracking, vulnerability analysis, and digital forensics. The OS is also optimized for a wide range of hardware platforms, from traditional desktops and laptops to ARM-based systems like Raspberry Pi and even Android devices through Kali NetHunter. 

A key advantage of Kali is its built-in customization and ease of use. Unlike installing individual security tools on a standard Linux distribution, Kali provides a ready-to-use environment where everything is pre-configured. Additionally, it offers unique capabilities such as “Boot Nuke,” which enables secure data wiping, and containerized support for running older security tools that may no longer be maintained. 

Maintained and funded by Offensive Security, Kali Linux benefits from ongoing community contributions and industry support. The development team continuously enhances the system, addressing technical challenges like transitioning to updated architectures, improving multi-platform compatibility, and ensuring stability despite its rolling release model. 

The project also prioritizes accessibility for both seasoned professionals and newcomers, offering free educational resources like Kali Linux Revealed to help users get started. Looking ahead, Kali Linux’s roadmap remains dynamic, adapting to the fast-changing cybersecurity landscape. 

While core updates follow a structured quarterly release cycle, the development team quickly integrates new security tools, updates, and features as needed. With its strong foundation and community-driven approach, Kali Linux continues to evolve as an essential tool for cybersecurity professionals worldwide.
Read more »
Windows
data security LightSpy Linux Mac malware Windows

LightSpy Malware Attacks Users, Launches Over 100 Commands to Steal Data


Cybersecurity researchers at Hunt.io have found an updated version of LightSpy implant, a modular surveillance framework for data collection and extraction. Famous for attacking mobile devices initially, further enquiry revealed it can attack macOS, Windows, Linux, and routers. 

LightSpy has been executed in targeted attacks, it uses watering hole techniques and exploit-based delivery, coupled with an infrastructure that swiftly escapes detection. LightSpy was first reported in 2020, targeting users in Hong Kong.

History of LightSpy

LightSpy has been historically famous for attacking messaging apps like WeChat, Telegram, QQ, Line, and WhatsApp throughout different OS. According to ThreatFabric report, the framework can extract payment data from WeChat, remove contacts, wipe out messaging history, and alot of other things.

The compromised things include WiFi network details, iCloud Keychain, screenshots, location, browser history, photos, call history, and SMS texts.

Regarding server analysis, the LightSpy researcher said they "share similarities with prior malicious infrastructure but introduce notable differences in the command list."

Further, "the servers analyzed in this research As previously observed, the cmd_list endpoint is at /ujmfanncy76211/front_api. Another endpoint, command_list, also exists but requires authentication, preventing direct analysis."

LightSpy Capabilities

In 2024, ThreatFabric reported about an updated malware version that has destructive capability to stop compromised device from booting up, in addition to the number of supported plugins from 12 to 28.

Earlier research has disclosed potential overlaps between an Android malware called "DragonEgg" and LightSpy, showing the threat's cross-platform nature.

Hunt.io's recent analysis study of the malicious command-and-control (C2) infrastructure linked with the spyware has found support for more than 100 commands spread across iOS, macOS, Linux, routers, and Windows.

Expert insights

Commenting on the overall impact of the malware, Hunt.io experts believe “LightSpy's infrastructure reveals previously unreported components and administrative functionality.” However, the experts remain unsure if it symbolizes new growths or earlier versions not publicly reported. “Command set modifications and Windows-targeted plugins suggest that operators continue to refine their data collection and surveillance approach across multiple platforms,” concludes 

To stay safe, experts suggest users to:

Limit app permissions to avoid unwanted access to important data. “On Android, use Privacy Dashboard to review and revoke permissions; on iOS, enable App Privacy Reports to monitor background data access.”

Turn on advanced device security features that restrict the exploitability of devices. iOS users can enable Lockdown Mode and Android users can turn on Enhanced Google Play Protect and use protection features to identify and block suspicious activities. 

Read more »
Windows
BlackLock Cyber Attacks Linux Ransomware Windows

BlackLock Ransomware: The Fastest-Growing Cyber Threat and How to Stay Safe

 



Ransomware remains a major problem for businesses, and a new cybercriminal group is expanding at an alarming rate. Security researchers at ReliaQuest have identified BlackLock as the fastest-growing ransomware operation today, with its activity increasing by 1,425% since late 2024. Although it is currently the seventh most active ransomware group, experts predict it could become the biggest threat in 2025.  

Despite law enforcement cracking down on major ransomware gangs like LockBit in 2024, the number of cyberattacks continues to grow. A report from January 31 suggested ransomware incidents had risen by 15% compared to the previous year. However, a February 20 study by Symantec showed a slower increase of just 3%. No matter the rate, the takeaway is the same, ransomware remains a serious risk.  


How BlackLock Ransomware Operates  

BlackLock ransomware is designed to infect Windows, Linux, and VMware ESXi systems, making it a versatile and dangerous threat. Cybercriminals behind this operation have developed unique methods to pressure victims into paying ransom quickly.  


1. Blocking access to stolen data  

  • Ransomware groups often leak stolen information on dark web sites to force victims to pay.  
  • BlackLock makes it harder for victims and cybersecurity teams to access leaked data by blocking repeated download attempts.  
  • If someone tries to retrieve files too often, they either receive no response or only see empty files with contact details instead of real data.  
  • This tactic prevents companies from fully understanding what was stolen, increasing the likelihood of paying the ransom.  


2. Recruiting criminals to assist with attacks  

  • BlackLock actively hires "traffers," cybercriminals who help spread ransomware by tricking people into downloading malware.  
  • These traffers guide victims toward fake websites or malicious links that install ransomware.  
  • The group openly recruits low-level hackers on underground forums, while more skilled cybercriminals are privately contacted for higher-level roles.  


Steps to Protect Your Systems  

Security experts recommend taking immediate action to strengthen defenses, especially for companies using VMware ESXi servers. Here are some key steps:  

1. Turn off unnecessary services  

  • Disable unused features like vMotion and SNMP to reduce possible entry points for attackers.  

2. Strengthen security restrictions  

  •  Configure VMware ESXi hosts to only allow management through vCenter, making it harder for hackers to exploit weaknesses.  

3. Limit network access  

  •  Use firewalls and strict access controls to prevent unauthorized users from reaching sensitive systems.  

Additional recommendations include:  

1. Activating multi-factor authentication (MFA) to prevent unauthorized logins.  

2. Disabling Remote Desktop Protocol (RDP) on systems that do not need remote access.  

The rapid rise of BlackLock ransomware shows that cybercriminals ar constantly developing new strategies to pressure victims and avoid detection. Organizations must take proactive steps to secure their networks and stay informed about emerging threats. Implementing strong security controls today can prevent costly cyberattacks in the future.

Read more »
Pumakit Rootkit
Cyberattacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Linux LKM malware PT Pumakit Rootkit

Pumakit Rootkit Challenges Linux Security Systems

 


According to the researchers from the Elastic Security Lab, a new rootkit called PUMAKIT can perform various advanced evasion mechanisms. When Elastic Security researchers discovered PUMAKIT while routinely hunting for threats on VirusTotal, they described it as PUMAKIT. Many stages are involved in deploying this multi-stage malware, including a dropper, two memory-resident executables, an LKM rootkit module, and a shared object rootkit, all of which are used in the userland. 

To manipulate core system behaviours, the rootkit component can hook into 18 different syscalls and several kernel functions using an internal Linux function tracer (ftrace), which enables it to control the behaviour of core system components. The rootkit is an advanced persistent threat (APT) that tends to target critical organizations with specific programs designed to establish persistence within compromised systems.

The rootkit is often used by APT groups in their attempts to target critical organizations with specific programs. As a result of the discovery of this Linux rootkit malware called Pumakit, it can evade detection and compromise systems through advanced stealth and privilege escalation techniques. Several components make up this sophisticated malware, including a dropper, a memory-resident executable, kernel module rootkits, and userland rootkits. 

The Pumakit malware family was discovered by Elastic Security in a suspicious binary 'cron' uploaded to VirusTotal on September 4, 2024. The details surrounding its identity and target remain vague. There are a variety of rootkits like this that are commonly used by advanced threat actors to undermine critical infrastructure, steal money, disrupt operations, and infiltrate enterprise systems to conduct espionage. As a sophisticated piece of malware, PUMAKIT was discovered via routine threat detection on VirusTotal as part of routine threat hunting. 

Its binary contains strings embedded by the developer that can be easily identified and accessed by developers. There is an internal structure to the malware that is based on a multi-stage architecture, which comprises a dropper component named "cron", two memory-resident executables called TGT and WPN, an LKM rootkit called Pumba and a shared object rootkit called Kitsune that is bundled in with the malware. This payload allows for loading the LKM rootkit ('puma.ko') into the kernel as well as the userland rootkit ('Kitsune SO') to intercept system calls via the userland.  

A kernel function, such as "prepare_creds" and "commit_creds," can also be used to alter core system behaviour and achieve its objectives. It includes the use of the internal Linux function tracer (trace) to hook into as many as 18 different system calls and various kernel functions, such as "prepare_creds." and "commit_creds." In addition, Elastic noted that every step of the infection chain is designed to conceal the malware's presence, leveraging memory-resident files, and doing specific checks before unleashing the rootkit, which will make it difficult for the user to detect it before it is launched. 

As of right now, the company has not linked PUMAKIT to any known threat actor or group and believes that the software most likely originated from unknown sources. As you may know, PUMAKIT is a sophisticated and stealthy threat, which utilizes advanced techniques like syscall hooks, memory-resident execution, and unique methods for escalating privileges. According to the researchers, it is a multi-architectural malware that demonstrates the increasing sophistication of malware aimed at Linux. For IForthe LKM rootkit to be able to manipulate the behaviour of a system, it must use the syscall table, as well as kallsyms_lookup_name() to find symbol names. 

Rootkits targeting kernel versions 5.7 and above tend to use probes, which means they are designed for older kernels which makes them more difficult to detect than modern rootkits. There has been a debate within the kernel development team about the unsporting of the kallsyms_lookup_name() code to prevent unauthorized or malicious modules from misusing it. As part of this tactic, modules are often added with fake MODULE_LICENSE("GPL") declarations that circumvent license checks, thereby allowing them to access non-exported kernel functions, which is not permitted under the GPL.

A Linux rootkit known as PUMAKIT, or Pumakkit for short, has been discovered that underscores the sophistication with which Linux systems are being targeted by targeted threats. This malware is one of the most dangerous adversaries because it can evade detection and execute advanced attacks. In any case, proactive measures can reduce the harm caused by these threats by recommending regular updates and by increasing monitoring capabilities, among other measures. 

To defend against attacks like PUMAKIT being carried out by hackers like Kumak, it is crucial to remain informed and vigilant in the face of evolving cybersecurity threats. Users must take every precaution to ensure that their Linux systems are protected from this and other advanced malware threats.
Read more »
Windows
Check Point research CyberCrime Cyberhackers Cybersecurity Cyberthreats GodLoader Godot Game iOS Linux macOS malware Windows

Godot Game Engine Targeted in Widespread Malware Attack

 


A newly identified malware threat, GodLoader, is targeting gamers globally by exploiting the Godot game development engine, according to a report from Check Point Research. This sophisticated attack has already impacted more than 1.2 million users across various platforms. 

How GodLoader Works 

 
GodLoader infiltrates devices by leveraging Godot’s .pck files, which package game assets. These files can embed harmful scripts that execute malicious code upon launching a game, effectively bypassing traditional antivirus detection. The malware primarily targets: 

-Windows 
- macOS 
- Linux 
- Android 
- iOS 

Check Point Research reported that hackers have infected over 17,000 systems in just the past three months. By utilizing Godot’s GDScript (a Python-like scripting language), attackers distribute malware via more than 200 GitHub repositories, often masked as legitimate game assets. 

Exploitation of Open-Source Trust 


Eli Smadja, Security Research Group Manager at Check Point Software Technologies, highlighted the exploitation of open-source platforms:  

"Cybercriminals have turned the flexibility of the Godot Engine into a vulnerability, spreading cross-platform malware like GodLoader by capitalizing on the trust users place in open-source software." 

Infected computers are not only compromised but may also be converted into cryptocurrency mining rigs through XMRig, rendering them unusable for other tasks. 

Stargazers Ghost Network: Distribution-as-a-Service (DaaS) 


The attackers used the Stargazers Ghost Network to distribute GodLoader. This platform, active since 2022, employs over 3,000 ghost GitHub accounts to create networks of malicious repositories. These repositories: 

- Host info stealers like RedLine, Lumma Stealer, Rhadamanthys, and RisePro. 
- Manipulate GitHub’s trending section by starring, forking, and subscribing to their own repositories to appear legitimate. 

During a campaign between September and October 2024, Check Point discovered four separate attacks targeting developers and gamers. These attacks aimed to distribute infected tools and games, enticing users to download malware through seemingly credible GitHub repositories. 

Broader Implications and Future Risks 


The malware’s ability to target multiple platforms significantly enlarges the attack surface, posing a growing threat to the gaming community. Experts warn that attackers could embed malware into cheats, mods, or cracks for popular Godot-built games, increasing the vulnerability of millions of gamers. 

The Stargazers Ghost Network has already earned over $100,000 by distributing malware through its DaaS platform. With its continuous evolution, this network poses an ongoing threat to both developers and users of the Godot engine. 

Call to Action for Developers and Gamers 


Industry experts emphasize the urgent need for proactive cybersecurity measures to counter such threats. Recommendations include: 

- Avoid downloading game assets from unverified sources. 
- Regularly update antivirus and anti-malware software. 
- Implement robust security practices when developing or downloading games built with Godot. 

As the gaming ecosystem continues to expand, vigilance and collaboration between developers and security researchers will be critical in mitigating threats like GodLoader and ensuring a safer gaming environment.
Read more »
Threat Landscape
Linux malware Misconfiguration Security flaw Threat Landscape

Stealthy Malware Has Infected Thousands of Linux Systems Since 2021

 

Aqua Security researchers have raised concerns about a newly identified malware family that targets Linux-based machines in order to get persistent access and control resources for crypto mining. The malware, known as perfctl, purports to exploit over 20,000 different types of misconfigurations and known vulnerabilities and has been active for over three years. 

Aqua Security uncovered that perfctl uses a rootkit to hide itself on compromised systems, runs as a service in the background, is only active when the machine is idle, communicates via a Unix socket and Tor, installs a backdoor on the infected server, and attempts to escalate privileges. The malware's handlers have been detected deploying more reconnaissance tools, proxy-jacking software, and a cryptocurrency miner. 

The attack chain begins with the exploitation of a vulnerability or misconfiguration, followed by the deployment and execution of the payload from a remote HTTP server. Next, it copies itself to the temporary directory, terminates the old process, deletes the initial binary, and runs from the new location. 

The payload contains an attack for CVE-2021-4043, a medium-severity Null pointer dereference vulnerability in the open source multimedia framework Gpac, which it uses to get root access. The flaw was recently uploaded to CISA's Known Exploited Vulnerabilities database. 

In addition to the cryptominer, the malware was observed copying itself to numerous additional locations on the computers, dropping a rootkit and popular Linux applications modified to function as userland rootkits. It uses a Unix socket to handle local communications and the Tor anonymity network for external command-and-control (C&C). 

"All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defence mechanisms and hinder reverse engineering attempts," the company said. 

Furthermore, the malware monitors specific files and, if a user logs in, it suspends activities to conceal its presence. It also ensures that user-specific configurations are executed in Bash contexts, allowing the server to run normally. 

For persistence, perfctl alters a script such that it is executed before the server's legitimate workload. It also attempts to terminate the processes of any additional malware it detects on the infected PC. 

The deployed rootkit hooks into various functions and modifies their functionality, including changes that allow "unauthorised actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behaviour of authentication mechanisms," according to Aqua Security. 

The cybersecurity firm found three download servers linked to the attacks, as well as other websites that were likely hacked by the threat actors, resulting in the finding of artefacts used in the exploitation of vulnerable or misconfigured Linux servers. 

“We identified a very long list of almost 20K directory traversal fuzzing list, seeking for mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) the attacker can run to exploit the misconfiguration,” the company added.
Read more »
Proxyjacking
cryptomining Linux malware Perfctl Malware Proxyjacking

Cryptomining and Proxyjacking: The Rise of Perfctl Malware


A new and highly sophisticated malware strain has emerged, posing a significant threat to millions of Linux servers worldwide. Dubbed "perfctl," this fileless malware employs advanced evasion techniques and exploits a staggering 20,000 misconfigurations in Linux servers. 

Its primary targets are unprotected or poorly configured systems, where it installs cryptomining and proxyjacking malware. 

The Anatomy of "perfctl"

Unlike traditional malware, "perfctl" is fileless, which means it doesn't rely on files stored on the disk to execute its payload. Instead, it operates entirely in the memory of the infected system, making it extremely difficult to detect and remove. Fileless malware leverages legitimate system tools and processes to carry out its malicious activities, often leaving minimal traces for security software to identify.

Perfctl specifically targets Linux servers, which are widely used in enterprise environments due to their reliability and scalability. By exploiting misconfigurations, this malware gains initial access to the system. Once inside, it deploys its payload directly into the memory, bypassing traditional antivirus and endpoint protection solutions.

Exploiting Misconfigurations

Misconfigurations are the weakness of many systems, and Linux servers are no exception. According to security experts, "perfctl" exploits around 20,000 different misconfigurations to infiltrate its targets. These misconfigurations can range from default or weak passwords to unpatched vulnerabilities and improperly set access controls.

Once the malware gains access, it uses a combination of evasion techniques to stay hidden. It can mask its presence by hijacking legitimate processes, using encryption to conceal its communication, and employing anti-forensic measures to prevent detection and analysis. This makes "perfctl" a formidable adversary for even the most advanced security solutions.

The Impact: Cryptomining and Proxyjacking

The primary goal of "perfctl" is to install cryptomining and proxyjacking malware on infected systems. Cryptomining malware uses the server's computational power to mine cryptocurrencies like Bitcoin or Monero, generating revenue for the attackers at the expense of the victim's resources. This can lead to decreased performance, increased operational costs, and potential hardware damage due to overuse.

Proxyjacking, on the other hand, involves using the compromised server as a proxy to route malicious traffic, often as part of a larger botnet. This can have serious implications for the victim's network, including reduced bandwidth, increased latency, and potential legal consequences if the server is used for illegal activities.

Mitigation and Prevention

Regularly update and patch systems: Ensure that all software, including operating systems and applications, are up-to-date with the latest security patches.

Harden server configurations: Review and harden server configurations to eliminate potential misconfigurations. This includes enforcing strong passwords, disabling unnecessary services, and setting proper access controls.

Implement advanced threat detection solutions: Use behavior-based and memory-resident threat detection solutions that can identify and respond to fileless malware activities.

Conduct regular security audits: Regularly audit systems for vulnerabilities and misconfigurations. Conduct penetration testing to identify and remediate potential weaknesses.

Educate and train employees: Ensure that IT staff and employees are aware of the latest threats and best practices for cybersecurity.

Read more »
PC
Apple Devices BitLocker encryption Cyber Security Linux Microsoft Operating system PC

Why Windows 11 Requires a TPM and How It Enhances Security

 

When Microsoft launched Windows 11 in 2021, the new operating system came with a stringent hardware requirement: the presence of a Trusted Platform Module (TPM), specifically one that meets the TPM 2.0 standard. A TPM is a secure cryptoprocessor designed to manage encryption keys and handle security-related tasks, making it a critical component for features such as Secure Boot, BitLocker, and Windows Hello. 

The TPM architecture, defined by the ISO/IEC 11889 standard, was created over 20 years ago by the Trusted Computing Group. The standard outlines how cryptographic operations should be implemented, emphasizing integrity protection, isolation, and confidentiality. A TPM can be implemented as a discrete chip on a motherboard, embedded in the firmware of a PC chipset, or built directly into the CPU, as Intel, AMD, and Qualcomm have done over the past decade. 

Most PCs manufactured since 2016 come with a TPM 2.0, as Microsoft mandated that year that all new computers shipped with Windows must have this technology enabled by default. Even some older devices may have a TPM, though it might be disabled in the BIOS or firmware settings. Intel began incorporating TPM 2.0 into its processors in 2014, but the feature was mainly available on business-oriented models. Devices built before 2014 may have discrete TPMs that conform to the earlier TPM 1.2 standard, which is not officially supported by Windows 11. 

The TPM enhances security by providing a secure environment for processing cryptographic operations and storing sensitive data, like private keys used for encryption. For example, it works with the Secure Boot feature to ensure that only signed, trusted code runs during startup. It also enables biometric authentication via Windows Hello and holds the BitLocker keys that encrypt the contents of a system disk, making unauthorized access nearly impossible. Windows 10 and 11 initialize and take ownership of the TPM during installation, and it’s not just limited to Windows; Linux PCs and IoT devices can also use a TPM. 

Apple devices employ a different design known as the Secure Enclave, which performs similar cryptographic tasks. The added level of security provided by a TPM is crucial in protecting against tampering and unauthorized data access. For those with older PCs, upgrading to Windows 11 may require enabling TPM in the BIOS or using a utility to bypass hardware checks. However, the extra security enforced by TPM in tamper-resistant hardware is an essential advancement in protecting your data and ensuring system integrity.
Read more »
Subscribe to: Posts (Atom)