Recently, cybersecurity experts have noticed a concerning threat to Linux servers worldwide. Known as DinodasRAT (also referred to as XDealer), this malicious software has been identified targeting systems running Red Hat and Ubuntu operating systems. The campaign, suspected to have been operational since 2022, signifies a growing concern for server security.
While the Linux variant of DinodasRAT has been detected, details about its operation remain limited. However, previous versions have been traced back to 2021, indicating a persistent threat. Notably, DinodasRAT has previously targeted Windows systems in a campaign dubbed 'Operation Jacana,' focusing on governmental entities.
Trend Micro reported on the activities of a Chinese APT group identified as 'Earth Krahang,' utilising XDealer to breach both Windows and Linux systems of governmental organisations globally. This revelation underlines the severity and scope of the threat posed by DinodasRAT.
According to insights provided by Kaspersky researchers, the Linux version of DinodasRAT exhibits sophisticated behaviour upon execution. It establishes persistence on the infected device through SystemV or SystemD startup scripts and creates a hidden file acting as a mutex to prevent multiple instances from running simultaneously. Furthermore, the malware communicates with a command and control (C2) server via TCP or UDP, ensuring secure data exchange through encryption algorithms.
DinodasRAT possesses a range of capabilities designed to monitor, control, and exfiltrate data from compromised systems. These include tracking user activities, executing commands from the C2 server, managing processes and services, offering remote access to the attacker, proxying communications, downloading updates, and self-uninstallation to erase traces of its presence.
Kaspersky researchers emphasise that DinodasRAT provides threat actors with complete control over compromised systems, enabling data exfiltration and espionage. The malware primarily targets Linux servers, with affected victims identified in China, Taiwan, Turkey, and Uzbekistan since October 2023.
Despite the severity of the threat, details regarding the initial infection method remain undisclosed. Nevertheless, the sudden rise of DinodasRAT underscores the insistence on robust cybersecurity measures, especially for organisations relying on Linux servers for critical operations.
As cybersecurity experts continue to monitor and analyse this surge in upcoming threats, proactive measures such as regular system updates, network monitoring, and employee training on security best practices become increasingly crucial in safeguarding against sophisticated threats like DinodasRAT.
Vulnerabilities in the constantly changing technology landscape present serious risks to the safety of our online lives. A significant Bluetooth security weakness that affects Apple, Linux, and Android devices has recently come to light in the cybersecurity community, potentially putting millions of users at risk of hacking.
Security experts from SkySafe, a renowned cybersecurity firm, delved into the intricacies of the vulnerability and disclosed their findings on GitHub. If successfully employed, the exploit could lead to a myriad of security breaches, prompting urgent attention from device manufacturers and software developers alike.
Apple, a prominent player in the tech industry, was not exempt from the repercussions of this Bluetooth bug. The flaw could potentially enable hackers to hijack Apple devices, raising concerns among millions of iPhone, iPad, and MacBook users. Apple, known for its commitment to user security, has been swift in acknowledging the issue and is actively working on a patch to mitigate the vulnerability.
Linux, an open-source operating system widely used across various platforms, also faced the brunt of this security loophole. With a significant user base relying on Linux for its robustness and versatility, the impact of the Bluetooth flaw extends to diverse systems, emphasizing the urgency of a comprehensive solution.
Android, the dominant mobile operating system, issued a security bulletin addressing the Bluetooth vulnerability. The Android Security Bulletin for December 2023 outlined the potential risks and provided guidance on necessary patches and updates. As the flaw could compromise the security of Android devices, users are strongly advised to implement the recommended measures promptly.
Cybersecurity experts stated, "The discovery of this Bluetooth vulnerability is a stark reminder of the constant vigilance required in the digital age. It underscores the importance of prompt action by manufacturers and users to ensure the security and integrity of personal and sensitive information."
This Bluetooth security issue serves as a grim reminder of the ongoing fight against new cyber threats as the tech world struggles with its implications. In order to strengthen its commitment to a secure digital future, the IT industry is working together with developers, manufacturers, and consumers to quickly identify and fix vulnerabilities.
The infamous Abyss Locker ransomware has surfaced as a significant threat to Linux users, primarily targeting VMware ESXi servers. This is worrying news for cybersecurity experts and server managers. Security experts are concerned about this ransomware's potential damage to vital server infrastructure.
According to reports from reliable sources, the Linux version of Abyss Locker is specifically made to take advantage of vulnerabilities in VMware ESXi servers, which are frequently used in data centers and enterprise settings.
Targeted servers are thought to be accessed by ransomware using well-known security flaws, frequently made possible by incorrect setups or unpatched software. Upon entering the system, Abyss Locker employs encryption algorithms to secure important files and databases, making them unavailable to authorized users of the server.
Cybersecurity news source BleepingComputer stated that "Abyss Locker demands a substantial Bitcoin ransom, and the threat actors behind the attacks have set a strict deadline for payment." If the instructions are not followed within the allotted time, the encrypted data may be permanently lost or the ransom price may rise."
The appearance of the Linux variant indicates a change in the strategies used by ransomware developers. Historically, ransomware attacks have primarily targeted Windows-based computers. This new discovery, however, suggests that there is increasing interest in breaking into Linux-based servers, which are frequently used to host important websites, databases, and apps.
Experts and researchers in security are hard at work examining the behavior of ransomware to identify any vulnerabilities that might help in the creation of decryption software or defense mechanisms. They encourage businesses to lower their vulnerability to these kinds of attacks by keeping their software up to date, installing security patches as soon as possible, and adhering to recommended server hardening procedures.
The main emphasis should be on prevention rather than reaction, as is the case with many ransomware strains. An organization's capacity to repel ransomware attacks can be greatly increased by putting strong security measures in place, backing up data often, and implementing intrusion detection systems.
The scenario is obviously worrying, but it also emphasizes how constantly changing cyber threats are. It is a clear reminder that businesses need to be proactive and watchful in protecting their systems from the newest threats and weaknesses.
To keep ahead of attackers, the cybersecurity community keeps in touch and exchanges information. Affected firms should implement security best practices and notify law enforcement authorities, such as local law enforcement or national cybersecurity authorities, of any ransomware attacks.
In addition, Italian cybersecurity firm Cleafy researchers Federico Valentini and Alessandro Strino reported an ongoing financial fraud campaign since at least 2019 that leverages a new web-inject toolkit called drIBAN. The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments, altering legitimate banking transfers performed by the victims and transferring money to an illegitimate bank account.
These accounts are either controlled by the threat actors or their affiliates, who are then tasked with laundering the stolen funds. The fraudulent transactions are often realized by means of a technique called Automated Transfer System (ATS) that's capable of bypassing anti-fraud systems put in place by banks and initiating unauthorized wire transfers from a victim's own computer.
The operators behind drIBAN have become more adept at avoiding detection and developing effective social engineering strategies, in addition to establishing a foothold for long periods in corporate bank networks. Furthermore, there are indications that the activity cluster overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the U.K.
Organisations need to be aware of these threats and take immediate action to protect their systems from cyberattacks. The ACN has reported that dozens of Italian organisations have been likely affected by the global ransomware attack and many more have been warned to take action to avoid being locked out of their systems.
As per the reports from observations made by Atlas VPN based on data from threat intelligence platform AV-ATLAS, as many as 1.9 million Linux malware threats were observed in 2022, bringing the figure up 50% year-on-year.
The reports further claimed that most of the Linux malware samples were discovered in the first three months of the year.
In Q1 2022, researchers identified 854,690 new strains. The number later dropped by 3% in Q2, detecting 833,065 new strains.
The number of new detections fell 91% to 75,841 in the third quarter of the year, indicating that Linux malware developers may have taken their time off. The numbers increased once more in the fourth quarter of the year, rising by 117% to 164,697.
Despite the researcher’s observations, Linux remains one of the “highly secure operating systems.”
“The open-source nature of Linux allows for constant review by the tech community, leading to fewer exploitable security vulnerabilities. Additionally, Linux limits administrative privileges for users and compared to more widely used operating systems like Windows, it still has less malware targeting it,” the researchers added.
While threat actors will not stop chasing flaws in the world’s fifth most popular operating systems, businesses and consumers alike must also be on the lookout, the researchers concluded.
Although Linux is not as popular as Windows or macOS, it is still a widely used operating system. From Android devices (which are built on Linux) to Chromebooks, video cameras, and wearable devices, to all kinds of servers (web servers, database servers, email servers, etc.) there are more than 32 million endpoints operating on Linux.
Initial evidence collected by Google-owned security firm Mandiant suggests that the exploitation occurred in October 2022, nearly two months before the vulnerability was patched. Targets included a government entity in Europe and a managed services provider in Africa.
According to a report published by Mandiant, the malware appears to have been created by a China-based threat actor that conducts cyber-espionage operations against individuals and groups associated with the government.
It is the most recent instance of attackers from the country attacking firewalls, IPS, IDS, and other technologies used by businesses to secure their networks that are internet-facing.
The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant created especially to run on Fortinet's FortiGate firewalls.
The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could allow for unauthenticated remote code execution through carefully constructed requests.
Earlier this month, Fortinet revealed that the unidentified hacking groups had taken advantage of the flaw to attack governments and other major institutions with a generic Linux implant capable of delivering additional payloads and carrying out remote server commands.
Mandiant findings also indicate that the hackers managed to exploit the zero-day vulnerability to their advantage, accessing target networks for espionage operations. "With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant added.
The BoldMove Backdoor malware, written in C, is apparently available in both Windows and Linux versions, with the latter being able to read data from a Fortinet-exclusive file format.
Moreover, according to Fortinet’s report, an extended Linux sample comes with a feature that allows attackers to disable and manipulate logging features in order to evade detection. Despite the fact that no copies of the backdoor have been found in the wild, metadata analysis of the Windows variations reveals that they were created as early as 2021.
"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted.
Meanwhile, Fortinet itself described the malware as a variant of “generic” Linux backdoor designed by threat actors for FortiOS. According to the company's analysis, affected systems may have had the malicious file disguising itself as a part of Fortinet's IPS engine.
According to Fortinet, one of the malware's more advanced features included manipulating FortiOS log-in to avoid detection. The malware can search FortiOS for event logs, decompress them in memory, and search for and delete a specific string that allows it to reconstruct the logs. The malware can also completely disable logging processes.
"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," says Fortinet.
Fortinet adds that designing the malware would have required the threat actors to have a “deep understanding” of the FortiOS and its underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.
According to an analysis by cybersecurity company Dr. Web, WordPress-based websites are being targeted by an unidentified Linux malware variant.
Recognized as LinuxBackDoor.WordPressExploit.1, while it can also operate on 64-bit Linux versions, the Trojan favors 32-bit versions. 30 vulnerabilities in numerous outdated WordPress plugins and themes have been used by Linux malware.
Injecting harmful JavaScript into the webpages of websites using the WordPress content management system (CMS) is its primary purpose. The malware may be the malicious instrument that hackers have used for more than three years to perform specific attacks and generate income from the resale of traffic, or arbitrage, based on a study of an unearthed trojan program undertaken by Doctor Web's specialists.
Malicious actors can remotely operate a Trojan by sending its command and control (C&C) server the URL of the site they want to infect. Threat actors can also remotely disable the spyware, turn it off, and stop recording its activities.
The researchers described how the process works, adding that if a plugin or theme vulnerability is exposed, the injection is done so that, irrespective of the original contents of the page, the JavaScript would be launched first when the infected page is loaded. By clicking any part of the compromised website, users will be sent to the attackers' preferred website.
Additionally, it can take advantage of many plugins' flaws, including the Brizy WordPress Plugin, the FV Flowplayer Video Player, and the WordPress Coming Soon Page.
According to Dr. Web, both Trojan variants include unreleased functionality for brute-force hacking the admin access of selected websites. Applying well-known logins and passwords while utilizing specialized vocabulary can accomplish this.
The researchers issued a warning, speculating that hackers may be considering using this feature in further iterations of the malware. Cybercriminals will even be able to effectively attack some of the websites that utilize current plugin versions with patched vulnerabilities.
WordPress is reportedly used by 43% of websites, making it a CMS that cybercriminals aggressively target.WordPress website owners are recommended by Dr. Web to update all parts of their platforms, including any third-party add-ons and themes, and to use secure passwords for their accounts.
This cryptomining campaign, as described by cybersecurity experts at Trend Micro, uses Linux computers' processing power, in order to sneakily compromise Linux servers and mine for Monero.
Cryptomining attacks are frequently distributed by utilizing common cybersecurity flaws or by being concealed inside cracked software downloads.
One compromised system is unlikely to generate much profit from cryptomining malware, but attackers infect a vast network of compromised servers and computers to produce as much cryptocurrency as possible, with the related energy bill being unknowingly carried by the victim.
Because the affected user is unlikely to notice the decrease in system performance unless the machine is pushed to its limit, the attacks usually go unnoticed. Large networks of infected systems can thus generate a consistent income for threat actors, which is why this method has become a prevalent form of malware.
Remote Access Trojan (RAT)
Cryptojacking campaign comprises a remote access trojan (RAT) in its attacks – the reason why it stands out from other cyberthreat campaigns. Chaos RAT, a trojan malware is free and open source, and allows threat actors to take charge of any operating system.
The RAT is downloaded with XMRig miner, which is utilized by threat actors in order to mine cryptocurrency, comprising of a shell script which is used to eliminate competing miners that could have previously been set up on the system.
Chaos RAT has a variety of potent functions, like the ability to download, upload and delete files, take screenshots, access file explorer, as well as open URLs.
In a blog post, written by Trend Micro researchers David Fisher and Oliveira, stated, “On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor […] However, given the tool's array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.”
In order to secure networks and cloud services against cryptomining malware and numerous other cyberattacks, organizations are advised to employ generic best cybersecurity measures, such as timely patching and updating of software and applications, in order to mitigate the risks of vulnerability being exploited in the outdated versions.
Passkey functionality, which enables users to securely log in to apps and websites without a password, will be made accessible to 1Password's customers by early 2023, the company announced.