Search This Blog

Showing posts with label Linux. Show all posts

ESXi , Linux, and Windows Systems at Risk From New Luna Ransomware

Luna is a brand-new ransomware family that was written in Rust, making it the third strain to do so after BlackCat and Hive, according to Kaspersky security researchers

The experts who examined the ransomware's command-line options believe that Luna is a reasonably straightforward ransomware program. 

Luna ransomware

This interesting encryption method combines x25519 with AES. The researchers discovered that the Linux and ESXi samples, which are compiled using the identical source code, differ only slightly from the Windows version.

Darknet forum advertisements for Luna imply that the ransomware is only meant to be used by affiliates who speak Russian. Due to spelling errors in the ransom note that are hard-coded into the malware, its main creators are also thought to be of Russian descent.

The Luna ransomware is also able to avoid automated static code analysis attempts by utilizing a cross-platform language.

"The source code used to compile the Windows version and the Linux and ESXi samples are identical. The remaining code is almost unchanged from the Windows version" the researchers added. Luna "confirms the trend for cross-platform ransomware," the researchers wrote, pointing out how hackers are able to target and strike at scale while avoiding static analysis, thanks to the platform flexibility of languages like Golang and Rust.

Nevertheless, considering that Luna is a recently identified criminal organization and its activities are still being constantly monitored, there is very little knowledge available regarding the victimology trends.

Black Basta

Researchers have also revealed information about the Black Basta ransomware group, which modified its software to target ESXi systems. By adding compatibility for VMware ESXi, various ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil, hope to increase their potential targets.

The double-extortion attack model is used by Black Basta, a ransomware operation that has been operational since April 2022.

Researchers from Kaspersky said that operators had introduced a new feature that relies on launching the computer in safe mode before encrypting data and imitating Windows Services in order to maintain persistence.

Black Basta can avoid detection from a variety of endpoint security solutions by starting Windows in safe mode.




Chinese Group Botnet Illegally Mine Crypto

 

Linux and cloud app vulnerabilities have been used by the 8220 Group crypto mining gang to expand their botnet to over 30,000 affected systems.

Over the course of just the previous month, SentinelOne researchers reported detecting this notable rise in the number of infected hosts. The malicious botnet, according to analysts, was only active on 2,000 servers worldwide by the middle of 2021.

The 8220 group has been operating at least since 2017. The hackers are China-based and the organization's name is derived from the port 8220 that the miner uses to connect to the C2 servers. 

Operation tactics

According to reports, the growth was spurred by the adoption of Linux, widespread vulnerabilities in cloud applications, and inadequately secured setups for services like Docker, Apache WebLogic, and Redis.

This group has used a publically available exploit in the past to breach confluence systems. Once inside, the attackers employ SSH brute force to spread out and commandeer the available computing power to operate crypto miners that point to untraceable pools.

Another improvement is the script's usage of block lists to prevent infections on particular hosts, usually, honeypots set up by security researchers.

Lastly, 8220 Gang has updated PwnRig, their proprietary crypto miner based on XMRig, an open-source Monero miner.

Microsoft researchers claim that the gang has actively upgraded its payloads and tactics over the past year. In a recent campaign, the organization targeted Linux systems running on i686 and x86 64 architectures and gained early access using RCE exploits for CVE-2022-26134 (Atlassian Confluence) CVE-2019-2725 (WebLogic) vulnerabilities.

In addition to underscoring a more intense "fight" to seize control of victim systems from rival cryptojacking-focused groups, the operations' expansion is seen as an effort to counteract the declining value of cryptocurrencies.



8220 Cryptomining Gang Targets Linux and Cloud Apps to Expand Cloud Botnet

 

The 8220 cryptomining gang has widened their Cloud Botnet over the last month to nearly 30,000 hosts globally. 
The exploitation of Linux and cloud app vulnerabilities and poorly secured configurations for services such as Docker, Confluence, Apache WebLogic, and Redis has played a significant role in the growth of the Cloud Botnet. 

"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne explained in a blog post. 

The 8220 gang has been operating since at least 2017, the hackers are Chinese-speaking and the name of the group comes from the port number 8220 employed by the miner to communicate with the C2 servers. In the latest campaign, the Monero-mining hacker targeted i686 and x86_64 Linux systems by means of weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to install the PwnRig miner payload. 

"Victims are not targeted geographically, but simply identified by their internet accessibility," Hegel pointed out. Besides executing the PwnRig cryptocurrency miner, the group began employing a specific file for the management of the SSH brute forcing step, which contained 450 hardcoded credentials corresponding to a wide range of Linux devices and apps. 

The latest versions of the script are also known to employ blocklists to bypass compromising specific hosts, such as honeypot servers that could flag their illicit efforts. 

The PwnRig crypto miner, which is based on the open source Monero miner XMRig, has received updates of its own as well, employing a phony FBI subdomain with an IP address linked to a Brazilian federal government domain to design a fake pool request and obscure the real destination of the generated money. 

The sudden surge in mining activities is also linked to the dwindling prices of cryptocurrencies, not to mention a heightened "battle" to take control of victim systems from competing cryptojacking-focused groups. Monero, in particular, has lost over 20% of its value over the past six months. 

"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner," Hegel concluded. "The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally."

This New RedAlert Ransomware Targets Windows, Linux VMware ESXi Servers

 

RedAlert (aka N13V), a new ransomware threat that encrypts both Windows and Linux VMWare ESXi systems, has been discovered. Concerning the RedAlert ransomware, MalwareHunterTeam uncovered the new ransomware and published various screenshots of its data leak site. Because of a string in the ransom text, the ransomware is known as RedAlert. 

However, the attackers are internally referring to their operation as N13V in the Linux encrypter version. The Linux encryptor is intended for use on VMware ESXi servers, including command-line options that enable attackers to shut down any operating virtual machines before locking data. 

RedAlert, like other enterprise-targeted ransomware operations, conducts double-extortion attacks in which data is taken and then ransomware is used to encrypt machines. The ransomware exclusively targets VMware ESXi virtual machine data, such as memory files, log files, virtual discs, and swap files. 

The ransomware encrypts certain file formats and appends the extension.crypt658 to the file names. The ransomware produces a specific ransom note entitled HOW TO RESTORE in each folder, which includes a description of the stolen data and a link to a TOR ransom payment site. One of RedAlert/features N13V's is the '-x' command-line option, which performs asymmetric cryptography performance testing with various NTRUEncrypt parameter sets. 

During encryption, the ransomware employs the NTRUEncrypt public-key encryption method, which supports several 'Parameter Sets' with varying degrees of protection. Aside from RedAlert, the only other ransomware known to use this form of encryption is FiveHands.  

RedAlert currently lists only one organisation as a victim, however, this may change in the near future. Furthermore, the malware's compatibility for both Windows and Linux shows that it intends to target a broader attack surface. As a result, enterprises should keep an eye on this threat. Always use encryption and access controls to safeguard critical information.

CISA Issues Warning Regarding Active Exploitation of 'PwnKit' Linux Security Bug

 

Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) added a Linux vulnerability called PwnKit to its Known Exploited Vulnerabilities (KEV) catalog and issued a warning regarding active exploitation of the flaw in cyber attacks. 

The vulnerability tracked as CVE-2021-4034 (CVSS score: 7.8), first identified earlier this year in January by the American company Qualys, impacts Polkit, a feature designed for managing system-wide privileges in Unix-like operating systems. Polkit is manufactured by Red Hat, but it’s also employed by other Linux distributions. 

PwnKit, a memory corruption issue, if successfully exploited, might cause pkexec to run arbitrary code, and allow an unprivileged hacker administrative right on the target device to exploit the host. The researchers claim that the vulnerability is installed by default on all Linux distributions and has existed in the pkexec component (graphical interface) since its creation, that is, nearly 13 years. 

The security bug has been identified to impact the products of multiple major firms. Juniper Networks, Moxa, IBM, VMware, Siemens, and others have published advisories to elaborate on the impact of CVE-2021-4034. 

Security researchers have been warned that the threat of malicious exploitation of PwnKit is high since proof-of-concept (PoC) exploits have been available and exploitation is not difficult. 

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog — also known as the agency’s “Must Patch” list — and ordered federal agencies to remediate all the newly listed vulnerabilities by July 18, while private firms have been requested to leverage the flaw catalog to improve their patching and vulnerability management processes.

Security experts noted that while exploitation of CVE-2021-4034 should leave traces in log files, it’s also possible to abuse the vulnerability without leaving such traces. 

In addition to the PwnKit vulnerability, CISA has added seven other flaws to its catalog, including an exploited Mitel VoIP zero-day flaw in ransomware assaults (CVE-2022-29499) and five iOS vulnerabilities (CVE-2020-3837, CVE-2019-8605, CVE-2018-4344, CVE-2020-9907 and CVE-2021-30983) that were recently unearthed as having been exploited by the Italian spyware firm RCS Lab.

CVE-2021-30533, a security vulnerability in web browsers based on Chromium, is also listed in the catalog. This flaw was exploited by a malvertising hacker going by the moniker Yosec in order to deploy malicious payloads.

Backdoor Installed by HelloXD Ransomware , Directed Windows and Linux Devices

 

HelloXD is ransomware that first appeared in November 2021 and does double extortion assaults. Researchers discovered several variations that affect Windows and Linux computers. 

According to a recent analysis from Palo Alto Networks Unit 42, the malware's creator has developed a new encryptor with unique packing for detection avoidance and encryption algorithm tweaks. This is a substantial deviation from the Babuk code, indicating the author's goal to create a new ransomware strain with possibilities and characteristics to allow for more attacks. 

HelloXD ransomware threat 

HelloXD first emerged to the public on November 30, 2021, and is based on Babuk's leaked code, which was published in September 2021 on a Russian-language cybercrime site. 

Palo Alto Networks Unit 42 security researchers Daniel Bunce and Doel Santos said, "Unlike other ransomware, this ransomware does not have an active leak site; instead, it prefers to direct the infected victim to negotiations via Tox chat and onion-based messaging instances." 

The operators of the ransomware family are no exception since they used double extortion to extort cryptocurrencies by exfiltrating a victim's personal data, encrypting key, performing cyber espionage, and threatening to publish it.MicroBackdoor is an open-source malware used for command-and-control (C2) communications to browse the infected system, exfiltrate files, execute orders, and remove traces, according to its developer Dmytro Oleksiuk. 

In March 2022, the Belarusian threat actor nicknamed Ghostwriter (aka UNC1151) used multiple forms of the implant in its cyber operations against Ukrainian governmental agencies. The features of MicroBackdoor allow a hacker to explore the file system, upload and download files, run commands, and delete traces of its activity from compromised PCs. 

Hello XD is a harmful ransomware project in its early stages that is now being deployed in the field. Although infection volumes aren't high now, its active and targeted development paves the way for a more harmful state. By piecing together the actor's digital trail, Unit 42 said it connected the likely Russian vendor behind HelloXD — who passes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme — to further cybercriminals like selling proof-of-concept (PoC) exploits and custom Kali Linux distributions using malicious software. 

During 2019 and 2021, the average lifespan of an enterprise ransomware attack — that is, the period between initial access and ransomware distribution — decreased by 94.34 percent, from nearly two months to just 3.85 days, according to a new report by IBM X-Force.

The role of initial access brokers (IABs) in getting access to victim networks and then selling that access to associates, who then misuse the foothold to install ransomware payloads, has been attributed to the enhanced speed and efficiency trends in the ransomware-as-a-service (RaaS) ecosystem. 

Overall, the data theft by threat actor appears skilled and capable of moving Hello XD forward, so analysts should keep a close eye on its progress.

Symbiote: A Stealth Malware that Attacks Banking Institutions

 

Cybersecurity experts discovered a "nearly-impossible-to-detect" Linux malware that can be exploited to backdoor infected systems. Known as Symbiote by threat intelligence firms Blackberry and intezer, the stealth malware is known for its capability to hide itself in running processes and network traffic and extract the target's data like a parasite. 

The Hacker News says "this is not the first time a malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury that's built to steal OpenSSH credentials and maintain access to a compromised server." 

The actors behind Symbiote are believed to have started working on the malware in November 2021, using it for targeting financial institutions in Latin America, which includes banks such as Banco do Brazil and Caixa. 

The main aim of Symbiote is to get credentials and fecilitate backdoor access to the target's systems. What makes Symbiote standout from other Linux malware is that it corrupts running processes instead of using a standalone file execution to cause damage. 

It is done by leveraging a local Linux feature known as LD_PRELOAD- a technique earlier used by malware like Pro-Ocean and Facefish. It is later deployed by the dynamic linker into the running operations and start infecting the host. Other than hiding itself in the file system, Symbiote can also cloak its network traffic via using the extended Berkeley Packet Filter (eBPF) feature. 

The task is attained via injecting the malware into an inspection software's processing and deploying BPF to categorize the results that will disclose the activities. 

"Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its existence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files," reports The Hacker News.

Microsoft Reveals Massive Surge in XorDdos Attacks on Linux Devices

 

XorDdos, a stealthy distributed denial-of-service (DDoS) malware targeting Linux devices has witnessed a massive 254% increase in activity during the last six months, Microsoft revealed in a report.

The malware launches automated password-guessing assaults across thousands of Linux servers to find identical admin credentials used on Secure Shell (SSH) servers. SSH is a secure network communications protocol commonly used for remote system administration. 

Once XorDdos identifies valid SSH credentials, it uses root privileges to run a script that downloads and installs XorDdos on the target device. It also employs XOR-based encryption to communicate with the attacker's command and control infrastructure. 

The malware enables adversaries to create potentially significant disruptions on target systems and is used to bring in other dangerous threats or to provide a vector for follow-on activities. Microsoft found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner. 

"While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it's possible that the trojan is leveraged as a vector for follow-on activities," Microsoft wrote in a blog post. The malware can hide its activities from common detection techniques. In a recent campaign, Microsoft saw it overwriting sensitive files with a null byte. 

"Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis. We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions," Microsoft notes. 

The XorDdos payload Microsoft examined is a 32-bit Linux format ELF file with a modular binary written in C/C++. Microsoft notes that XorDdos uses a daemon process that runs in the background, outside the control of users, and terminates when the system is offline. 

In recent years, XorDdos has targeted misconfigured Docker clusters in the cloud using compromised systems to overwhelm a target network or service with fake traffic in order to render it inaccessible. According to CrowdStrike, XorDdos was one of the most active Linux-based malware families of 2021, with 35% growth compared to the previous year. 

Besides launching DDoS attacks, the malware’s operators use the XorDDoS botnet to install rootkits, maintain access to hacked devices, and, likely, drop additional malicious payloads.

New Nimbuspwn Linux Flaws Could Provide Attackers Root Access

 

Microsoft uncovered vulnerabilities in Linux systems that could be used to grant attackers root access if they were chained together. 

The flaws, dubbed "Nimbuspwn," are detected in networkd-dispatcher, a dispatcher daemon for systemd-networkd connection status changes in Linux, and are labelled as CVE-2022-29799 and CVE-2022-29800. As part of a code review and dynamic analysis effort, Microsoft found the vulnerabilities while listening to signals on the System Bus. 

Microsoft’s Jonathan Bar Or explained, “Reviewing the code flow for networkd-dispatcher revealed multiple security concerns, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues, which could be leveraged to elevate privileges and deploy malware or carry out other malicious activities.”
 
“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” 

He went on to state that ransomware attackers might use Nimbuspwn as a route for root access in order to have a significant impact on affected machines. Clayton Craft, the maintainer of the networkd-dispatcher, apparently worked promptly to remedy the flaws after responsibly revealing the bugs. 

Linux users who are affected are recommended to apply patches as soon as they become available. Although Nimbuspwn has the potential to affect a huge number of people, attackers would first need local access to the targeted systems in order to exploit the flaws. 

Mike Parkin, senior technical engineer at Vulcan Cyber argued, “Any vulnerability that potentially gives an attacker root-level access is problematic. Fortunately, as is common with many open-source projects, patches for this new vulnerability were quickly released.” 

“While susceptible configurations aren’t uncommon, exploiting these vulnerabilities appears to require a local account and there are multiple ways to mitigate them beyond the recommended patching. There is currently no indication that these vulnerabilities have been exploited in the wild.”

AWS, and Alibaba Cloud was Attacked by Crypto Miners

 

An intel source recently provided Cisco Talos with modified versions of the TeamTNT cybercrime team's infected shell scripts, an earlier version of which was documented by Trend Micro. The malware creator modified these tools after learning that security experts had disclosed the prior version of its scripts. These scripts are intended primarily for Amazon Web Services (AWS), but they might also be used on-premise, in containers, or in other Linux instances. 

There are multiple TeamTNT payloads focusing on bitcoin mining, persistence, and lateral movement employing tactics like identifying and installing on with all Kubernetes pods in a local network, in addition to the primary credential stealer scripts. A script containing user credentials for the distribution system server and another with an API key which may allow remote access to a tmate shared login session is also included. Defense evasion functions aimed at defeating Alibaba cloud security technologies are included in some TeamTNT scripts.

When it comes to decision making obtaining credentials, the script looks for them in the following places and APIs: 

  • It attempts to obtain the string 'AWS' from /proc/*/environ from the Linux system environment variables. 
  • Obtaining the string 'AWS' from Docker environment variables with the command $(docker inspect $) (docker ps -q).
  • /home/.aws/credentials and /root/.aws/credentials are the default AWS CLI credential file locations.
While the query itself will not be caught by Cisco Secure Cloud Analytics, the alert "AWS Temporary Token Persistence" will detect later use of these credentials to generate further temporary credentials. Finally, the virus saves any credentials acquired by the preceding functions to the file "/var/tmp/TeamTNT AWS STEALER.txt" and uses cURL to transfer it to the URL http://chimaera[.]cc/in/AWS.php before deleting it. 

No CloudTrail, GuardDuty, or SCA events were generated when the script ran on the target EC2 instance for all network traffic was restricted by the VPC Security Group such as the script could not access TeamTNT's servers. 

The core of the defense impairment functions is directed against Alibaba Cloud Security's numerous agents, how, they also target Tencent Cloud Monitor and third-party BMC Helix Cloud Security, agents. While the bulk of malicious scripts targets AWS Elastic Compute Cloud (EC2) virtual machines, these bots are most typically detected running inside Alibaba Cloud Elastic Compute Service (ECS) or a Tencent Cloud VM. They could theoretically be put on a VM operating on AWS or any other service, but it would be unusual. TeamTNT makes no attempt to disable AWS CloudWatch, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other popular cloud security tools in the United States. 

The Alibaba defense damage routines have been retrieved and saved here from the script Kubernetes root payload 2.sh. Since static analysis of the defense impairment functions is problematic due to the presence of multiple Base64 encoded strings, those functions have been decrypted and placed back into the file ali-defense-impairment-base64-decoded.sh.txt. 

"Cybercriminals who have been exposed by security researchers should update those tools to keep functioning successfully," stated Darin Smith of Talos. 

The serious remote code execution problem in Spring Framework (CVE-2022-22965) has been leveraged to deploy cryptocurrency miners, in yet another example of how threat actors quickly co-opt recently revealed flaws into existing attacks. To deploy the cryptocurrency miners, the exploitation efforts employ a unique web shell, but not before switching off the firewall and disabling other virtual currency miner processes.

This Linux Flaw in Netfilter Firewall Module Enables Attackers Gain Root Access

 

A local adversary might use a newly reported security vulnerability in the Linux kernel to acquire higher privileges on affected systems and execute arbitrary code, escape containers, or cause a kernel panic. 

Nick Gregory, a senior threat researcher at Sophos, uncovered the flaw. The vulnerability, identified as CVE-2022-25636 (CVSS score: 7.8), affects Linux kernel versions 5.4 through 5.6.10 and is caused by a heap of out-of-bounds written in the kernel's netfilter subcomponent. 

"This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat stated in an advisory published on February 22, 2022. Similar warnings have been released by Debian, Oracle Linux, SUSE, and Ubuntu. 

Netfilter is a Linux kernel framework that allows for packet filtering, network address translation, and port translation, among other networking-related tasks. CVE-2022-25636 is a vulnerability in the framework's handling of the hardware offload function, which might be exploited by a local attacker to cause a denial-of-service (DoS) or execute arbitrary code. 

Gregory said, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails. Additionally, while nftables requires CAP_NET_ADMIN, we can unshare into a new network namespace to get this as a (normally) unprivileged user." 

"This can be turned into kernel [return-oriented programming]/local privilege escalation without too much difficulty, as one of the values that are written out of bounds is conveniently a pointer to a net_device structure," Gregory added.

AnchorDNS Loophole of a TrickBot Spyware Upgraded to AnchorMail

 

Even after the TrickBot infrastructure was shut down, the malware's operators continued to improve and retool its arsenal in preparation for attacks which ended in the distribution of the Conti ransomware. The new, improved edition of the criminal gang's AnchorDNS backdoor was called AnchorMail by IBM Security X-Force, which discovered it. 

According to IBM's malware reverse researcher Charlotte Hammond, AnchorMail "uses an email-based [command-and-control] server with which it connects using SMTP and IMAP protocols over TLS." "AnchorMail's behavior is essentially similar to vs its AnchorDNS predecessor, excluding the redesigned C2 communication method." 

The Trickbot Group, also known as ITG23 on X-Force, is a cybercriminal group best known for creating the Trickbot financial Trojan. Originally discovered in 2016, it was used to aid online banking fraud, initially. The gang adapted to the ransomware economy by gaining a footing for ransomware assaults utilizing its Trickbot and Bazarloader payloads, a tight partnership with both the Conti ransomware-as-a-service provider (RaaS). 

ITG23 is also known for creating the Anchor malware framework, which includes the AnchorDNS variant. In 2018 various high-profile targets were being infected with Trickbot or Bazarbackdoor, another ITG23 backdoor. AnchorDNS is known for using the DNS protocol to communicate with its Command and Control (C2) server. The improved backdoor, dubbed AnchorMail or Delegatz by IBM Security X-Force researchers, now communicates with an email-based C2 server through SMTP and IMAP protocols via TLS. AnchorMail's functionality is essentially similar to its AnchorDNS predecessor for most of its part, with the exception of the redesigned C2 communication mechanism. 

The uncovering of this updated Anchor variant adds an extra inconspicuous backdoor during ransomware assaults, demonstrating the group's drive to continually improve its malware. AnchorMail provides a scheduled job for persistence after execution, which is set to execute every 10 minutes. It then gathers basic system data, registers with its C2, and enters a loop of monitoring for and executing commands received. 

The command structure of the backdoor and AnchorDNS appear to be fairly similar, and both forms appear to accept the same set of control codes, which allow a variety of various possibilities for processing orders and payloads received from the C2. The commands include the ability to run binaries, DLLs, and shellcode downloaded from a remote server, as well as launch PowerShell commands and erase themselves from infected PCs. 

"The revelation of this new Anchor version adds a new covert gateway used during ransomware assaults, AnchorMail has only been seen to target Windows PCs so far. However, given the AnchorDNS has been adapted to Linux, a Linux-based version of AnchorMail appears inevitable," said Charlotte Hammond, BM's malware reverse engineer.

Inherent Vulnerability in Linux Puts Russian OS at Risk

 

The vulnerability found in all distributions of the Linux operating system also puts at risk Russian OS based on it, which are used in banks, enterprises, and government agencies. Developers of Russian OS on Linux have already begun to publish updates that close the security gap. But the problem may not be an isolated one, since few people have been engaged in comprehensive research of the Linux source code. 
The vulnerability, called PwnKit, was discovered by the American company Qualys. Experts pointed out that the breach allows attackers to easily obtain administrator rights. The vulnerability is present in the pkexec component. The researchers claim that the vulnerability is installed by default on all Linux distributions and has existed in the pkexec component (graphical interface) since its creation, that is, almost 13 years. 

Kaspersky Lab researcher Boris Larin confirmed that the vulnerability also affected some Russian Linux distributions. The Russian developer RED SOFT, which produces the Russian Red OS based on Linux, acknowledged that the system uses a potentially unsafe module, but noted that the company regularly tests the system and has already released an update. 

It should be noted that administrator rights give unlimited opportunities to attackers, and most likely, within a year, this vulnerability will become the main tool for attacking devices running Linux. "Banks, industrial enterprises, and the public sector can be targeted," said Alexey Malynev, head of the Jet Infosystem Incident Monitoring and Response Center. 

Exploits that allow exploiting the vulnerability appeared a few hours after the information about the problem appeared. Developers have already started releasing security updates to close the gap. 

The revealed vulnerability demonstrates one of the important shortcomings of open source systems. "It seems that it is available, and everyone can check it, but in fact, few people do it, so no one has noticed the vulnerability for years," noted Pavel Korostelev, head of the Security Code product promotion department. 

Dmitry Derzhavin, head of CPI development, emphasizes that modern operating systems are millions of lines of code. "It so happened that no one has looked into this particular line until now, and there is no excuse for this oversight."

XorDDoS, Mirai, and Mozi are Most Prominent Linux-targeted Malware

 

Linux-based computers are numerous and are an integral component of the internet backbone, but Linux malware has increasingly targeted low-power Internet of Things (IoT) devices. With billions of internet-connected devices such as vehicles, refrigerators, and network equipment online, IoT devices have become a prominent target for malware and distributed denial of service (DDoS) attacks, in which junk data is aimed at flooding a target and knocking it offline. 

Although ransomware is currently wreaking havoc on the malware scene in a deluge of high-profile attacks, a recent study on Linux security finds it only ranks third among the top threat kinds. Such shift in attitude stems in part from an increasing recognition among Linux hobbyists and system administrators that a compromised Linux system, such as a web server, presents attackers with a high return on investment.' In addition, malware research has improved visibility into the dangers that Linux systems face in recent years. 

In 2021, the XorDDoS, Mirai, and Mozi malware families and variants emerged to be the most prevalent, accounting for over 22% of all IoT Linux-targeting malware, according to an analysis of the current Linux threat landscape. 

XorDDoS is a Linux trojan that has been developed for a variety of Linux architectures, including ARM, x86, and x64. It gets its name from the fact that it uses XOR encryption in malware and network connection with the C2 infrastructure. XorDDoS variations on Linux PCs demonstrate that operators monitor and hunt for Docker servers with the 2375 port open. The port provides an unencrypted Docker socket and remote root passwordless access to the host, both of which can be exploited by attackers to get root access to the machine. 

Mozi is a P2P botnet network that uses the distributed hash table (DHT) architecture and implements its own expanded DHT. Mozi can mask C2 communication behind a significant volume of valid DHT traffic thanks to DHT's distributed and decentralized lookup method. By brute-forcing SSH and Telnet ports, Mozi attacks computers. It then blocks those ports to prevent additional malicious actors or viruses from overwriting them. 

Mirai virus has earned a name for itself in recent years, especially when its creator made the source code public. Mirai, like Mozi, employs brute-force assaults to infiltrate devices using weak protocols and passwords, such as Telnet.

Many business-critical applications use Linux as one of their core operating systems. Protecting Linux servers, which can be found on-premises as well as in private and public clouds, necessitates a solution that delivers runtime protection and visibility for all Linux hosts, independent of location.

SysJoker, a New Backdoor for Windows, macOS, and Linux has been Discovered

 

A new multi-platform backdoor malware known as 'SysJoker' has been discovered in the wild, targeting Windows, Linux, and macOS and capable of evading detection on all three platforms. SysJoker was identified during an active attack on a renowned educational institution's Linux-based web server.

Researchers discovered that SysJoker also has Mach-O and Windows PE versions after further examination. They believe that the SysJoker attack began in the second half of 2021, based on C2 domain registration and samples detected in VirusTotal. 

SysJoker disguises itself as a system update and creates its C2 by decoding a string from a text file housed on Google Drive. The C2 changed three times during Intezer's analysis, showing that the attacker was active and monitoring for affected machines. 

Intezer believes SysJoker is targeting certain targets based on victimology and malware behavior. SysJoker was submitted to VirusTotal with the TypeScript file extension .ts. An infected npm package could be used as an attack vector for this malware. 

The malware is written in C++, and while each variant is customized for the targeted operating system, they all go undetected by VirusTotal, a malware scanning website that employs 57 different antivirus detection engines. On Windows, SysJoker deploys a first-stage dropper in the form of a DLL that uses PowerShell commands to perform tasks such as fetching the SysJoker ZIP from a GitHub repository, unzipping it on “C:\ProgramData\RecoverySystem\” and executing the payload. 

After then, the virus waits for up to two minutes before establishing a new directory and cloning itself as an Intel Graphics Common User Interface Service ("igfxCUIService.exe"). “Next, SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands,” explains Intezer’s report. "These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named “microsoft_Windows.dll”.” 

The report includes detailed indicators of compromise (IOCs) that administrators can use to detect the presence of SysJoker on an infected device. 

On Windows, the malware files are located under the "C:\ProgramData\RecoverySystem" folder, at C:\ProgramData\SystemData\igfxCUIService.exe, and C:\ProgramData\SystemData\microsoft_Windows.dll. On Linux, the files and directories are created under “/.Library/” while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem). On macOS, the files are created on "/Library/” and persistence is achieved via LaunchAgent under the path: /Library/LaunchAgents/com.apple.update.plist.

SFile (Escal) Ransomware Modified for Linux Attacks

 

The SFile ransomware, also known as Escal, has been ported to work and encrypt data on Linux-based operating systems by its developers. 

Attacks with this new Linux edition were discovered late last year, according to a report published last week by Chinese security firm Rising, which was substantiated by The Record with MalwareHunterTeam, one of the developers of the ID-Ransomware project. 

In February 2020, the SFile (Escal) ransomware was first observed in assaults. The first versions were exclusively designed to encrypt Windows systems. The ransomware has been deployed in targeted assaults against corporate and government networks for the previous two years. 

SFile is typically used in these attacks to encrypt data and leave a ransom note instructing victims to contact the attackers via one of three emails and negotiate a ransom for the decryption key. 

A SFile Linux variation was discovered late last year, following a typical trend in the ransomware ecosystem where groups have developed Linux versions of their payloads, with an encryption strategy identical to its original Windows variant but with a few modifications. 

The option to encrypt data depending on a time range, according to MalwareHunterTeam, was the most intriguing of these—as a way to encrypt current files, which may be more important for some victims and are often not included in recent backups. However, the SFile ransomware is one of the few instances where the victim's name appears in the extension appended to each encrypted file. 

Several Chinese firms were among the most recent victims of SFile assaults. According to the Rising report, one of these victims was Chinese IT business Nuctech, which was sanctioned by the US in late 2020 for giving air travel passenger information to the Chinese government—the company's name was identified in encrypted files in a sample discovered by Rising researchers. 

Despite the presence of a Linux variant, the number of SFile attacks is still limited in comparison to the operation of more well-known ransomware families like Conti, LockBit, Grief, and STOP.

Linux Foundation Expert Advices, Open Source Deployment, Fighting Against Vulnerabilities

 

The Census II study's preliminary findings strongly suggest that open source initiatives require supporting toolsets, infrastructure, people, and good governance in order to function as a stable and healthy upstream project for your company. It's not nearly as horrible as it sounds, because not all flaws can be exploited.

Wheeler cited a report from Synopsys, a software security and IoT (Internet of Things) company – each application has an average of 528 open source components, 84% of codebases have at least one vulnerability, and that the average number of vulnerabilities per codebase is 158. An audit of 1,546 codebases was conducted, with a codebase being defined as "the code and accompanying libraries that make up an application or service." "If you're concerned about security, you'll inspect the software." Nonetheless, open-source is possibly safer, because of the long-standing secure software design principle that "the protective method must not rely on attacker ignorance," as outlined in a 1974 work by Jerome Saltzer and Michael Schroeder.

This is a benefit of open-source software. "The many eyes theory works," Wheeler added. Vulnerable software does not get updated, which is a big part of the problem. Many apps and systems do not update all of the components that they use. This is also true for closed source, although "open source software is used a lot more." 

Developers should "learn how to design and acquire secure software," according to the report, which lists a number of free courses, best practices, and tools. A flaw in test-driven development, according to Wheeler, is that the model of writing a test and then writing the code to make the test pass does not include negative tests, implying that there is a need to test to ensure that things that should not happen do not happen. A failure to include negative tests is one of the major issues in many test suites today. It's how the Apple goto fail vulnerability came to be, according to Wheeler, who was referring to this problem. Use caution while dealing with software that hasn't been utilized in a long time. "There will very certainly be no reviewers if there are no users. It's not a problem if you don't utilize it " If it is still required, the remedy is to "look at it yourself." 

In summation, although the problem is difficult to solve, there are several initiatives that may help. The SPDX project, which specifies the "bill of materials" utilized by a software library or application, and the Open Source Security Metrics (OpenSSF) dashboard, which, though still in its early stages, assists developers and users in assessing the security of specific packages. 

CronRAT is a Linux Malware that Hides in Cron Jobs with Invalid Dates

 

Researchers have discovered a novel Linux remote access trojan (RAT) that uses a never-before-seen stealth approach that includes scheduling malicious actions for execution on February 31st, a non-existent calendar day. CronRAT, according to Sansec Threat Research, "enables server-side Magecart data theft that avoids browser-based security solutions." The RAT was spotted on multiple online stores, including the country's largest outlet, according to the Dutch cybersecurity firm. 

CronRAT takes advantage of the Linux task scheduling system cron, which allows tasks to be scheduled on days that do not exist on the calendar, such as February 31st. Even if the day does not exist in the calendar, the Linux cron system accepts date requirements as long as they have a proper format, which implies the scheduled task will not run. CronRAT relies on this to maintain its anonymity. According to research released by Sansec, it hides a "sophisticated Bash programme" in the names of scheduled tasks. 

"The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3," the researchers explained. "These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st." 

The RAT also employs a variety of obfuscation techniques to make analysis more difficult, such as hiding code behind encoding and compression barriers and implementing a custom binary protocol with random checksums to get around firewalls and packet inspectors before establishing communications with a remote control server and waiting for further instructions. The attackers linked to CronRAT can run any code on the infected system with this backdoor access, according to the researchers. 

"Digital skimming is moving from the browser to the server and this is yet another example," Sansec's Director of Threat Research, Willem de Groot, said. "Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface." 

Sansec describes the new malware as “a serious threat to Linux eCommerce servers,” due to its capabilities such as fileless execution, timing modulation, anti-tampering checksums, controlled via binary, obfuscated protocol, launches tandem RAT in separate Linux subsystem, control server disguised as “Dropbear SSH” service and payload hidden in legitimate CRON scheduled task names.

Linux Foundation Patches Critical Critical Code Vulnerability

 

CVE-2021-43267 vulnerability is detailed as a heap overflow Transparent Inter-Process Communication (TIPC) module shipping with Linux kernels to let nodes in a group communicate with each other in a fault-proof way. 'While TIPC itself isn’t loaded automatically by the system and has to be enabled by end users, Van Amerongen said the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation "makes this a dangerous vulnerability" for those that use it in their networks," reports Security Week. 

The flaw can be abused either locally or via remote code execution within a network framework to get kernel privileges, which allows a hacker to exploit an entire system. Experts discovered a bug in most attacks that used Microsoft's CodeQL, an open-source semantic code analysis engine that assists to identify security flaws. As per the experts, the flaw surfaced in the Linux kernel in September last year, after a MSG_CTYPTO (a new message type) was included to let actors distribute cryptographic codes. 

While investigating the code, expert Van Amerongen discovered a “clear-cut kernel heap buffer overflow," along with remote code execution hints. , Vulnerable TIPC module is loaded with main Linux distributions, however, it requires loading in order to trigger the vulnerability and enable the protocol. A patch was shipped by Linux foundation on October 29, confirming the existing vulnerability which affects kernel variants between 5.10 and 5.15. 

As per cybersecurity firm Sentinel One, it hasn't found any proof of vulnerability exploits in the wild. “This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports. As this vulnerability was discovered within a year of its introduction into the codebase, TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15,” says cybersecurity expert Van Amerongen.

Linux And FreeBSD Systems Are Being Exploited in the Wild by Hive Ransomware

 

The Hive ransomware group that has been active since mid-2021 reportedly encrypts Linux and FreeBSD with new malware versions designed exclusively for these platforms. 

The Slovak internet security firm ESET revealed that Hive's new encryptors have been under development and require more functionality. During ESET's examination, the Linux edition also turned out to be largely unstable, with encryption collapsing whenever the malware was executed with an explicit route. 

Allowing for a single command-line argument (-no-wipe); Hive's Windows ransomware, on the other hand, has up to five implementation choices, including stopping programs and bypassing disc cleaning, irrelevant data, and older files. 

The Linux variant of the ransomware likewise fails to encrypt when performed without root access since it tries to dump the ransom note on the root file systems of infected computers. "Just like the Windows version, these variants are written in Golang, but the strings, package names, and function names have been obfuscated, likely with gobfuscate," ESET Research Labs said. 

Hive has already infiltrated over 30 organizations, not including victims who declined to pay a ransom. They were amongst several ransomware organizations that have started attacking Linux servers as their business targets gradually shifted to virtual servers for better device management and much more effective resource utilization. Ransomware operators may encode numerous servers with just a single command by targeting virtual machines. 

Security experts eventually identified HelloKitty and BlackMatter ransomware Linux encryptors in the wild in July and August, validating Wosar's claim. 

One month later, it was revealed that a few of these Linux malware variants are also defective and may corrupt victims' data during encryption. Moreover, Snatch and PureLocker ransomware organizations have already employed Linux versions in their attacks.