
NSA and FBI warn that new Linux malware threatens national security

Pickles von Brine

The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information, and execute malicious commands.

 

In a report that’s unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that had gone undetected until recently. The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency that has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage to national security.

 

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 US Presidential Election as described in the 2017 Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections (Office of the Director of National Intelligence, 2017),” officials from the agencies wrote.

The Drovorub toolset includes four main components: a client that infects Linux devices; a kernel module that uses rootkit tactics to gain persistence and hide its presence from operating systems and security defenses; a server that runs on attacker-operated infrastructure to control infected machines and receive stolen data; and an agent that uses compromised servers or attacker-controlled machines to act as an intermediary between infected machines and servers.

Agency officials said that a key defense against Drovorub is to ensure that all security updates are installed. The advisory also urged that, at a minimum, servers run Linux kernel version 3.7 or later so that organizations can use improved code-signing protections, which use cryptographic certificates to ensure that an app, driver, or module comes from a known and trusted source and hasn’t been tampered with by anyone else.

Well, another virus, another day. However, this one seems to be bad enough to hear from the NSA and FBI... Apparently Russian influence as well. Either way, let's hope that those who could be infected pay heed and follow recommendations. Then again, that hope may just be wishful thinking...

It just goes to show you, no matter how secure a system is, those who want in will find a way.

Source

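The kernel 3.7 / code-signing recommendation in the quoted article, turned into a host check. This is an added example, not code from the article or from the NSA/FBI advisory; it assumes a Linux host with sysfs and procfs mounted, uses the standard paths for the module.sig_enforce parameter, the UEFI SecureBoot variable and the kernel taint mask, and some of those files are only readable as root.

```shell
#!/bin/sh
# Added example, not code from the article or the NSA/FBI advisory. Checks
# a Linux host against the advisory's baseline: kernel 3.7 or later with
# kernel-module signature enforcement, so an unsigned rootkit module like
# the one described cannot simply be loaded. Assumes sysfs and procfs are
# mounted; some of the files read here are only readable as root.

# version_ge A B: succeed when major.minor of A >= major.minor of B.
# Trailing components ("5.15.0-91-generic") are ignored.
version_ge() {
    a_maj=${1%%.*}; a_rest=${1#*.}; a_min=${a_rest%%.*}
    b_maj=${2%%.*}; b_rest=${2#*.}; b_min=${b_rest%%.*}
    [ "$a_rest" = "$1" ] && a_min=0        # bare "4" means 4.0
    [ "$b_rest" = "$2" ] && b_min=0
    # Drop suffixes such as "-rc1" so the comparisons stay numeric.
    a_maj=${a_maj%%[!0-9]*}; a_min=${a_min%%[!0-9]*}
    b_maj=${b_maj%%[!0-9]*}; b_min=${b_min%%[!0-9]*}
    [ "$a_maj" -gt "$b_maj" ] && return 0
    [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -ge "$b_min" ]
}

# taint_unsigned MASK: succeed when bit 13 (8192, TAINT_UNSIGNED_MODULE) is
# set, meaning an unsigned module has been loaded since boot.
taint_unsigned() {
    [ $(( $1 & 8192 )) -ne 0 ]
}

# sig_enforce_state FILE: print Y, N, or "absent" when the kernel was built
# without CONFIG_MODULE_SIG (typical of pre-3.7 kernels).
sig_enforce_state() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# secure_boot_state: print on/off/unknown from the UEFI SecureBoot variable.
# The first four bytes of an efivars file are attributes; byte five is the value.
secure_boot_state() {
    for v in /sys/firmware/efi/efivars/SecureBoot-*; do
        [ -r "$v" ] || continue
        case "$(od -A n -t u1 -j 4 -N 1 "$v" | tr -d ' ')" in
            1) echo on;  return ;;
            0) echo off; return ;;
        esac
    done
    echo unknown
}

report() {
    k=$(uname -r)
    if version_ge "$k" 3.7; then echo "kernel $k: OK (>= 3.7, module signing available)"
    else echo "kernel $k: UPGRADE (advisory baseline is 3.7)"; fi
    echo "module.sig_enforce: $(sig_enforce_state /sys/module/module/parameters/sig_enforce)"
    echo "UEFI Secure Boot: $(secure_boot_state)"
    t=$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)
    if taint_unsigned "$t"; then echo "taint $t: an UNSIGNED module has been loaded since boot"
    else echo "taint $t: no unsigned module recorded"; fi
}

report
```

A kernel that reports sig_enforce as N still loads unsigned modules, so the version check alone is not enough; the taint line tells you whether that has already happened since boot.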

It’s because almost all our servers run on Linux...

 

and also looks like if you’re updated you’re good so no biggie imo.

 

and haha funny, probably using Kali Linux to hack other Linux distros, haha funny.


Well, I'm sure that just because Linux is open source it will be fixed in a short time.


As interest in any product increases so does interest from criminals.

 

Linux has had a pretty meteoric rise in popularity over the last decade or so thanks in no small part to Valve pushing gaming on the platform.

 

This is probably something we'll see much much more of in the coming years. The hackers are starting to get interested.

 

Open source is both a blessing and a curse. It means the criminals can access the entire code base with little effort but it also means the good guys can see the code and fix it without a corporate structure getting in the way.


Just now, Ashley xD said:

lInUx DoEsN't GeT vIrUsEs

Don't forget the Macs too.

In all seriousness, every OS can get infected with a virus; the question is how difficult it is to infect the OS with a virus under normal use.

Mac and Linux are more secure than Windows, and Linux has lots of eyes looking at the source code (being open source is a great thing).


Glad I moved to Windows.

 

But I still need an antivirus.

 

(I have Bitdefender Free)


5 hours ago, Pickles - Lord of the Jar said:

Russian state hackers

I think this is the US's new favourite scapegoat.


3 hours ago, Vishera said:

Mac and Linux are more secure than Windows, and Linux has lots of eyes looking at the source code (being open source is a great thing)

I'm sure if Mac or Linux had the same mass scale desktop deployment as Windows the human ability to be idiots will plague both just as much as it does for Windows, you really think most Windows systems get compromised by remote execution vulnerabilities and privilege escalation vulnerabilities? Most get nuked by people doing dumb things granting admin privileges to anything and everything.

 

Humans are by far the least secure out of anything, attack the weakest link.


Just now, leadeater said:

I'm sure if Mac or Linux had the same mass scale desktop deployment as Windows the human ability to be idiots will plague both just as much as it does for Windows, you really think most Windows systems get compromised by remote execution vulnerabilities and privilege escalation vulnerabilities? Most get nuked by people doing dumb things granting admin privileges to anything and everything.

 

Humans are by far the least secure out of anything, attack the weakest link.

You are not wrong, but it's so easy to run stuff as an Administrator in Windows; in Linux and Mac you need to enter a password to do that.


3 minutes ago, Vishera said:

You are not wrong, but it's so easy to run stuff as an Administrator in Windows; in Linux and Mac you need to enter a password to do that.

Well, like that would actually help much though; you're going to put it in anyway. Yes/No? Type password, they are both asking the same thing. And no doubt user demand would eventually get the password requirement for a lot of things reduced to Yes/No as well.

 

It's not like UAC got like it is now for no reason, it used to be way more invasive, like Linux but everyone hated it so here we are.


12 minutes ago, leadeater said:

I'm sure if Mac or Linux had the same mass scale desktop deployment as Windows the human ability to be idiots will plague both just as much as it does for Windows, you really think most Windows systems get compromised by remote execution vulnerabilities and privilege escalation vulnerabilities? Most get nuked by people doing dumb things granting admin privileges to anything and everything.

 

Humans are by far the least secure out of anything, attack the weakest link.

Isn't Linux more prevalent for stuff like servers, which are much higher priority targets than some grandpa's dusty PC? So it's not like there isn't a lot of interest in finding vulnerabilities in Linux.


6 minutes ago, spartaman64 said:

Isn't Linux more prevalent for stuff like servers, which are much higher priority targets than some grandpa's dusty PC? So it's not like there isn't a lot of interest in finding vulnerabilities in Linux.

Yes, but more so in web hosting, and you don't have that nice weak human link like desktop systems. Linux systems get compromised through things like old versions of PHP that nobody ever updates etc. Which sure is sort of a human weakness resultant, but it's a lot harder than scraping emails from websites and directories and sending phishing emails, which odds are someone will fall victim to, and then you have an entire address book and possibly a system with some level of malware on. It's a spiraling pit of doom and is precisely why cryptolockers were/are so prevalent, but 99 times out of 100 no exploit was used and the user simply ran it and granted admin rights. AVs can only do so much when it's so easy to generate new obfuscated versions of them.


6 hours ago, Master Disaster said:

As interest in any product increases so does interest from criminals.

 

Linux has had a pretty meteoric rise in popularity over the last decade or so thanks in no small part to Valve pushing gaming on the platform.

 

This is probably something we'll see much much more of in the coming years. The hackers are starting to get interested.

 

Open source is both a blessing and a curse. It means the criminals can access the entire code base with little effort but it also means the good guys can see the code and fix it without a corporate structure getting in the way.

Keep in mind, the server usage of Linux is far far far greater than the desktop usage of it—and that’s been true for decades. Linux runs the Internet, hence it’s a big target for hackers. 


17 minutes ago, BlueScope819 said:

Linux is basically 100% server OS

Agreed for the most part, though Linux only comprises about 13.5% of global server market share as of 2019. Far greater than its desktop saturation, but still a very long way behind Windows. Where Linux variants are really prevalent is within the hardware space: infrastructure within telcos, network switches and appliances of all shapes and sizes, SOHO and home routers, right down to IoT dreck.

 

2 hours ago, leadeater said:

Linux systems get compromised through things like old versions of PHP that nobody ever updates etc

This sort of thing (well, JBOSS/Wildfly, Tomcat, Struts2 and over the last year or so a huge glut of SSL VPN products including Citrix and Pulse Secure) accounts for a big chunk of it, but misconfiguration and failure to implement proper hardening also account for a lot of compromises. You don't need to dig around for a viable exploit if someone's left a remote file upload functionality open to world+dog and you can just push a web shell straight onto the server using nothing more than an entirely legitimate HTTP POST request.


Laughs in Windows

/s


1 hour ago, HM-2 said:

You don't need to dig around for a viable exploit if someone's left a remote file upload functionality open to world+dog and you can just push a web shell straight onto the server using nothing more than an entirely legitimate HTTP POST request.

Getting the file there is only half of it; you either need to find a way to also get it moved into wwwroot or to some other location the webserver will actually let you address and also execute the code. Dumping PHP shell files in an upload dir doesn't actually allow you to exploit the system by that alone.


1 hour ago, leadeater said:

Getting the file there is only half of it; you either need to find a way to also get it moved into wwwroot or to some other location the webserver will actually let you address and also execute the code.

I wasn't suggesting it was a viable one-size-fits-all solution across all server platforms; it was more a subtle dig at people who set up JBOSS servers then leave the JMX deployment console publicly accessible so you can just arbitrarily upload and execute any WAR payload you like. Because yes, leaving JMX unauthenticated and open t'internet is still a thing in 2020. As, amazingly, is leaving Cisco Smart Install similarly open on legacy IOS kit that didn't get the CVE-2018-0171 patch so you can extract the router config and associated credentials... or even overwrite it entirely.

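The upload-directory point in the exchange above, from the defender's side: an added example, not code from anyone on the thread, that sweeps an upload directory for files whose bytes do not match their extension, that carry a server-side script opener, or that have been made executable. It assumes POSIX sh with od, dd and mktemp, and the sample directory it builds is constructed.

```shell
#!/bin/sh
# Added example, not code from any poster on the thread. Sweeps a web upload
# directory for files that do not look like what their extension claims,
# which is how a script pushed through an unauthenticated upload form tends
# to sit on disk: a ".jpg" or ".png" that really starts with a script tag.
# Assumes POSIX sh plus od, dd and mktemp; the sample directory is constructed.

# magic_ok FILE EXT: succeed when FILE's leading bytes match what EXT claims.
magic_ok() {
    sig=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    case "$2" in
        png)      [ "$sig" = "89504e47" ] ;;
        jpg|jpeg) [ "${sig%??}" = "ffd8ff" ] ;;   # ffd8ff + one marker byte
        gif)      [ "$sig" = "47494638" ] ;;
        *)        return 0 ;;                      # no magic known for this type
    esac
}

# has_script_tag FILE: succeed when a server-side script opener appears in
# the first 4 KiB, where a polyglot "image" would carry it.
has_script_tag() {
    dd if="$1" bs=4096 count=1 2>/dev/null | grep -q -e '<?php' -e '<%' -e '#!/'
}

# scan_uploads DIR: print "REASON<TAB>PATH" per finding; succeed only if clean.
scan_uploads() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}; ext=${base##*.}
        [ "$ext" = "$base" ] && ext=""              # no extension at all
        ext=$(printf '%s' "$ext" | tr 'A-Z' 'a-z')
        if has_script_tag "$f"; then
            printf 'script-content\t%s\n' "$f"; n=$((n + 1))
        elif ! magic_ok "$f" "$ext"; then
            printf 'bad-magic\t%s\n' "$f"; n=$((n + 1))
        fi
        if [ -x "$f" ]; then
            printf 'executable\t%s\n' "$f"; n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# make_sample: build a constructed upload directory (not real evidence) with
# a genuine PNG header, an "image" that is really a script, a plain note and
# a GIF someone has made executable; print the directory path.
make_sample() {
    d=$(mktemp -d)
    printf '\211PNG\r\n\032\n' > "$d/avatar.png"
    printf '<?php echo "constructed sample"; ?>\n' > "$d/photo.jpg"
    printf 'just a note\n' > "$d/readme.txt"
    printf 'GIF89a' > "$d/banner.gif"; chmod +x "$d/banner.gif"
    printf '%s\n' "$d"
}

sample=$(make_sample)
scan_uploads "$sample" || echo "findings in $sample; review before serving this directory"
```

Pair the sweep with the server-side control the thread is really about: the upload directory should be served with script execution disabled, so a file that slips past the check still cannot run.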

One thing they don't mention (or I am blind) is how this thing spreads. If it's a shady attachment in a shady e-mail, I don't think it's a big deal for those who still have a few brain cells...


12 hours ago, Pickles - Lord of the Jar said:

a kernel module that uses rootkit tactics to gain persistence and hide its presence from operating systems and security defenses; a server that runs on attacker-operated infrastructure to control infected machines and receive stolen data; and an agent that uses compromised servers or attacker-control machines to act as an intermediary between infected machines and servers.

12 hours ago, Pickles - Lord of the Jar said:

However, this one seems to be bad enough to hear from the NSA and FBI

It's all just nonsense bullshit. Always remember that the whole practice of intelligence gathering is lying and manipulation. If the intelligence community is saying something, there is a lie, a serious omission, or an ulterior motive somewhere:

https://securelist.com/inside-the-equationdrug-espionage-platform/69203/

https://www.cs.bu.edu/~goldbe/teaching/HW55815/presos/eqngroup.pdf

 

The NSA has been doing this exact thing (and I mean this exact thing) since at least 2001, possibly since 1996, and they have been doing it with the cooperation of component manufacturers. DancingBear is Russia's direct response to EquationGroup.

 

This notion of the US being mad when a different country does this, but conveniently forgetting that they do it too, is a similar idea to another recent event, where the government said that it was wrong and oppressive for a Chinese company to use the social media platform Tik Tok to gather user data, but as soon as Microsoft wants to buy it, it's totally cool and they don't care about the collection of user data anymore. For reference of why it doesn't make a difference: https://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act which was passed in 2015 which, funnily enough, is when "smart" devices started getting popular. hmmmmm...

 

In shorter words: I'll worry about other countries trying to inject persistent malware and steal data when I no longer have to worry about my own government doing it first.


1 hour ago, HM-2 said:

Because yes, leaving JMX unauthenticated and open t'internet is still a thing in 2020

So is phpMyAdmin, I'd like to say we are better than that but some department here actually did that and we picked it up in our external security audit 🤦‍♂️

 

That's the problem with needing self service and control of VMs outside ITS, who the hell knows what people are really doing.


39 minutes ago, straight_stewie said:

whole practice of intelligence gathering is lying 

Yeah it's really not. There's a lot of lying in espionage but the core premise behind intelligence gathering is to obtain information which allows you to accurately predict future events and actions. Being untruthful or inaccurate is inherently not very helpful in the pursuit of that task.

 

The last time I got into a discussion of this nature I got slapped down because "no politics on the forum" but there are entirely sound geopolitical reasons for releasing information like this, not least to allow victim organisations to detect and remediate threats. Explain to me how it's in anyone's interest for the NSA to provide misleading or inaccurate information when basically every infosec firm out there will now be hunting for this activity and looking to publish their own research on the Next Big Exciting Thing?

I mean anyone with a VT subscription and a copy of IDA or Ghidra can literally download the samples and verify their findings.

 

 

As an aside, generally the kinds of people who are more suspicious of their own government than foreign ones aren't particularly interesting espionage targets for either.


When some people finally care about Linux 


7 hours ago, leadeater said:

Humans are by far the least secure out of anything, attack the weakest link.

Some system admins can tell you hours of rage-inducing stories about some of the people in the companies they work for

(not clicking on the only option, simply not googling the problem and then calling the IT department, or clicking on everything they wouldn't if it were their own private device)

