Pickles - Lord of the Jar

NSA and FBI warn that new Linux malware threatens national security

Posted · Original PosterOP

The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information, and execute malicious commands.

 

In a report that’s unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that has gone undetected until recently. The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency that has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage to national security.

 

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 US Presidential Election as described in the 2017 Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections (Office of the Director of National Intelligence, 2017),” officials from the agencies wrote.

The Drovorub toolset includes four main components: a client that infects Linux devices; a kernel module that uses rootkit tactics to gain persistence and hide its presence from operating systems and security defenses; a server that runs on attacker-operated infrastructure to control infected machines and receive stolen data; and an agent that uses compromised servers or attacker-controlled machines to act as an intermediary between infected machines and servers.

Agency officials said that a key defense against Drovorub is to ensure that all security updates are installed. The advisory also urged that, at a minimum, servers run Linux kernel version 3.7 or later so that organizations can use improved code-signing protections, which use cryptographic certificates to ensure that an app, driver, or module comes from a known and trusted source and hasn’t been tampered with by anyone else.

Well, another virus, another day. However, this one seems to be bad enough to hear from the NSA and FBI... Apparently Russian influence as well. Either way, let's hope that those who could be infected pay heed and follow recommendations. Then again, that hope may just be wishful thinking...

It just goes to show you: no matter how secure a system is, those who want in will find a way.

Source


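The quoted advisory text boils down to two checks a Linux admin can actually run: is the kernel 3.7 or later (the first version with module signature support), and is unsigned-module rejection actually switched on? The script below is an added example written for this thread, not code from the NSA/FBI advisory or from the article. The sysfs and /proc paths it reads are standard kernel interfaces; the lockdown check is my own addition, since a kernel in lockdown "integrity" mode or stricter also refuses unsigned modules.

```python
"""Check a Linux host for the two mitigations named in the quoted advisory text:
a kernel new enough to carry module signing (3.7+) and signing actually enforced.
Added example for this thread; not code from the NSA/FBI advisory.
The lockdown check is an addition: lockdown 'integrity' or stricter also refuses
unsigned modules on kernels that have the lockdown LSM."""
import os
import re
from pathlib import Path

MIN_KERNEL = (3, 7)  # CONFIG_MODULE_SIG first shipped in 3.7


def parse_kernel_version(release: str) -> tuple:
    """'5.4.0-42-generic' -> (5, 4, 0); distro suffixes after the numbers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def kernel_supports_module_signing(release: str) -> bool:
    return parse_kernel_version(release)[:2] >= MIN_KERNEL


def sig_enforce_from_sysfs(value) -> bool:
    """/sys/module/module/parameters/sig_enforce reads 'Y' when unsigned modules
    are rejected; the file is absent entirely if CONFIG_MODULE_SIG is not built in."""
    return value is not None and value.strip().upper() == "Y"


def sig_enforce_from_cmdline(cmdline: str) -> bool:
    """module.sig_enforce=1 on the kernel command line turns enforcement on at boot."""
    return "module.sig_enforce=1" in cmdline.split()


def lockdown_mode(value):
    """/sys/kernel/security/lockdown looks like 'none [integrity] confidentiality';
    the bracketed word is the active mode. None when the file is missing."""
    if value is None:
        return None
    m = re.search(r"\[(\w+)\]", value)
    return m.group(1) if m else None


def assess(release, sig_enforce_sysfs, cmdline, lockdown_sysfs) -> dict:
    """Combine the raw readings into the two yes/no answers the advisory asks for."""
    lockdown = lockdown_mode(lockdown_sysfs)
    enforced = (
        sig_enforce_from_sysfs(sig_enforce_sysfs)
        or sig_enforce_from_cmdline(cmdline)
        or lockdown in ("integrity", "confidentiality")
    )
    return {
        "new_enough": kernel_supports_module_signing(release),
        "signing_enforced": enforced,
        "lockdown": lockdown,
    }


def _read(path):
    try:
        return Path(path).read_text()
    except OSError:
        return None


def check_live_host() -> dict:
    """Run the same assessment against the kernel this script is executing on."""
    return assess(
        os.uname().release,
        _read("/sys/module/module/parameters/sig_enforce"),
        _read("/proc/cmdline") or "",
        _read("/sys/kernel/security/lockdown"),
    )


if __name__ == "__main__":
    for key, val in check_live_host().items():
        print(f"{key}: {val}")
```

On a lot of distro kernels this prints new_enough: True but signing_enforced: False: the kernel carries signing support without forcing it, and enforcement only switches on via module.sig_enforce=1 or via Secure Boot putting the kernel into lockdown. That gap is the point of the check; the version number alone is not the mitigation.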

It’s because almost all our servers run on Linux...

 

And it also looks like if you’re updated you’re good, so no biggie IMO.

 

And haha, funny: probably using Kali Linux to hack other Linux distros, haha funny.



Well, I'm sure that just because of Linux being open source it will be fixed in a short time.



As interest in any product increases so does interest from criminals.

 

Linux has had a pretty meteoric rise in popularity over the last decade or so thanks in no small part to Valve pushing gaming on the platform.

 

This is probably something we'll see much much more of in the coming years. The hackers are starting to get interested.

 

Open source is both a blessing and a curse. It means the criminals can access the entire code base with little effort but it also means the good guys can see the code and fix it without a corporate structure getting in the way.


Just now, Ashley xD said:

lInUx DoEsN't GeT vIrUsEs

Don't forget the Macs too.

In all seriousness, every OS can get infected with a virus; the question is how difficult it is to infect the OS with a virus under normal use.

Mac and Linux are more secure than Windows, and Linux has lots of eyes looking at the source code (being open source is a great thing).



Glad I moved to Windows.

 

But I still need an antivirus.

 

(I have Bitdefender Free)


5 hours ago, Pickles - Lord of the Jar said:

Russian state hackers

I think this is the US's new favourite scapegoat.


3 hours ago, Vishera said:

Mac and Linux are more secure than Windows,and Linux has lots of eyes looking at the source code (being open source is a great thing)

I'm sure if Mac or Linux had the same mass-scale desktop deployment as Windows, the human ability to be idiots would plague both just as much as it does Windows. Do you really think most Windows systems get compromised by remote execution vulnerabilities and privilege escalation vulnerabilities? Most get nuked by people doing dumb things, granting admin privileges to anything and everything.

 

Humans are by far the least secure out of anything, attack the weakest link.

Just now, leadeater said:

I'm sure if Mac or Linux had the same mass-scale desktop deployment as Windows, the human ability to be idiots would plague both just as much as it does Windows. Do you really think most Windows systems get compromised by remote execution vulnerabilities and privilege escalation vulnerabilities? Most get nuked by people doing dumb things, granting admin privileges to anything and everything.

 

Humans are by far the least secure out of anything, attack the weakest link.

You are not wrong, but it's so easy to run stuff as an Administrator in Windows. In Linux and Mac you need to enter a password to do that.


3 minutes ago, Vishera said:

You are not wrong, but it's so easy to run stuff as an Administrator in Windows. In Linux and Mac you need to enter a password to do that.

Well, like that would actually help much though; you're going to put it in anyway. Yes/No? Type password? They are both asking the same thing. And no doubt user demand would eventually get the password requirement for a lot of things reduced to Yes/No as well.

 

It's not like UAC got like it is now for no reason; it used to be way more invasive, like Linux, but everyone hated it, so here we are.

12 minutes ago, leadeater said:

I'm sure if Mac or Linux had the same mass-scale desktop deployment as Windows, the human ability to be idiots would plague both just as much as it does Windows. Do you really think most Windows systems get compromised by remote execution vulnerabilities and privilege escalation vulnerabilities? Most get nuked by people doing dumb things, granting admin privileges to anything and everything.

 

Humans are by far the least secure out of anything, attack the weakest link.

Isn't Linux more prevalent for stuff like servers, which are much higher priority targets than some grandpa's dusty PC? So it's not like there isn't a lot of interest in finding vulnerabilities in Linux.

6 minutes ago, spartaman64 said:

Isn't Linux more prevalent for stuff like servers, which are much higher priority targets than some grandpa's dusty PC? So it's not like there isn't a lot of interest in finding vulnerabilities in Linux.

Yes, but more so in web hosting, and you don't have that nice weak human link like desktop systems. Linux systems get compromised through things like old versions of PHP that nobody ever updates, etc. Which, sure, is sort of the result of a human weakness, but it's a lot harder than scraping emails from websites and directories and sending phishing emails, which odds are someone will fall victim to; then you have an entire address book and possibly a system with some level of malware on it. It's a spiraling pit of doom and is precisely why cryptolockers were/are so prevalent, but 99 times out of 100 no exploit was used and the user simply ran it and granted admin rights. AVs can only do so much when it's so easy to generate new obfuscated versions of them.

6 hours ago, Master Disaster said:

As interest in any product increases so does interest from criminals.

 

Linux has had a pretty meteoric rise in popularity over the last decade or so thanks in no small part to Valve pushing gaming on the platform.

 

This is probably something we'll see much much more of in the coming years. The hackers are starting to get interested.

 

Open source is both a blessing and a curse. It means the criminals can access the entire code base with little effort but it also means the good guys can see the code and fix it without a corporate structure getting in the way.

Keep in mind, the server usage of Linux is far far far greater than the desktop usage of it—and that’s been true for decades. Linux runs the Internet, hence it’s a big target for hackers. 


7 hours ago, Master Disaster said:

Linux has had a pretty meteoric rise in popularity over the last decade or so thanks in no small part to Valve pushing gaming on the platform.

No one cares about you gaming on Pop OS.

 

The important part is the server usage. Linux is basically 100% server OS market share.


17 minutes ago, BlueScope819 said:

Linux is basically 100% server OS

Agreed for the most part, though Linux only comprises about 13.5% of global server market share as of 2019. Far greater than its desktop saturation, but still a very long way behind Windows. Where Linux variants are really prevalent is within the hardware space: infrastructure within telcos, network switches and appliances of all shapes and sizes, SOHO and home routers, right down to IoT dreck.

 

2 hours ago, leadeater said:

Linux systems get compromised through things like old versions of PHP that nobody ever updates etc

This sort of thing (well, JBoss/WildFly, Tomcat, Struts2 and, over the last year or so, a huge glut of SSL VPN products including Citrix and Pulse Secure) accounts for a big chunk of it, but misconfiguration and failure to implement proper hardening also account for a lot of compromises. You don't need to dig around for a viable exploit if someone's left remote file upload functionality open to world+dog and you can just push a web shell straight onto the server using nothing more than an entirely legitimate HTTP POST request.



Laughs in Windows

/s


1 hour ago, HM-2 said:

You don't need to dig around for a viable exploit if someone's left a remote file upload functionality open to world+dog and you can just push a web shell straight onto the server using nothing more than an entirely legitimate HTTP POST request.

Getting the file there is only half of it; you either need to find a way to also get it moved into wwwroot or to some other location the webserver will actually let you address and also execute the code. Dumping PHP shell files in an upload dir doesn't actually allow you to exploit the system by that alone.

1 hour ago, leadeater said:

Getting the file there is only half of it, you either need to find a way to also get it moved in to wwwroot or to some other location the webserver will actually let you to address and also execute the code. 

I wasn't suggesting it was a viable one-size-fits-all solution across all server platforms; it was more a subtle dig at people who set up JBoss servers then leave the JMX deployment console publicly accessible so you can just arbitrarily upload and execute any WAR payload you like. Because yes, leaving JMX unauthenticated and open t'internet is still a thing in 2020. As, amazingly, is leaving Cisco Smart Install similarly open on legacy IOS kit that didn't get the CVE-2018-0171 patch, so you can extract the router config and associated credentials... or even overwrite it entirely.


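The two posts above between them describe the whole pattern: something gets POSTed to the server (an upload form, a JMX deploy of a WAR), and the compromise only becomes real once the server is asked for the resulting script and executes it. That second half is what shows up in an access log. The script below is an added example for this thread, not code from either poster or from any project; it reads combined-format access-log lines and flags a client that POSTs something and then, within a short window, gets a 200 back for a server-side script nobody had requested before. The log lines are constructed for the example, including a JBoss-style JMX console line and a garbage line to show the parser ignoring it.

```python
"""Flag the upload-then-execute pattern in web server access logs: a POST from a
client followed, within a window, by the same client fetching a server-side
script the server had not served before, with a 200 response.
Added example for this thread, not from any project; SAMPLE_LOG is constructed."""
import os
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Extensions the web server executes rather than serves as static bytes.
EXEC_EXT = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".war"}

# Apache/nginx combined format: client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = [  # constructed sample, not a real capture
    '203.0.113.7 - - [14/Aug/2020:09:58:10 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Aug/2020:10:00:01 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Aug/2020:10:00:03 +0000] "GET /uploads/cmd.php?cmd=id HTTP/1.1" 200 87 "-" "curl/7.68.0"',
    '10.0.0.5 - - [14/Aug/2020:10:00:09 +0000] "GET /uploads/cmd.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '192.168.1.20 - - [14/Aug/2020:10:05:00 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [14/Aug/2020:10:05:04 +0000] "GET /uploads/holiday.jpg HTTP/1.1" 200 90231 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [14/Aug/2020:10:05:06 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '172.16.0.9 - - [14/Aug/2020:10:20:30 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '172.16.0.9 - - [14/Aug/2020:10:20:45 +0000] "GET /backdoor/cmd.jsp?cmd=whoami HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    'this line is not in log format',
]


def parse_line(line: str):
    """Parse one access-log line into a dict; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": urlsplit(m["path"]).path,  # drop the query string
        "status": int(m["status"]),
    }


def detect_webshell_uploads(lines, window=timedelta(minutes=10), baseline=()):
    """One finding per (client, script) where the script was first served with 200
    shortly after a POST from that client. `baseline` lists script paths already
    known to be legitimate, so a cold-start run does not flag normal pages."""
    known = set(baseline)   # executable paths already served successfully
    recent_posts = {}       # client ip -> [(time, path)] of its POSTs
    hits = {}               # (client ip, script path) -> finding
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        is_script = rec["status"] == 200 and os.path.splitext(path)[1].lower() in EXEC_EXT
        if is_script:
            key = (ip, path)
            if key in hits:
                hits[key]["requests"] += 1  # the shell is being used again
            elif path not in known:
                for post_ts, post_path in recent_posts.get(ip, []):
                    if post_path != path and timedelta(0) <= rec["ts"] - post_ts <= window:
                        hits[key] = {"ip": ip, "path": path, "preceding_post": post_path,
                                     "first_seen": rec["ts"], "requests": 1}
                        break
            known.add(path)
        if rec["method"] == "POST":
            recent_posts.setdefault(ip, []).append((rec["ts"], path))
    return list(hits.values())


if __name__ == "__main__":
    for hit in detect_webshell_uploads(SAMPLE_LOG):
        print(f"{hit['ip']} POSTed to {hit['preceding_post']} then ran "
              f"{hit['path']} ({hit['requests']} request(s), first {hit['first_seen']})")
```

On the sample this reports the PHP shell under /uploads and the JSP dropped after the JMX console POST, and nothing for the client who uploaded a JPEG or for plain /index.php views. Pass a baseline of your site's real script paths on the first run; without one, a login POST followed by the first-ever view of some dashboard.php looks the same as the attack, which is exactly leadeater's point that the upload alone is not the exploit.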

Something something "take that you Linux neckbeards" something something



One thing they don't mention (or I am blind) is how this thing spreads. If it's a shady attachment of a shady e-mail, I don't think it's a big deal for those who still have a few brain cells...

12 hours ago, Pickles - Lord of the Jar said:

a kernel module that uses rootkit tactics to gain persistence and hide its presence from operating systems and security defenses; a server that runs on attacker-operated infrastructure to control infected machines and receive stolen data; and an agent that uses compromised servers or attacker-control machines to act as an intermediary between infected machines and servers.

12 hours ago, Pickles - Lord of the Jar said:

However, this one seems to be bad enough to hear from the NSA and FBI

It's all just nonsense bullshit. Always remember that the whole practice of intelligence gathering is lying and manipulation. If the intelligence community is saying something, there is a lie, a serious omission, or an ulterior motive somewhere:

https://securelist.com/inside-the-equationdrug-espionage-platform/69203/

https://www.cs.bu.edu/~goldbe/teaching/HW55815/presos/eqngroup.pdf

 

The NSA has been doing this exact thing (and I mean this exact thing) since at least 2001, possibly since 1996, and they have been doing it with the cooperation of component manufacturers. DancingBear is Russia's direct response to EquationGroup.

 

This notion of the US being mad when a different country does this, but conveniently forgetting that they do it too, is a similar idea to another recent event, where the government said that it was wrong and oppressive for a Chinese company to use the social media platform Tik Tok to gather user data, but as soon as Microsoft wants to buy it, it's totally cool and they don't care about the collection of user data anymore. For reference on why it doesn't make a difference: https://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act which was passed in 2015, which, funnily enough, is when "smart" devices started getting popular. Hmmmmm...

 

In shorter words: I'll worry about other countries trying to inject persistent malware and steal data when I no longer have to worry about my own government doing it first.


1 hour ago, HM-2 said:

Because yes, leaving JMX unauthenticated and open t'internet is still a thing in 2020

So is phpMyAdmin, I'd like to say we are better than that but some department here actually did that and we picked it up in our external security audit 🤦‍♂️

 

That's the problem with needing self service and control of VMs outside ITS, who the hell knows what people are really doing.

39 minutes ago, straight_stewie said:

whole practice of intelligence gathering is lying 

Yeah it's really not. There's a lot of lying in espionage but the core premise behind intelligence gathering is to obtain information which allows you to accurately predict future events and actions. Being untruthful or inaccurate is inherently not very helpful in the pursuit of that task.

 

The last time I got into a discussion of this nature I got slapped down because "no politics on the forum", but there are entirely sound geopolitical reasons for releasing information like this, not least to allow victim organisations to detect and remediate threats. Explain to me how it's in anyone's interest for the NSA to provide misleading or inaccurate information when basically every infosec firm out there will now be hunting for this activity and looking to publish their own research on the Next Big Exciting Thing?

 

I mean, anyone with a VT subscription and a copy of IDA or Ghidra can literally download the samples and verify their findings.

 

 

As an aside, generally the kinds of people who are more suspicious of their own government than foreign ones aren't particularly interesting espionage targets for either.



When some people finally care about Linux 

