Tag Archive for: linux

A near-miss hack of Linux shows the vulnerability of the internet

/in


One of the most fascinating and frightening incidents in computer security history started in 2022 with a few pushy emails to the mailing list for a small, one-person open source project.

A user had submitted a complex bit of code that was now waiting for the maintainer to review. But a different user with the name Jigar Kumar felt that this wasn’t happening fast enough. “Patches spend years on this mailing list,” he complained. “5.2.0 release was 7 years ago. There is no reason to think anything is coming soon.”.

A month later, he followed up: “Over 1 month and no closer to being merged. Not a suprise.” [sic]

And a month after that: “Is there any progress on this?” Kumar stuck around for about four months complaining about the pace of updates and then was never heard from again.

A few weeks ago, the world learned a shocking twist. “Jigar Kumar” does not seem to exist at all. There are no records of any person by that name outside the pushy emails. He — along with a number of other accounts — was apparently part of a campaign to compromise nearly every Linux-running computer in the world. (Linux is an open source operating system — as opposed to closed systems from companies like Apple — that runs on tens of millions of devices.)

That campaign, experts believe, was likely the work of a well-resourced state actor, one who almost pulled off an attack that could have made it possible for the attackers to remotely access millions of computers, effectively logging in as anyone they wanted. The security ramifications would have been huge.

How to (almost) hack everything

Here’s how events played out: In 2005, software engineer Lasse Collin wrote a series of tools for better-compressing files (it’s similar to the process behind a .zip file). He made those tools available for free online, and lots of larger projects incorporated Collin’s work, which was eventually called XZ Utils.

Collin’s tool became one part of the vast open source ecosystem that powers much of the modern internet. We might think that something as central to modern life as the internet has a professionally maintained structure, but as an XKCD comic published well before the…

Source…

How to Analyse Linux Malware in ANY.RUN

/in


Linux, traditionally viewed as a more secure operating system than Windows, has experienced a notable increase in malware attacks. In 2022, Linux malware incidents surged by 50%, significantly increasing and highlighting the critical need for robust analysis and defense mechanisms.

This article explores the importance of Linux malware analysis and presents detailed case studies using ANY.RUN’s advanced malware analysis platform.

ANY.RUN is a cloud-based environment for analyzing Windows malware and Linux-based samples. Malware analysts, SOC, DFIR teams can safely examine threats, simulate different scenarios, and gain insights into malware behavior to improve cybersecurity strategies.

ANY.RUN also allows researchers to understand malware behavior, collect IOCs, and easily map malicious actions to TTPs—all in our interactive sandbox.

 The Threat Intelligence Lookup platform helps security researchers find relevant threat data from sandbox tasks of ANY.RUN.

The Rising Threat to Linux Systems

Despite Linux’s reputation for enhanced security, its widespread deployment, especially in server environments, has made it an attractive target for cybercriminals.

The prevalence of DDoS botnets on Linux systems underscores the operating system’s vulnerability to sophisticated attacks.

The escalation of Linux malware presents a pressing challenge for cybersecurity professionals, necessitating comprehensive analysis to understand malware behavior and implement effective countermeasures.

Document

Analyse Shopisticated Malware with ANY.RUN

More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..

Importance of Linux Malware Analysis

Analyzing malware samples is pivotal for cybersecurity defenses. Analysts can use detailed examination to identify malware’s operational characteristics, understand its impact on infected systems, and gather indicators of compromise (IOCs).

To protect against Linux-based threats, these tips are essential for setting up Web Application Firewalls (WAF), Security Information and Event Management…

Source…

NoaBot: Another Mirai Botnet Strikes at Linux Devices

/in


Akamai’s team of security experts has discovered a new cryptomining campaign, dubbed NoaBot, leveraging the SSH protocol to spread its malware.

Mirai is a self-propagating worm that can turn consumer devices running Linux on ARC processors into remotely controlled bots. For over seven years now, it’s been used to launch Distributed Denial of Service (DDoS) attacks and, of course, to spread cryptominer malware. That’s where the money is, after all.

Now, Akamai security researchers have discovered a new Mirai variation, NoaBot, that deploys a modified version of the XMRig cryptominer.

What makes this latest version interesting is that instead of relying on Telnet to spread its malware, it used SSH. It does this by initiating a connection, sending a simple “hi” message, and then terminating the connection. This quick scanning strategy aids in keeping a low profile.

It also comes with all the usual Mirai nastiness, such as a scanner module and an attacker module, hiding its process name, etc. NoaBot also seeks to install itself as a crontab entry so that it will run even after an infected device is rebooted. Once in place, it will also try to spread itself to other vulnerable systems.

In addition, it uses an obfuscated configuration and a custom mining pool to disguise itself from investigators. This approach effectively conceals the wallet address, complicating efforts to track the campaign’s profitability.

Interestingly, unlike Mirai, which is usually compiled with GCC, NoaBot is compiled with uClibc. This appears to change how antivirus engines detect the malware. While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures show as an SSH scanner or a generic trojan. The malware also comes statically compiled and stripped of any symbols making reverse engineering it harder.

The P2PInfect Connection

Oddly, there seems to be a link between NoaBot and the P2PInfect worm, This is a peer-to-peer, self-replicating worm written in Rust that targets Redis servers. What’s the point of this? Good question. I wish we had a good answer.

The Akamai security researchers speculate, “The threat actors seem quite tech-savvy, so it could…

Source…

Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

/in


A noticeable difference between NoaBot and Mirai is that rather than DDoS attacks, the botnet targets weak passwords connecting SSH connections to install cryptocurrency mining software.

Cybersecurity researchers at Akamai have discovered cryptomining malware called NoaBot based on the notorious Mirai botnet. The crytojacking malware NoaBot is currently targeting Linux servers and has been active since January 2023.

According to Akamai, a noticeable difference between NoaBot and Mirai is that rather than DDoS attacks (Distributed Denial of Service attacks), the malware targets weak passwords connecting SSH connections and installs cryptocurrency mining software, allowing attackers to generate digital coins using victims’ computing resources, electricity, and bandwidth.

Here, it is important to mention that NoaBot malware has also been used to deliver P2PInfect, a separate worm discovered by Palo Alto Networks in July 2023.

NoaBot is compiled using the UClibc code library, unlike the standard Mirai library. This changes how the antivirus protections detect NoaBot, categorizing it as an SSH scanner or generic trojan. The malware is statically compiled and stripped of symbols, while strings are obfuscated instead of saved as plaintext, making it harder for reverse engineers to extract details.

The NoaBot binary runs from a randomly generated folder, making searching devices harder. The standard Mirai dictionary is replaced with a large one, and a custom-made SSH scanner is used. Post-breach capabilities include installing a new SSH-authorized key.

This botnet has grown significantly, with over 800 unique IP addresses worldwide showing signs of NoaBot infections. The worm is a customized version of Mirai, a malware that infects Linux-based servers, routers, web cameras, and other Internet of Things devices.

Interestingly, the malware includes embedded song lyrics from the “Who’s Ready for Tomorrow” song by Rat Boy and IBDY, but later samples do not have these. The botnet also adds command line arguments, such as the “noa” flag, which installs a persistence method after a reboot.

Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer
Screenshot: Akamai
Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer
Screenshot: Akamai

Threat actors…

Source…