August 2022 - TuxCare

Linux Malware Reach All-Time High In 2022

Although Linux is the most private and secure operating system, according to AtlasVPN, it has seen an increase in malware samples.

The results showed that Linux malware grew exponentially in the first half of 2022, reaching an all-time high after 1.7 million samples were discovered by researchers.

While most malware sampling took place in the first half of 2022, malware samples recorded in the first half of 2022 between January and June 2022 increased by almost 650% from 226,324 to nearly 1.7 million. The trend however continued, albeit at a reduced pace.

The increase in malware samples targeting Linux remains surprising, and it underscores a new trend of attackers focus on Linux. Although a short decline has been recorded, it remains unclear whether more malware samples will target Linux or whether the decline in malware samples will continue.

Researchers found that April had the highest number of malware samples registered, with 400,931. The report found that the huge increase in malware samples follows a massive decline that was already recorded between the fourth quarter of 2021 and the first quarter of 2022.

At one point, a 2% decline was recorded, but the decline did not last long.

According to AtlasVPN, the “cumulative number of new Linux malware samples in H1 2022 was 31% higher than the number of such samples in the whole of 2022.”

However, despite the massive increase in Linux malware samples, Windows takes the lead as the most malware-infected operating system. AtlasVPN acknowledged Windows position stating that “41.4 million newly programmed Windows malware samples were identified in H1 2022.”

Linux remains a secure operating system for developers and other users. The operating systems provide various security features, including an open source framework, user privilege model, and built-in kernel security defenses.

The sources for this piece include an article in MUO.

241 Npm and PyPI Packages Drops Linux Cryptominers

Researchers be have uncovered at least 241 malicious Npm and PyPI packages that drop cryptominers after infecting Linux machines.

These malicious packages are largely typosquats of widely used libraries and each one of them downloads a Bash script on Linux systems that run cryptominers.

Lübbers discovered “at least 33 projects” on PyPI that launched XMRig, an open source Monero cryptominer after infecting a system.
While trying to report the processes for the 33 projects to PyPI, the researcher uncovered another 22 packages with the same malicious payload published by the threat actor.

“After I reported them to PyPI, they were quickly deleted – but the malicious actor was still in the process of uploading more packages, and uploaded another 22. The packages targeted Linux systems and installed crypto mining software XMRig,” explain Lübbers.

According to tbe researcher, the python packages contain codes that downloads the BASH script from the threat actor’s sever via URL shortener. The shortened link then redirects to the script hosted on 80.78.25[.]140:8000.

After it is executed, the script notifies the threat actor of the IP address of the compromised host and if the deployment of cryptominers succeed.

“I found these packages through a little side project of mine, which I call the Package Observatory Club. It queries and stores metadata about all new packages uploaded to PyPI and and runs some heuristics. If it looks suspicious enough it alerts me and I take a look,” the researcher further clarified.

NPM also known as Node Package Manager is an online repository for the publishing of open-source Node.js projects. It is also a command-line utility for interacting with said repository that aids in package installation, version management, and dependency management.

Admins are advised to take security measures to protect their servers from these attacks.

The sources for this piece include an article in BleepingComputerBleepingComputer.

New Linux 5.19 Kernel Offers Major Apple Silicon Support Upgrade

Linux Torvalds, the main developer of the Linux kernel used by the Linux distribution and other operating systems such as Android, has revealed the latest Linux 5.19, which offers several delicious features.

Torvalds announced the new Linux update using an Apple silicon-powered MacBook Air laptop running Asahi Linux.

In his message announcing the update, Torvalds explained that it was his third time using a Mac, the first being a PoweredPC-based device and later an earlier MacBook Air.

Apple Silicon is the company’s custom-made processor chips in its Macbook laptops. Apple’s silicon chips are ARM-based, meaning they use a different chip architecture than the chip provided by the company’s former supplier, Intel.

Apple first launched its silicon chips with the MacBook Air at the end of 2020 and the MacBook Pro with the name M1 chips. Subsequently, the company introduced Apple Silicon chips in almost all other Macs. Upgrades for the silicon chips were released with the M1 Pro, Max, Ultra and M2 chips, among others.

In addition to compatibility with Apple Silicon, the processor chip in Apple’s latest products, Linux 5.19 also offers other unique features. These include support for AMD’s Secure Nested Paging feature, a new user-space API for managing MultiPath TCP (MPTCP) flows, initial support for Loongson’s “LoongArch” RISC ISA CPU architecture, and support for the ARM Scalable Matrix Extension (SME).

It also supports page-based memory types in supervisor mode and the ability to run 32-bit binaries on 64-bit systems for RISC-V architectures. It also supports SMP coprocessors, KCSAN, and hibernation on the Xtensa architecture.

There is a new Intel “in-field scan” mechanism for detecting problems in Intel CPUs running Linux 5.19. It also supports storing billions of advanced attributes with any inode. A new “logged attribute replay” feature allows multiple extended files that are attributed to be modified in an atomic manner in the XFS file system at the same time.

The sources for this piece include an article in MUO.

Researchers Share Roadmap for Strengthening Linux Defenses

BlackBerry threat researchers have shared common tactics and strategies to better protect Linux systems from cyberattacks. To create a viable way to security, researchers investigated three ransomware families Symbiote, Orbit, and Red Alert ransomware.

According to the researchers, the most important tactics to focus on are MITRE TA0005 (defense) invasion and TA0007 (discovery). The above tactic represents events early in the attack chain and if it is detected in time, defenders can help to mitigate activities such as access permissions, lateral movement or lateral movement. It also helps to mitigate an attack before a ransomware payload is launched.

Tactics, techniques and procedures (TTPs) used by attackers to bypass detection use tools such as cURL and Wget, which are used to pull files, proxy scripts, especially SOCKS5 proxies, reverse or otherwise, and toolkits.

The researchers pointed out that attackers are now targeting virtual environments VMs in the private cloud. Attackers are targeting the hypervisors to compromise the entire VM infrastructure instead of encrypting the file on a single virtual machine.

They found that two of the largest ransomware families (LockBit and BlackBasta) now have ESXi-specific variants as well as Linux variants for encryption.

Countermeasures to protect against these attacks include preparing for a possible attack and conducting Purple Team tests to emulate threat actors, determine effectiveness and assess gaps.

Other tips include avoiding the use of generic playbooks to protect against ransomware; evaluating recovery plans and posture, early and often; the application of a zero-trust approach to network and data access; the reduction of the attack surface and the application of a policy with the least privileges, as well as the timely application of patches.

The sources for this piece include an article in BlackBerry.

Malicious PyPI package installs Crytominer on Linux Systems

A malicious PyPI package identified as secretslib is used by Monero cryptominer on Linux systems. The malicious package activity was uncovered by security researchers at Sonatype.

Although secretslib describes itself as “secrets matching and verification made easy,” careful research by researchers shows that the package is embedded with the ability to run cryptominers on users’ Linux machines directly from their RAM.

After the installation, secretslib downloads a file called tox and gives it permission to execute, and run at an elevated level. As soon as it runs, the files are deleted. According to researchers, the malicious code dropped by tox is a cryptominer that mines the privacy coin Monero.

Researchers explained that “tox” is an executable Linux file, an ELF binary that is stripped. Stripping an executable file means removing debugging information contained in it that would otherwise help a reverse engineer understand what the program does.

“The package covertly runs cryptominers on your Linux machine in memory (directly from your RAM), a technique largely employed by fileless malware and crypters. The package covertly runs cryptominers on your Linux machine in memory (directly from your RAM), a technique largely employed by fileless malware and crypters,” Sonatype researcher Ax Sharma said in a report.

While the package claims to help synchronize and verify secrets, researchers have been unable to identify any code that would help a developer “synchronize” or verify secrets of any kind.

The sources for this piece include an article in DEVELOPER.

Luckymouse Takes aim at Windows, Linux Systems via Mimi Chat App

According to an advisory published by Trend Micro, the Luckymouse threat actor is said to have compromised the cross-platform messaging app MiMi to install backdoors on Windows, macOS and Linux.

Trend Micro explained that the attacker, who also identifies as Emissary Panda, APT27 and Bronze Union, modifies installer files and uses the armed version of the chat platform MiMi to install remote access trojan samples.

After modifying installer files, Luckymouse would download the weaponized version of MiMi and install remote access trojan (RAT) HyperBro samples for the Windows operating system and a Mach-O binary called “rshell” for Linux and macOS.

“While this was not the first time the technique was used, this latest development shows Iron Tiger’s interest in compromising victims using the three major platforms: Windows, Linux and macOS. While we were unable to identify all the targets, these targeting demographics demonstrate a geographical region of interest. Among those targets, we could only identify one of them, a Taiwanese gaming development company,” Trend Micro Advisory states.

In a separate advisory published by the security firm SEKOIA, the Luckymouse MiMi attack was attributed to Chinese actors.

“As this application’s use in China appears low, it is plausible it was developed as a targeted surveillance tool. It is also likely that, following social engineering carried out by the operator’s, targeted users are encouraged to download this application, purportedly to circumvent Chinese authorities’ censorship,” SEKOIA explained in its advisory.

The sources for this piece include an article in OODALOOP.

New Linux exploit “Dirty Cred” revealed

Zhenpeng Lin, a PhD student, and other researchers have uncovered a new Linux Kernel exploitation called Dirty Cred. The flaw tracked as CVE-2022-2588 was unveiled at Black Hat security conference last week.

Dirty Cred is a use-after-free bug in route4_change in the net/sched/cls_route.c filter implementation found the Linux kernel. This bug allows a local privileged attacker to crash the system resulting in a local privileged escalation problem.

In order to detect the exploit, Lin worked on an alternative approach to a preciously discovered “Dirty Pipe” vulnerability that was targeted at Linux kernel version 8 and later.

Lin’s team was able to uncover a way to exchange Linux kernel data on systems that are vulnerable to Dirty Pipe and the new Dirty Cred.

The researchers’ generic approach can be applied to containers as opposed to Dirty Pipe and Android, ultimately “enabling various bugs to be Dirty Pipe-like.”

The approach to exploit the vulnerability can be used to elevate a low privileged user on two different systems such as Centos 8 and Ubuntu with similar exploit code.

Since privileged credentials are not isolated from non-privileged credentials, an attacker may attempt to exchange them. In the case of Dirty Cred, data can be modified to ensure privilege escalation by releasing an in-use unprivileged credentials to allocate privileged space in the freed memory slot. This enable attackers operate as a privileged user.

To protect systems from Dirty Cred attacks, researchers recommend isolating privileged credentials from unprivileged credentials and using virtual memory to prevent cross-cache attacks. Also, a patch is already available on GitHub and consist of isolating task cred using vmalloc.

The sources for this piece include an article in esecuritypanel.

VPN On Linux: Pros And Cons of Using VPN on Linux

Linux is an operating system just like Windows, iOS and MacOS. Android is powered by Linux OS. Operating system is basically software that controls the communication between a software and a hardware.

A VPN (virtual private network) is a privacy tool that provides users with online privacy and anonymity. To achieve this goal, a VPN creates a private network from a public internet connection.

In order to provide users with the necessary privacy, VPNs mask users internet protocol (IP) address so that their online actions are virtually undetectable. VPNs are therefore capable of establishing secure and encrypted connections that offer users more privacy than even a secure Wi-Fi hotspot.

Using VPN under Linux can be a very good initiative, which also has its weaknesses.

Some benefits of using VPN on Linux include privacy, security, unblocking websites, torrenting and eliminating bandwidth throttling.

For privacy, a VPN can help keep users anonymous, as it has the ability to disguise their IP address and encrypt their connection.

Now that users are anonymous, their security is better ensured, and since they will receive a new IP address every time they go online, it will be difficult to track users, and this could also help to reduce doxing- and DDoS-attacks.

With VPN, users can access websites that are restricted to them due to location and other factors.

Due to its torrenting capabilities, VPNs can keep Linux users private when downloading OS ISO files over P2P networks.

With VPN, users can download files that are restricted by their Internet Service Providers (ISPs). This is possible because a VPN disguises the traffic of users, making it impossible to restrict their access.

There are several disadvantages of using VPN on Linux, some of which involve a delay in connection speed, can sometimes not guarantee security and privacy, the ability to be tracked, and are ultimately difficult to configure.

VPN can delay connection speed and this could be caused by several factors such as location, server availability and internet connection speed.

Users may not get the security and privacy they want when using a VPN, especially those that are offered for free. Paid VPNs offer stronger encryption and security, but do not guarantee maximum security and privacy.

On website tracking, VPN users can be tracked when they visit websites that require the use of cookies or the provision of information because these websites use their real public IP address.

Using VPN on Linux is fraught with configuration difficulties, users may be forced to configure the VPN themselves, and since it is critical that they configure it correctly, a lot of time and formality may be required.

The sources for this piece include an article in LinuxSecurity.

PHP Extended Lifecycle Support and cPanel integration

PHP is used to power a vast number of websites on the Internet, some of which will be hosted side-by-side on the same system. When using cPanel to manage those websites, the PHP Extended Lifecycle Support offering will be tightly integrated into cPanel’s PHP Selector, allowing for easier configuration on a site-by-site basis.


Continue reading “PHP Extended Lifecycle Support and cPanel integration”

PHP Extended Lifecycle Support: A deeper look

PHP Extended Lifecycle Support provides security updates and versions if you’re interested in maintaining compatibility with existing PHP code while remaining secure against the latest language-level vulnerabilities.


Continue reading “PHP Extended Lifecycle Support: A deeper look”


State of Enterprise Linux Cybersecurity ... Read More State of Enterprise Linux Cybersecurity ...
Dangerous remotely exploitable vulnerability ... Read More Dangerous remotely exploitable vulnerability ...
Securing confidential research data ... Read More Securing confidential research data ...
State of Enterprise Vulnerability Detection ... Read More State of Enterprise Vulnerability Detection ...
Demand for Rapid Risk Elimination for ... Read More Demand for Rapid Risk Elimination for ...
TuxCare Free Raspberry Pi Patching Read More TuxCare Free Raspberry Pi Patching