CISA Warns of New Malware Exploiting Known Kernel Vulnerabilities
Last year, CISA created a list of vulnerabilities being actively exploited and a list of applications directly affected by those vulnerabilities. Over time, the list has been updated to reflect new and emerging threats.
Very recently, a new piece of malware was discovered, and CISA added two new vulnerabilities to that list, as they are being actively exploited by the malware to spread into new target systems.
The malware in question is called “Shikitega”, identified by AT&T’s Alien Labs in September. It targets systems running Linux, including IoT devices, and gains full system access by leveraging known exploits on the Linux kernel. So far, it has been used to deploy cryptocurrency miners to affected systems, but this type of malware is usually flexible enough to deploy different payloads to different targets (for example, ransomware instead of a cryptominer).
The two vulnerabilities are CVE-2021-4034 and CVE-2021-3493. Both were identified, as the identifier implies, in 2021, and both have patches available. The fact that there are still systems vulnerable to them speaks to how slow proper patching processes are in many organizations.
CVE-2021-4034, better known by the name PwnKit, made the rounds across a number of news sites, helped by the fact that its exploit was both reliable and relatively easy to trigger, and by how widespread it was, since pkexec, its target, is present in most (all?) Linux systems. A more detailed description can be found in the TuxCare blog here.
The other vulnerability, CVE-2021-3493, is a bug in the OverlayFS implementation, and was used in conjunction with PwnKit to obtain elevated privileges on the target systems.
By adding those vulnerabilities to the Known Exploited Vulnerabilities Catalog, CISA has provided a strict deadline to federal agencies by which they must fix those flaws in the systems they manage.
If you are still running systems not patched against these and many other Linux kernel vulnerabilities, you should reconsider your patch management operations and look at a disruption-free alternative to traditional patching: KernelCare’s Live Patching service. Vulnerabilities are patched quickly by KernelCare, providing the protection necessary to guard against Shikitega and other threats that could exploit them.