linux exploits Archives - TuxCare

New Ransomware hits Chile’s Windows and Linux servers

A ransomware attack that began on Thursday, August 25, hit Windows and Linux systems operated by a Chilean government agency; the incident was confirmed by Chile's computer security and incident response team (CSIRT).

According to Chile's CSIRT, the attackers stopped all running virtual machines and encrypted their files, appending the “.crypt” filename extension. The authority explained that the malware has functions for various kinds of malicious activity, including stealing credentials from web browsers, enumerating removable devices to encrypt, and evading antivirus detection by means of execution timeouts.

The incident is a double extortion attack. The attackers provided the Chilean CSIRT with a communication channel through which a ransom payment could be negotiated; paying, they claimed, would prevent the stolen files from being leaked and unlock the encrypted data.

The attackers set a deadline of three days and threatened to sell the stolen data to other cybercriminals on the dark web. While the Chilean CSIRT did not name the group behind the attack, the extension attached to the encrypted files pointed to ‘RedAlert’ ransomware, which used the ‘.encrpt’ extension in attacks targeting both Windows servers and Linux VMware ESXi machines.

In his analysis of the malware, Chilean threat analyst Germán Fernández stated that the strain appears to be entirely new and that the researchers with whom he analyzed the malware could not link it to known families.

“One particular thing about the attack, is that the threat actors distributed the ransom note at a previous stage to the deployment of the ransomware as the final payload, possibly for evasion issues or to avoid having their contact details leaked when sharing the final sample,” Fernández said.

To protect against further attacks, Chile's cybersecurity organization recommends a number of security measures to all government agencies and large private organizations: a properly configured firewall and antivirus tool, up-to-date VMware and Microsoft assets, backups of key data, verified anti-spam filter configuration, network segmentation, and prompt patching and mitigation of new vulnerabilities.

The sources for this piece include an article in BleepingComputer.

Cyberattacks Targeting Linux Users Skyrockets

Cybersecurity researchers at Trend Micro have identified a 75% leap year-over-year in the number of ransomware attacks targeting Linux users.

Apart from ransomware groups, there is also a 145% increase in Linux-based cryptocurrency-mining malware attacks. In this case, the attackers secretly exploit the power of infected computers and servers to mine for cryptocurrency for themselves.

Hackers are generally motivated to target industries where they know there is a high possibility of making money. Therefore, encrypting Linux systems could be lucrative judging by how fast attacks targeting Linux servers are increasing.

One of the strategies attackers use to compromise Linux systems is exploiting unpatched vulnerabilities. Among the flaws the report identifies is the one known as Dirty Pipe.

Dirty Pipe, tracked as CVE-2022-0847, affects the Linux kernel from version 5.8 onward and can be used by attackers to escalate their privileges and run code.

To protect systems from cyberattacks, researchers recommend that all security patches be applied as soon as possible. This will prevent attackers from taking advantage of publicly available exploits.

It is also important that organizations apply multi-factor authentication across the ecosystem. MFA will provide an additional layer of defense and prevent ransomware hackers from conducting lateral movement across the network.

“New and emerging threat groups continue to evolve their business model, focusing their attacks with even greater precision. That’s why it’s essential that organizations get better at mapping, understanding, and protecting their expanding digital attack surface,” said Jon Clay, VP of threat intelligence for Trend Micro.

The sources for this piece include an article in ZDNet.

Linux Malware Reaches All-Time High In 2022

Although Linux is the most private and secure operating system, it has seen an increase in malware samples, according to AtlasVPN.

The results showed that Linux malware grew exponentially in the first half of 2022, reaching an all-time high after 1.7 million samples were discovered by researchers.

The number of Linux malware samples recorded between January and June 2022 rose by almost 650%, from 226,324 to nearly 1.7 million. The upward trend has continued since, albeit at a reduced pace.

The increase in malware samples targeting Linux is surprising and underscores a new trend in attackers' focus on Linux. Although a short decline has since been recorded, it remains unclear whether more malware samples will target Linux or whether the decline will continue.

Researchers found that April had the highest number of malware samples registered, with 400,931. The report notes that this surge follows a massive decline recorded between the fourth quarter of 2021 and the first quarter of 2022.

At one point, a 2% decline was recorded, but the decline did not last long.

According to AtlasVPN, the “cumulative number of new Linux malware samples in H1 2022 was 31% higher than the number of such samples in the whole of 2022.”

However, despite the massive increase in Linux malware samples, Windows remains the most malware-infected operating system. AtlasVPN acknowledged Windows' position, stating that “41.4 million newly programmed Windows malware samples were identified in H1 2022.”

Linux remains a secure operating system for developers and other users. It provides various security features, including an open source code base, a user privilege model, and built-in kernel security defenses.

The sources for this piece include an article in MUO.

241 Npm and PyPI Packages Drop Linux Cryptominers

Researchers have uncovered at least 241 malicious Npm and PyPI packages that drop cryptominers after infecting Linux machines.

These malicious packages are largely typosquats of widely used libraries, and each of them downloads a Bash script onto Linux systems that installs and runs a cryptominer.

Lübbers discovered “at least 33 projects” on PyPI that launched XMRig, an open source Monero cryptominer, after infecting a system. While reporting the 33 projects to PyPI, the researcher uncovered another 22 packages with the same malicious payload published by the same threat actor.

“After I reported them to PyPI, they were quickly deleted – but the malicious actor was still in the process of uploading more packages, and uploaded another 22. The packages targeted Linux systems and installed crypto mining software XMRig,” explained Lübbers.

According to the researcher, the Python packages contain code that downloads the Bash script from the threat actor's server via the Bit.ly URL shortener. The shortened link then redirects to the script hosted on 80.78.25[.]140:8000.

Once executed, the script reports the IP address of the compromised host back to the threat actor, along with whether the cryptominer deployment succeeded.

“I found these packages through a little side project of mine, which I call the Package Observatory Club. It queries and stores metadata about all new packages uploaded to PyPI and RubyGems.org and runs some heuristics. If it looks suspicious enough it alerts me and I take a look,” the researcher further clarified.

NPM, also known as Node Package Manager, is an online repository for publishing open-source Node.js projects. It is also a command-line utility for interacting with that repository, handling package installation, version management, and dependency management.

Admins are advised to take security measures to protect their servers from these attacks.

The sources for this piece include an article in BleepingComputer.

New Linux exploit “Dirty Cred” revealed

Zhenpeng Lin, a PhD student, and other researchers have uncovered a new Linux kernel exploitation technique called Dirty Cred. The underlying flaw, tracked as CVE-2022-2588, was unveiled at the Black Hat security conference last week.

Dirty Cred is a use-after-free bug in route4_change in the net/sched/cls_route.c filter implementation found in the Linux kernel. The bug allows a local privileged attacker to crash the system, resulting in a local privilege escalation problem.

In order to detect the exploit, Lin worked on an alternative approach to the previously discovered “Dirty Pipe” vulnerability, which targeted Linux kernel version 8 and later.

Lin’s team was able to uncover a way to exchange Linux kernel data on systems that are vulnerable to Dirty Pipe and the new Dirty Cred.

Unlike Dirty Pipe, the researchers’ generic approach can be applied to containers and Android, ultimately “enabling various bugs to be Dirty Pipe-like.”

The exploitation approach can be used to elevate a low-privileged user on two different systems, such as CentOS 8 and Ubuntu, with similar exploit code.

Since privileged credentials are not isolated from non-privileged credentials, an attacker may attempt to swap them. In the case of Dirty Cred, an in-use unprivileged credential object is freed so that a privileged credential object is allocated into the same memory slot. This enables the attacker to operate as a privileged user.

To protect systems from Dirty Cred attacks, the researchers recommend isolating privileged credentials from unprivileged credentials and using virtual memory to prevent cross-cache attacks. A patch is already available on GitHub; it consists of isolating task credentials using vmalloc.

The sources for this piece include an article in eSecurityPlanet.
