Ankura CTIX FLASH Update – June 14, 2022 – Security





Ransomware/Malware Activity

New Evasive Linux Rootkit Activated Using “Magic Packets”

A new Linux rootkit dubbed “Syslogk” has been discovered by Avast security researchers. It was first identified through its reuse of an old open-source rootkit known as “Adore-Ng,” which targets Linux 2.x and 3.x systems. Rootkit malware is much more complicated to write than ordinary malicious code, so it is typically attributed to highly experienced threat actor developers; less sophisticated threat actors are forced to reuse code found in open-source repositories such as GitHub to compensate for their lack of experience. Syslogk was created before newer Linux versions and thus cannot run on up-to-date systems. The malware has also been linked to the “Rekoobe” malware family, which is known for its ability to pose as a legitimate SMTP server. This allows the malware to hide as a common, legitimate service that cannot be detected through a simple port scan. Once a specifically crafted “magic” packet is received, the Rekoobe backdoor payload starts, allowing full access to the victim machine through a command-line interface. The malware author has also implemented a remote shut-off that kills the backdoor to hide it on the network. The kill switch has multiple protections, such as a hardcoded key, that prevent unauthorized parties from shutting down the connection. Syslogk is early in its development, and it is unclear whether it will become a widespread threat or remain a more targeted malware strain. Its highly evasive nature likely means it will be developed further, adding more features and potentially updating to target newer Linux distributions.

New Linux Malware Symbiote Targets Financial Sector in Latin America

“Symbiote,” an emerging malware first detected in November 2021, has been observed by BlackBerry and Intezer researchers targeting the Linux systems of financial organizations across Latin America. The main goal of the malware is to “capture credentials and to facilitate backdoor access to a victim’s machine,” and the researchers detailed that Symbiote “infects running processes rather than using a standalone executable file to inflict damage.” Symbiote leverages the Linux feature “LD_PRELOAD” (previously used by “Pro-Ocean” and “Facefish”) so that the system’s dynamic linker loads it into all running processes, hiding its presence on the file system. The malware also cloaks its network traffic using the system’s extended Berkeley Packet Filter (eBPF) feature by “injecting itself into an inspection software’s process and using BPF to filter out results that would uncover its activity.” Once this injection is complete, Symbiote enables its rootkit functionality to further hide its existence on the compromised system and creates a backdoor for persistence as well as privileged command execution by the operators. The malware was also observed storing harvested credentials in encrypted files disguised as C header files. These abilities provide a high level of stealth and earned the malware the tagline “nearly-impossible-to-detect”; the researchers emphasized that “performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware.” It is not currently known whether this malware is being used in highly targeted or large-scale attacks, but CTIX analysts will provide an update if further evidence emerges. A more in-depth analysis of Symbiote, as well as indicators of compromise (IOCs), can be found in BlackBerry’s report linked below.
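Because Symbiote relies on the dynamic linker’s preload mechanism, one of the few host-side checks a defender can run is an audit of where preload libraries are configured: the system-wide /etc/ld.so.preload file and the LD_PRELOAD variable in each process’s environment. The script below is an added example written for this update, not code from the BlackBerry or Intezer reports; the allow-list of trusted library directories, the sample ld.so.preload contents and the sample /proc/<pid>/environ blobs are all constructed for illustration. Consistent with the researchers’ warning about live forensics, the `root` parameter of `collect_live` lets the same checks be pointed at a disk image mounted from a clean rescue environment, where the malware cannot filter what the reader sees.

```python
import os
from typing import Dict, List

# Constructed allow-list: directories where a legitimately packaged preload
# library would normally live. Tune to the distribution being examined.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample inputs (not real indicators of compromise).
SAMPLE_LD_SO_PRELOAD = (
    "# constructed sample of /etc/ld.so.preload\n"
    "/usr/lib/libconstructed-ok.so\n"
    "/tmp/.x/libconstructed.so\n"
)
SAMPLE_ENVIRONS: Dict[int, bytes] = {
    4242: b"PATH=/usr/bin\x00LD_PRELOAD=/dev/shm/libconstructed.so\x00HOME=/root\x00",
    4243: b"PATH=/usr/bin\x00HOME=/home/user\x00",
}


def parse_ld_so_preload(text: str) -> List[str]:
    """Return library names listed in an ld.so.preload file.

    glibc reads the file as whitespace-separated names and ignores anything
    after a '#' on a line, so the parser mirrors that."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\x00"):
        if b"=" in item:
            key, _, value = item.decode("utf-8", "replace").partition("=")
            env[key] = value
    return env


def audit_preload(ld_so_preload_text: str, environs: Dict[int, bytes]) -> List[dict]:
    """Collect every configured preload library and note whether it sits in a trusted directory."""
    findings: List[dict] = []
    for lib in parse_ld_so_preload(ld_so_preload_text):
        findings.append({"source": "/etc/ld.so.preload", "library": lib,
                         "trusted_dir": lib.startswith(TRUSTED_LIB_DIRS)})
    for pid, blob in environs.items():
        env = parse_environ(blob)
        if "LD_PRELOAD" in env:
            # glibc accepts both ':' and whitespace as separators in LD_PRELOAD.
            for lib in env["LD_PRELOAD"].replace(":", " ").split():
                findings.append({"source": f"/proc/{pid}/environ", "library": lib,
                                 "trusted_dir": lib.startswith(TRUSTED_LIB_DIRS)})
    return findings


def suspicious(findings: List[dict]) -> List[dict]:
    """Keep only preload entries that live outside the trusted library directories."""
    return [f for f in findings if not f["trusted_dir"]]


def collect_live(root: str = "/") -> List[dict]:
    """Run the audit against a real filesystem tree (a live host or a mounted image)."""
    preload_path = os.path.join(root, "etc", "ld.so.preload")
    text = open(preload_path).read() if os.path.exists(preload_path) else ""
    environs: Dict[int, bytes] = {}
    proc_dir = os.path.join(root, "proc")
    if os.path.isdir(proc_dir):  # absent on a mounted image, present on a live host
        for name in os.listdir(proc_dir):
            if name.isdigit():
                try:
                    with open(os.path.join(proc_dir, name, "environ"), "rb") as fh:
                        environs[int(name)] = fh.read()
                except OSError:
                    pass  # process exited or is not readable by this user
    return audit_preload(text, environs)


if __name__ == "__main__":
    for finding in suspicious(audit_preload(SAMPLE_LD_SO_PRELOAD, SAMPLE_ENVIRONS)):
        print(f"{finding['source']}: preload outside trusted dirs -> {finding['library']}")
```

Run against the constructed samples, the audit reports the /tmp and /dev/shm entries and ignores the library under /usr/lib; a non-empty ld.so.preload on a host that has no documented reason for one deserves attention regardless of path.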

Threat Actor Activity

Gallium Threat Actors Deploy New PingPull RAT on Compromised Devices

Chinese nation-state threat actors have been deploying a new remote access trojan (RAT) on compromised target networks over the past year. These espionage-driven threat actors are part of Gallium, a Chinese threat organization responsible for targeting numerous high-profile entities across the telecommunications, financial, and government sectors. Over the past year, Gallium threat actors have been targeting telecommunications entities throughout Australia, Vietnam, Mozambique, Malaysia, Cambodia, Afghanistan, and more. Once a network is compromised, the threat actors deploy the “PingPull” malware, which comes in three variants: ICMP, TCP, and HTTPS. Each variant lets the threat actors communicate stealthily with compromised devices over its protocol, and the malware runs disguised as a legitimate service, which prevents users from terminating it. Commands issued between actor-controlled command-and-control (C2) nodes and the compromised device include listing files, reading, writing, and deleting files, enumerating storage volumes, and executing additional commands from the terminal.
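The ICMP variant is the one most likely to slip past controls that only watch TCP and HTTPS, because echo traffic is usually allowed and rarely inspected. A useful baseline for defenders is that ordinary ping tools fill the echo payload with a fixed, recognizable pattern, so echo messages whose payload matches neither pattern are worth a second look. The code below is an added example written for this update and is not taken from the PingPull analysis or the reports it cites; it makes no claim about PingPull’s actual packet format. It parses an ICMP echo message, verifies the RFC 1071 checksum, and labels the payload as the iputils (Linux) default pattern, the Windows ping default string, or anomalous. The sample packets are constructed inline with `build_icmp_echo`; a real deployment would feed it the ICMP bytes extracted from a capture.

```python
import struct
from typing import List

# Windows ping sends this fixed 32-byte string as its echo payload.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes, echo_type: int = 8) -> bytes:
    """Assemble an ICMP echo request (type 8) or reply (type 0) with a valid checksum.
    Used here only to construct sample packets for the parser."""
    header = struct.pack("!BBHHH", echo_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", echo_type, 0, csum, ident, seq) + payload


def iputils_default_payload(size: int) -> bytes:
    """Constructed payload shaped like Linux iputils ping: the payload is filled with
    bytes equal to their own offset, and the first bytes are then overwritten by a
    send timestamp (8 or 16 bytes depending on the build); zeros stand in for it here."""
    pattern = bytes(i & 0xFF for i in range(size))
    return b"\x00" * min(16, size) + pattern[16:]


def classify_echo_payload(payload: bytes) -> str:
    """Label an echo payload by comparing it with the well-known ping tool patterns."""
    if payload == WINDOWS_PING_PAYLOAD:
        return "windows-ping-default"
    if len(payload) <= 16:
        return "too-short-to-classify"  # entirely covered by the timestamp region
    expected_tail = bytes(i & 0xFF for i in range(16, len(payload)))
    if payload[16:] == expected_tail:
        return "iputils-default"
    return "anomalous"


def parse_icmp_echo(packet: bytes) -> dict:
    """Decode an ICMP echo message (header + payload) into a triage record."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8) or code != 0:
        raise ValueError("not an ICMP echo request/reply")
    payload = packet[8:]
    recomputed = internet_checksum(packet[:2] + b"\x00\x00" + packet[4:])
    return {
        "type": "echo-request" if icmp_type == 8 else "echo-reply",
        "id": ident,
        "seq": seq,
        "payload_len": len(payload),
        "checksum_ok": recomputed == csum,
        "payload_class": classify_echo_payload(payload),
    }


def triage(packets: List[bytes]) -> List[dict]:
    """Return records for echo messages that deserve analyst attention."""
    flagged = []
    for pkt in packets:
        rec = parse_icmp_echo(pkt)
        if rec["payload_class"] == "anomalous" or not rec["checksum_ok"]:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    samples = [  # constructed sample traffic, not captured data
        build_icmp_echo(0x1234, 1, iputils_default_payload(56)),
        build_icmp_echo(0x0001, 7, WINDOWS_PING_PAYLOAD),
        build_icmp_echo(0x0001, 2, b"constructed opaque payload \x01\x02\x03" * 2),
    ]
    for rec in triage(samples):
        print(rec)
```

Payload classification is only a first filter: a beacon that copies a stock ping pattern would pass it, so in practice the record is combined with volume, timing and the id/seq fields (ordinary pings use one id per process and increment seq), and with whether the host has any business emitting echo requests at all.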

Vulnerabilities

Microsoft Adds New Safeguards that Officially Mitigate the “SynLapse” Azure Vulnerability

UPDATE to 5/10/2022 FLASH UPDATE: Microsoft has added security patch improvements recommended by Orca Security researchers to a critical command injection vulnerability originally fixed in April 2022, dubbed “SynLapse.” This flaw impacts the Azure cloud platform’s Data Factory and Synapse Pipelines and, if exploited, could allow an attacker running jobs in these environments to perform remote code execution (RCE) across the shared Integration Runtime (IR). Successful exploitation allows malicious attackers to pilfer sensitive data such as service certificates/keys, passwords, and API tokens, enabling a complete takeover of other tenants’ Synapse cloud environments. The flaw, tracked as CVE-2022-29972, specifically exists in the third-party Open Database Connectivity (ODBC) driver used to establish connections from Azure Data Factory and Azure Synapse Pipelines. Although the flaw was patched in April, cybersecurity researchers were quickly and repeatedly able to bypass the security fixes, forcing Microsoft to urge customers to implement a manual mitigation alongside the patch by configuring a Managed Virtual Network that isolates their workspaces from the internet. Microsoft has now incorporated two (2) permanent safeguards that mitigate the threat actor workarounds. The first safeguard places the shared IRs within ephemeral sandboxed VMs so that, even if an attacker successfully executes code, the runtime is never shared between two (2) tenants and the attacker is prevented from accessing the sensitive data. The second safeguard limits access to the internal management server API by using scoped tokens, which prevents threat actors from using the certificate to elevate their privileges and, in turn, prevents access to other tenants’ information. CTIX analysts urge all Data Factory and Synapse users to update to the latest stable version immediately.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
