#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Linux security | Breaking Cybersecurity News | The Hacker News

Ubuntu 'command-not-found' Tool Could Trick Users into Installing Rogue Packages

Ubuntu 'command-not-found' Tool Could Trick Users into Installing Rogue Packages

Feb 14, 2024 Software Security / Vulnerability
Cybersecurity researchers have found that it's possible for threat actors to exploit a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running Ubuntu operating system. "While 'command-not-found' serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages," cloud security firm Aqua said in a report shared with The Hacker News. Installed by default on Ubuntu systems, command-not-found  suggests  packages to install in interactive bash sessions when attempting to run commands that are not available. The suggestions include both the Advanced Packaging Tool ( APT ) and  snap packages . While the tool uses an internal database ("/var/lib/command-not-found/commands.db") to suggest APT packages, it relies on the " advise-snap " comman
Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

Feb 01, 2024 Cryptojacking / Linux Security
Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called  Commando Cat . "The campaign deploys a benign container generated using the  Commando project ," Cado security researchers Nate Bill and Matt Muir  said  in a new report published today. "The attacker  escapes this container  and runs multiple payloads on the Docker host." The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on  another activity cluster  that targets vulnerable Docker hosts to deploy XMRig cryptocurrency miner as well as the 9Hits Viewer software. Commando Cat employs Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that is responsible for registering persistence, backdooring the host, exfiltrating cloud service provider
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
Benchmarking Linux Security – Latest Research Findings

Benchmarking Linux Security – Latest Research Findings

Apr 18, 2022
How well do your Linux security practices stack up in today's challenging operating environment? Are you following the correct processes to keep systems up-to-date and protected against the latest threats? Now you can find out thanks to research independently conducted by the Ponemon Institute. The research sponsored by  TuxCare  sought to understand better how organizations are currently managing the security and stability of their Linux-based systems. The results allow all organizations operating Linux-based systems to benchmark their processes against their peers and best practices. You can get a copy of the complete report  HERE  if you can't wait to see the findings, but we've highlighted the key takeaways below if you'd like a preview. Research Goals  Understanding the current State of Enterprise Linux Security Management has never been more imperative. The number of high and critical vulnerabilities continues to grow each year significantly, and exploits aga
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Capital One Fined $80 Million for 2019 Data Breach Affecting 106 Million Users

Capital One Fined $80 Million for 2019 Data Breach Affecting 106 Million Users

Aug 07, 2020
A United States regulator has fined the credit card provider Capital One Financial Corp with $80 million over last year's data breach that exposed the personal information of more than 100 million credit card applicants of Americans. The fine was imposed by the Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury that governs the execution of laws relating to national banks. According to a press release published by the OCC on Thursday, Capital One failed to establish appropriate risk management before migrating its IT operations to a public cloud-based service, which included appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts. The OCC also said that the credit card provider also left numerous weaknesses in its cloud-based data storage in an internal audit in 2015 as well as failed to patch security
Critical OpenSMTPD Bug Opens Linux and OpenBSD Mail Servers to Hackers

Critical OpenSMTPD Bug Opens Linux and OpenBSD Mail Servers to Hackers

Jan 30, 2020
Cybersecurity researchers have discovered a new critical vulnerability ( CVE-2020-7247 ) in the OpenSMTPD email server that could allow remote attackers to take complete control over BSD and many Linux based servers. OpenSMTPD is an open-source implementation of the server-side SMTP protocol that was initially developed as part of the OpenBSD project but now comes pre-installed on many UNIX-based systems. According to Qualys Research Labs, who discovered this vulnerability, the issue resides in the OpenSMTPD's sender address validation function, called smtp_mailaddr(), which can be exploited to execute arbitrary shell commands with elevated root privileges on a vulnerable server just by sending specially crafted SMTP messages to it. The flaw affects OpenBSD version 6.6 and works against the default configuration for both, the locally enabled interface as well as remotely if the daemon has been enabled to listen on all interfaces and accepts external mail. "Exploit
Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted

Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted

Oct 14, 2019
Attention Linux Users! A new vulnerability has been discovered in Sudo —one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system. The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the "sudoers configuration" explicitly disallows the root access. Sudo, stands for "superuser do," is a system command that allows a user to run applications or commands with the privileges of a different user without switching environments—most often, for running commands as the root user. By default on most Linux distributions, the ALL keyword in RunAs specification in /etc/sudoers file, as shown in the screenshot, allows all users in the admin or sudo groups to run any command as any valid user on the system. However, since privilege separ
Hackers Planted Backdoor in Webmin, Popular Utility for Linux/Unix Servers

Hackers Planted Backdoor in Webmin, Popular Utility for Linux/Unix Servers

Aug 20, 2019
Following the public disclosure of a critical zero-day vulnerability in Webmin last week, the project's maintainers today revealed that the flaw was not actually the result of a coding mistake made by the programmers. Instead, it was secretly planted by an unknown hacker who successfully managed to inject a backdoor at some point in its build infrastructure—that surprisingly persisted into various releases of Webmin (1.882 through 1.921) and eventually remained hidden for over a year. With over 3 million downloads per year, Webmin is one of the world's most popular open-source web-based applications for managing Unix-based systems, such as Linux, FreeBSD, or OpenBSD servers. Webmin offers a simple user interface (UI) to manage users and groups, databases, BIND, Apache, Postfix, Sendmail, QMail, backups, firewalls, monitoring and alerts, and much more. The story started when Turkish researcher Özkan Mustafa Akkuş publicly presented a zero-day remote code execution vul
Patches for 2 Severe LibreOffice Flaws Bypassed — Update to Patch Again

Patches for 2 Severe LibreOffice Flaws Bypassed — Update to Patch Again

Aug 16, 2019
If you are using LibreOffice, you need to update it once again. LibreOffice has released the latest version 6.2.6/6.3.0 of its open-source office software to address three new vulnerabilities that could allow attackers to bypass patches for two previously addressed vulnerabilities. LibreOffice is one of the most popular and open source alternatives to Microsoft Office suite and is available for Windows, Linux and macOS systems. One of the two vulnerabilities, tracked as CVE-2019-9848 , that LibreOffice attempted to patch just last month was a code execution flaw that affected LibreLogo, a programmable turtle vector graphics script that ships by default with LibreOffice. This flaw allows an attacker to craft a malicious document that can silently execute arbitrary python commands without displaying any warning to a targeted user. Apparently, the patch for this vulnerability was insufficient, as The Hacker News also reported late last month , which allowed two separate secu
KDE Linux Desktops Could Get Hacked Without Even Opening Malicious Files

KDE Linux Desktops Could Get Hacked Without Even Opening Malicious Files

Aug 07, 2019
If you are running a KDE desktop environment on your Linux operating system, you need to be extra careful and avoid downloading any ".desktop" or ".directory" file for a while. A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE software framework that could allow maliciously crafted .desktop and .directory files to silently run arbitrary code on a user's computer—without even requiring the victim to actually open it. KDE Plasma is one of the most popular open-source widget-based desktop environment for Linux users and comes as a default desktop environment on many Linux distributions, such as Manjaro, openSUSE, Kubuntu, and PCLinuxOS. Security researcher Dominik Penner who discovered the vulnerability contacted The Hacker News, informing that there's a command injection vulnerability in KDE 4/5 Plasma desktop due to the way KDE handles .desktop and .directory files. "When a .desktop or .directory file is
Your Linux Can Get Hacked Just by Opening a File in Vim or Neovim Editor

Your Linux Can Get Hacked Just by Opening a File in Vim or Neovim Editor

Jun 10, 2019
Linux users, beware! If you haven't recently updated your Linux operating system, especially the command-line text editor utility, do not even try to view the content of a file using Vim or Neovim. Security researcher Armin Razmjou recently discovered a high-severity arbitrary OS command execution vulnerability (CVE-2019-12735) in Vim and Neovim —two most popular and powerful command-line text editing applications that come pre-installed with most Linux-based operating systems. On Linux systems, Vim editor allows users to create, view or edit any file, including text, programming scripts, and documents. Since Neovim is just an extended forked version of Vim, with better user experience, plugins and GUIs, the code execution vulnerability also resides in it. Code Execution Flaw in Vim and Neovim Razmjou discovered a flaw in the way Vim editor handles "modelines," a feature that's enabled-by-default to automatically find and apply a set of custom pref
Libssh Releases Update to Patch 9 New Security Vulnerabilities

Libssh Releases Update to Patch 9 New Security Vulnerabilities

Mar 19, 2019
Libssh2, a popular open source client-side C library implementing the SSHv2 protocol, has released the latest version of its software to patch a total of nine security vulnerabilities. The Libssh2 library is available for all major distributors of the Linux operating systems, including Ubuntu, Red Hat, Debian, and also comes bundled within some distributions and software as a default library. According to an  advisory published Monday, all the below listed vulnerabilities that were patched with the release of libssh2 version 1.8.1 lead to memory corruption issues which could result in arbitrary code execution on a client system in certain circumstances. Here's the list of security vulnerabilities patched in Libssh: 1. CVE-2019-3855: Possible integer overflow in transport read that could lead to an out-of-bounds write. A malicious server, or a remote attacker who compromises an SSH server, could send a specially crafted packet which could result in executing malicious
New Systemd Privilege Escalation Flaws Affect Most Linux Distributions

New Systemd Privilege Escalation Flaws Affect Most Linux Distributions

Jan 10, 2019
Security researchers have discovered three vulnerabilities in Systemd, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems. The vulnerabilities, assigned as CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, actually resides in the "systemd-journald" service that collects information from different sources and creates event logs by logging information in the journal. The vulnerabilities, which were discovered and reported by security researchers at Qualys, affect all systemd-based Linux distributions, including Redhat and Debian , according to the researchers. However, some Linux distros such as SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not affected, as "their userspace [code] is compiled with GCC's -fstack-clash-protection ." The first two flaws are memory corruptions issues, while the
LibSSH Flaw Allows Hackers to Take Over Servers Without Password

LibSSH Flaw Allows Hackers to Take Over Servers Without Password

Oct 17, 2018
A four-year-old severe vulnerability has been discovered in the Secure Shell (SSH) implementation library known as Libssh that could allow anyone to completely bypass authentication and gain unfettered administrative control over a vulnerable server without requiring a password. The security vulnerability, tracked as CVE-2018-10933 , is an authentication-bypass issue that was introduced in Libssh version 0.6 released earlier 2014, leaving thousands of enterprise servers open to hackers for the last four years. But before you get frightened, you should know that neither the widely used OpenSSH nor Github's implementation of libssh was affected by the vulnerability. The vulnerability resides due to a coding error in Libssh and is "ridiculously simple" to exploit. According to a security advisory published Tuesday, all an attacker needs to do is sending an "SSH2_MSG_USERAUTH_SUCCESS" message to a server with an SSH connection enabled when it expects an &
Malicious Software Packages Found On Arch Linux User Repository

Malicious Software Packages Found On Arch Linux User Repository

Jul 11, 2018
Yet another incident which showcases that you should not explicitly trust user-controlled software repositories. One of the most popular Linux distros Arch Linux has pulled as many as three user-maintained software repository AUR packages after it was found hosting malicious code. Arch Linux is an independently developed, general-purpose GNU/Linux distribution composed predominantly of free and open-source software, and supports community involvement. Besides official repositories like Arch Build System (ABS), Arch Linux users can also download software packages from several other repositories, including AUR (Arch User Repository), a community-driven repository created and managed by Arch Linux users. Since AUR packages are user-produced content, Arch maintainers always suggest Linux users to carefully check all files, especially PKGBUILD and any .install file for malicious commands. However, this AUR repository has recently been found hosting malware code in several inst
SUSE Linux Has Been Sold For $2.5 Billion

SUSE Linux Has Been Sold For $2.5 Billion

Jul 03, 2018
SUSE, the open source software company owned by British firm Micro Focus International, has been sold to a Swedish private equity firm. Yes, SUSE Linux and its associated software business has finally been acquired by EQT Partners for $2.535 billion, lifting its shares 6 percent. SUSE is one of the oldest open source companies and perhaps the first to provide enterprise-grade Linux software service to banks, universities and government agencies around the world. Since its foundation in 1992, SUSE has changed ownership multiple times. US-based software company Novell acquired SUSE for $120 million in November 2003 to compete with Microsoft in the operating system market. However, things did not work as the company thought and Novell in turn itself was acquired by another US-based company The Attachmate Group for $2.2 billion in 2011. Three years later, Micro Focus International acquired Attachmate for $2.35 billion in 2014. Since then SUSE Linux has been part of Micro Focus
7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

May 25, 2017
A 7-year-old critical remote code execution vulnerability has been discovered in Samba networking software that could allow a remote attacker to take control of an affected Linux and Unix machines. Samba is open-source software (re-implementation of SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS. Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network shared folders, files, and printers with Windows operating system. The newly discovered remote code execution vulnerability ( CVE-2017-7494 ) affects all versions newer than Samba 3.5.0 that was released on March 1, 2010. "All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," Samba wrote in an advisory published Wed
Hacker Who Used Linux Botnet to Send Millions of Spam Emails Pleads Guilty

Hacker Who Used Linux Botnet to Send Millions of Spam Emails Pleads Guilty

Mar 29, 2017
A Russian man accused of infecting tens of thousands of computer servers worldwide to generate millions in illicit profit has finally entered a guilty plea in the United States and is going to face sentencing in August. Maxim Senakh, 41, of Velikii Novgorod, Russia, pleaded guilty in a US federal court on Tuesday for his role in the development and maintenance of the infamous Linux botnet known as Ebury that siphoned millions of dollars from victims worldwide. Senakh, who was detained by Finland in August 2015 and extradition to the US in January 2016, admitted to installing Ebury malware on computer servers worldwide, including thousands in the United States. First spotted in 2011, Ebury is an SSH backdoor Trojan for Linux and Unix-style operating systems, like FreeBSD or Solaris, which infected more than 500,000 computers and 25,000 dedicated servers in a worldwide malware campaign called ' Operation Windigo .' Ebury backdoor gives attackers full shell control of
New Trojan Turns Thousands Of Linux Devices Into Proxy Servers

New Trojan Turns Thousands Of Linux Devices Into Proxy Servers

Jan 25, 2017
" Linux doesn't get viruses " — It's a Myth. A new Trojan has been discovered in the wild that turns Linux-based devices into proxy servers, which attackers use to protect their identity while launching cyber attacks from the hijacked systems. Dubbed Linux.Proxy.10 , the Trojan was first spotted at the end of last year by the researchers from Russian security firm Doctor Web, who later identified thousand of compromised machines by the end of January this year and the campaign is still ongoing and hunting for more Linux machines. According to researchers, the malware itself doesn't include any exploitation module to hack into Linux machines; instead, the attackers are using other Trojans and techniques to compromise devices at the first place and then create a new backdoor login account using the username as " mother " and password as " fucker ." Once backdoored and the attacker gets the list of all successfully compromised Linux ma
Ubuntu’s Crash Report Tool Allows Remote Code Execution

Ubuntu's Crash Report Tool Allows Remote Code Execution

Dec 16, 2016
No software is immune to being Hacked! Not even Linux. A security researcher has discovered a critical vulnerability in Ubuntu Linux operating system that would allow an attacker to remotely compromise a target computer using a malicious file. The vulnerability affects all default Ubuntu Linux installations versions 12.10 (Quantal) and later. Researcher Donncha O'Cearbhaill discovered the security bug which actually resides in the Apport crash reporting tool on Ubuntu. A successful exploit of this CrashDB code injection issue could allow an attacker to remotely execute arbitrary code on victim's machine. All an attacker needs is to trick the Ubuntu user into opening a maliciously booby-trapped crash file. This would inject malicious code in Ubuntu OS's crash file handler, which when parsed, executes arbitrary Python code. "The code first checks if the CrashDB field starts with { indicating the start of a Python dictionary," O'Cearbhaill explain
Cybersecurity Resources