The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: linux

FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities

FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities

January 19, 2021Ravie Lakshmanan
An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage (NAS) devices running on Linux systems to co-opt the machines into an  IRC botnet  for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency. The attacks deploy a new  malware variant called " FreakOut " by leveraging critical flaws fixed in Laminas Project (formerly Zend Framework) and Liferay Portal as well as an unpatched security weakness in TerraMaster, according to Check Point Research's new analysis published today and shared with The Hacker News. Attributing the malware to be the work of a long-time cybercrime hacker — who goes by the aliases Fl0urite and Freak on HackForums and Pastebin at least since 2015 — the researchers said the flaws —  CVE-2020-28188 ,  CVE-2021-3007 , and  CVE-2020-7961  — were weaponized to inject and execute malicious commands in the server. Regardless of the vulnerabilities exploit
Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users

Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users

January 05, 2021Ravie Lakshmanan
Cybersecurity researchers today revealed a wide-ranging scam targeting cryptocurrency users that began as early as January last year to distribute trojanized applications to install a previously undetected remote access tool on target systems. Called ElectroRAT by Intezer, the RAT is written from ground-up in Golang and designed to target multiple operating systems such as Windows, Linux, and macOS.  The apps are developed using the open-source Electron cross-platform desktop app framework. "ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware and evade most antivirus engines," the researchers said . "It is common to see various information stealers trying to collect private keys to access victims wallets. However, it is rare to see tools written from scratch and targeting multiple operating systems for these purposes." The campaign, first detected in December, is believed to have claimed over 6,500 victims based on th
Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices

Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices

December 15, 2020Ravie Lakshmanan
A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers. Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called " Gitpaste-12 ," which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL. The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020. Now according to Juniper, the  second wave of attacks  began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner ("ls"), a file with a list of passwords for brute-force attempts ("pass"), and a local privilege escalation exploit for x86_64 Linux systems. Th
Stantinko Botnet Now Targeting Linux Servers to Hide Behind Proxies

Stantinko Botnet Now Targeting Linux Servers to Hide Behind Proxies

November 24, 2020Ravie Lakshmanan
An adware and coin-miner botnet targeting Russia, Ukraine, Belarus, and Kazakhstan at least since 2012 has now set its sights on Linux servers to fly under the radar. According to a new analysis published by Intezer today and shared with The Hacker News, the trojan masquerades as  HTTPd , a commonly used program on Linux servers, and is a new version of the malware belonging to a threat actor tracked as  Stantinko . Back in 2017, ESET researchers detailed a  massive adware botnet  that works by tricking users looking for pirated software into downloading malicious executables disguised as torrents to install rogue browser extensions that perform ad injection and click fraud. The covert campaign, which controls a vast army of half a million bots, has since received a substantial upgrade in the form of a  crypto-mining module  with an aim to profit from computers under their control. Although Stantinko has been traditionally a Windows malware, the expansion in their toolset to tar
SAD DNS — New Flaws Re-Enable DNS Cache Poisoning Attacks

SAD DNS — New Flaws Re-Enable DNS Cache Poisoning Attacks

November 12, 2020Ravie Lakshmanan
A group of academics from the University of California and Tsinghua University has uncovered a series of critical security flaws that could lead to a revival of DNS cache poisoning attacks. Dubbed " SAD DNS attack " (short for Side-channel AttackeD DNS), the technique makes it possible for a malicious actor to carry out an off-path attack, rerouting any traffic originally destined to a specific domain to a server under their control, thereby allowing them to eavesdrop and tamper with the communications. "This represents an important milestone — the first weaponizable network side channel attack that has serious security impacts," the researchers said. "The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache." Tracked as CVE-2020-25705, the findings were presented at the ACM Conference on Computer, and Communications Security (CCS '20) held this week. The flaw affects operating systems Linux 3.18-5.10, Windows Serv
Two New Chrome 0-Days Under Active Attacks – Update Your Browser

Two New Chrome 0-Days Under Active Attacks – Update Your Browser

November 11, 2020Ravie Lakshmanan
Google has patched two more zero-day flaws in the Chrome web browser for desktop, making it the fourth and fifth actively exploited vulnerabilities addressed by the search giant in recent weeks. The company released  86.0.4240.198  for Windows, Mac, and Linux, which it said will be rolling out over the coming days/weeks to all users. Tracked as CVE-2020-16013 and CVE-2020-16017, the flaws were discovered and reported to Google by "anonymous" sources, unlike previous cases, which were uncovered by the company's Project Zero elite security team. Google acknowledged that exploits for both the vulnerabilities exist in the wild but stopped short of sharing more specifics to allow a majority of users to install the fixes. According to the release notes, the two flaws are: CVE-2020-16013:  An "inappropriate implementation" of its V8 JavaScript rendering engine was reported on November 9. CVE-2020-16017:  An  use-after-free  memory corruption issue in Chrome
TrickBot Linux Variants Active in the Wild Despite Recent Takedown

TrickBot Linux Variants Active in the Wild Despite Recent Takedown

October 28, 2020Ravie Lakshmanan
Efforts to disrupt TrickBot may have  shut down  most of its critical infrastructure, but the operators behind the notorious malware aren't sitting idle. According to new findings shared by cybersecurity firm  Netscout , TrickBot's authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted. TrickBot, a financial Trojan first detected in 2016, has been traditionally a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and perpetrate ransomware attacks. But over the past few weeks, twin efforts led by the US Cyber Command and Microsoft have helped to  eliminate 94%  of TrickBot's command-and-control (C2) servers that were in use and the new infrastructure the criminals operating TrickBot attempted to bring online to replace the previously disabled servers. Despite the steps taken to impede TrickBot, Microsof
FinSpy Spyware for Mac and Linux OS Targets Egyptian Organisations

FinSpy Spyware for Mac and Linux OS Targets Egyptian Organisations

September 25, 2020Mohit Kumar
Amnesty International today exposed details of a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of FinSpy spyware designed to target Linux and macOS systems. Developed by a German company , FinSpy is extremely powerful spying software that is being sold as a legal law enforcement tool to governments around the world but has also been found in use by oppressive and dubious regimes to spy on activists. FinSpy, also known as FinFisher, can target both desktop and mobile operating systems, including Android, iOS, Windows, macOS, and Linux, to gain spying capabilities, including secretly turning on their webcams and microphones, recording everything the victim types on the keyboard, intercepting calls, and exfiltration of data. According to the human rights organization Amnesty International , the newly discovered campaign is not linked to 'NilePhish,' a hacking group known for attacking Egyptian NGOs in a ser
New Linux Malware Steals Call Details from VoIP Softswitch Systems

New Linux Malware Steals Call Details from VoIP Softswitch Systems

September 11, 2020Ravie Lakshmanan
Cybersecurity researchers have discovered an entirely new kind of Linux malware dubbed "CDRThief" that targets voice over IP (VoIP) softswitches in an attempt to steal phone call metadata. "The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records ( CDR )," ESET researchers said in a Thursday analysis . "To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform." Softswitches (short for software switches) are generally VoIP servers that allow for telecommunication networks to provide management of voice, fax, data and video traffic, and call routing. ESET's research uncovered that CDRThief targeted a specific Linux VoIP platform, namely the VOS2009 and 3000 softswitches from Chinese company Linknat, and had its malicious functionalit
New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers

New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers

February 25, 2020Mohit Kumar
OpenSMTPD has been found vulnerable to yet another critical vulnerability that could allow remote attackers to take complete control over email servers running BSD or Linux operating systems. OpenSMTPD , also known as OpenBSD SMTP Server, is an open-source implementation of the Simple Mail Transfer Protocol (SMTP) to deliver messages on a local machine or to relay them to other SMTP servers. It was initially developed as part of the OpenBSD project but now comes pre-installed on many UNIX-based systems. Discovered by experts at Qualys Research Labs, who also reported a similar RCE flaw in the email server application last month, the latest out-of-bounds read issue, tracked as  CVE-2020-8794 , resides in a component of the OpenSMTPD's client-side code that was introduced nearly 5 years ago. Just like the previous issue, which attackers started exploiting in the wild just a day after its public disclosure, the new OpenSMTPD flaw could also let remote hackers execute arbit
Critical OpenSMTPD Bug Opens Linux and OpenBSD Mail Servers to Hackers

Critical OpenSMTPD Bug Opens Linux and OpenBSD Mail Servers to Hackers

January 30, 2020Wang Wei
Cybersecurity researchers have discovered a new critical vulnerability ( CVE-2020-7247 ) in the OpenSMTPD email server that could allow remote attackers to take complete control over BSD and many Linux based servers. OpenSMTPD is an open-source implementation of the server-side SMTP protocol that was initially developed as part of the OpenBSD project but now comes pre-installed on many UNIX-based systems. According to Qualys Research Labs, who discovered this vulnerability, the issue resides in the OpenSMTPD's sender address validation function, called smtp_mailaddr(), which can be exploited to execute arbitrary shell commands with elevated root privileges on a vulnerable server just by sending specially crafted SMTP messages to it. The flaw affects OpenBSD version 6.6 and works against the default configuration for both, the locally enabled interface as well as remotely if the daemon has been enabled to listen on all interfaces and accepts external mail. "Exploit
New Linux Bug Lets Attackers Hijack Encrypted VPN Connections

New Linux Bug Lets Attackers Hijack Encrypted VPN Connections

December 06, 2019Swati Khandelwal
A team of cybersecurity researchers has disclosed a new severe vulnerability affecting most Linux and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android, that could allow remote 'network adjacent attackers' to spy on and tamper with encrypted VPN connections. The vulnerability, tracked as CVE-2019-14899, resides in the networking stack of various operating systems and can be exploited against both IPv4 and IPv6 TCP streams. Since the vulnerability does not rely on the VPN technology used, the attack works against widely implemented virtual private network protocols like OpenVPN, WireGuard, IKEv2/IPSec, and more, the researchers confirmed. This vulnerability can be exploited by a network attacker — controlling an access point or connected to the victim's network — just by sending unsolicited network packets to a targeted device and observing replies, even if they are encrypted. As explained by the researchers, though there are variati
UNIX Co-Founder Ken Thompson's BSD Password Has Finally Been Cracked

UNIX Co-Founder Ken Thompson's BSD Password Has Finally Been Cracked

October 11, 2019Mohit Kumar
A 39-year-old password of Ken Thompson , the co-creator of the UNIX operating system among, has finally been cracked that belongs to a BSD-based system, one of the original versions of UNIX, which was back then used by various computer science pioneers. In 2014, developer Leah Neukirchen spotted an interesting " /etc/passwd " file in a publicly available source tree of historian BSD version 3, which includes hashed passwords belonging to more than two dozens Unix luminaries who worked on UNIX development, including Dennis Ritchie, Stephen R. Bourne, Ken Thompson, Eric Schmidt, Stuart Feldman, and Brian W. Kernighan. Since all passwords in that list are protected using now-depreciated DES-based crypt(3) algorithm and limited to at most 8 characters, Neukirchen decided to brute-force them for fun and successfully cracked passwords (listed below) for almost everyone using password cracking tools like John the Ripper and hashcat. The ones that she wasn't able to crack
KDE Linux Desktops Could Get Hacked Without Even Opening Malicious Files

KDE Linux Desktops Could Get Hacked Without Even Opening Malicious Files

August 07, 2019Wang Wei
If you are running a KDE desktop environment on your Linux operating system, you need to be extra careful and avoid downloading any ".desktop" or ".directory" file for a while. A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE software framework that could allow maliciously crafted .desktop and .directory files to silently run arbitrary code on a user's computer—without even requiring the victim to actually open it. KDE Plasma is one of the most popular open-source widget-based desktop environment for Linux users and comes as a default desktop environment on many Linux distributions, such as Manjaro, openSUSE, Kubuntu, and PCLinuxOS. Security researcher Dominik Penner who discovered the vulnerability contacted The Hacker News, informing that there's a command injection vulnerability in KDE 4/5 Plasma desktop due to the way KDE handles .desktop and .directory files. "When a .desktop or .directory file is
A New 'Arbitrary File Copy' Flaw Affects ProFTPD Powered FTP Servers

A New 'Arbitrary File Copy' Flaw Affects ProFTPD Powered FTP Servers

July 23, 2019Swati Khandelwal
A German security researcher has publicly disclosed details of a serious vulnerability in one of the most popular FTP server applications, which is currently being used by more than one million servers worldwide. The vulnerable software in question is ProFTPD , an open source FTP server used by a large number of popular businesses and websites including SourceForge, Samba and Slackware, and comes pre-installed with many Linux and Unix distributions, like Debian. Discovered by Tobias Mädel , the vulnerability resides in the mod_copy module of the ProFTPD application, a component that allows users to copy files/directories from one place to another on a server without having to transfer the data to the client and back. According to Mädel, an incorrect access control issue in the mod_copy module could be exploited by an authenticated user to unauthorizedly copy any file on a specific location of the vulnerable FTP server where the user is otherwise not allowed to write a file.
Microsoft Windows 10 will get a full built-in Linux Kernel for WSL 2

Microsoft Windows 10 will get a full built-in Linux Kernel for WSL 2

May 07, 2019Swati Khandelwal
Yes, you heard me right. Microsoft is taking another step forward to show its love for Linux and open source community by shipping a full Linux kernel in Windows 10 this summer. No, that doesn't mean Microsoft is making its Windows 10 a Linux distro, but the company will begin to ship an in-house custom built Linux kernel later this year starting with the Windows 10 Insider builds. Microsoft announced the move in a blog post while unveiling Windows Subsystem for Linux version 2.0 (or WSL 2 ) that will feature "dramatic file system performance increases" and support more Linux apps like Docker. So, to support this entirely new architecture for the WSL 2, Windows 10 will have its own Linux kernel. Although this is not the first time Microsoft has shipped a Linux kernel as the company has already shipped its own custom Linux kernel on Azure Sphere  last year, this is the first time a Linux kernel is shipped with Windows. Unlike Windows Subsystem for Linux version
Kali Linux 2019.1 Released — Operating System For Hackers

Kali Linux 2019.1 Released — Operating System For Hackers

February 18, 2019Swati Khandelwal
Wohooo! Great news for hackers and penetration testers. Offensive Security has just released Kali Linux 2019.1, the first 2019 version of its Swiss army knife for cybersecurity professionals. The latest version of Kali Linux operating system includes kernel up to version 4.19.13 and patches for numerous bugs, along with many updated software, like Metasploit, theHarvester, DBeaver, and more. Kali Linux 2019.1 comes with the latest version of Metasploit (version 5.0) penetration testing tool, which "includes database and automation APIs, new evasion capabilities, and usability improvements throughout," making it more efficient platform for penetration testers. Metasploit version 5.0 is the software's first major release since version 4.0 which came out in 2011. Talking about ARM images, Kali Linux 2019.1 has now once again added support for Banana Pi and Banana Pro that are on kernel version 4.19. "Veyron has been moved to a 4.19 kernel, and the Raspbe
Snapd Flaw Lets Attackers Gain Root Access On Linux Systems

Snapd Flaw Lets Attackers Gain Root Access On Linux Systems

February 13, 2019Mohit Kumar
Ubuntu and some other Linux distributions suffer from a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system. Dubbed " Dirty_Sock " and identified as CVE-2019-7304 , the vulnerability was discovered by security researcher Chris Moberly, who privately disclosed it to Canonical, the maker of Ubuntu, late last month. The vulnerability resides in the REST API for snapd service , a universal Linux packaging system that makes an application compatible for various Linux distributions without requiring any modification. Built by Canonical, snapd comes by default installed on all versions of Ubuntu and also used by other Linux distributions, including Debian, OpenSUSE, Arch Linux, Solus, and Fedora. Snap packages are basically applications compressed together with their dependencies that also includes instructions on how to run and interact with other software o
RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts

RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts

February 12, 2019Mohit Kumar
A serious security vulnerability has been discovered in the core runC container code that affects several open-source container management systems, potentially allowing attackers to escape Linux container and obtain unauthorized, root-level access to the host operating system. The vulnerability, identified as  CVE-2019-5736 , was discovered by open source security researchers Adam Iwaniuk and Borys Popławski and publicly disclosed by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH on Monday. The flaw resides in runC—a lightweight low-level command-line tool for spawning and running containers, an operating-system-level virtualization method for running multiple isolated systems on a host using a single kernel. Originally created by Docker, runC is the default container run-time for Docker, Kubernetes, ContainerD, CRI-O, and other container-dependent programs, and is widely being used by major cloud hosting and server providers. runC Containe
Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems

Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems

January 22, 2019Swati Khandelwal
Just in time… Some cybersecurity experts this week arguing over Twitter in favor of not using HTTPS and suggesting software developers to only rely on signature-based package verification, just because APT on Linux also does the same. Ironically, a security researcher just today revealed details of a new critical remote code execution flaw in the apt-get utility that can be exploited by a remote, man-in-the middle attacker to compromise Linux machines. The flaw, apparently, once again demonstrates that if the software download ecosystem uses HTTPS to communicate safely, such attacks can easily be mitigated at the first place. Discovered by Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu, and other Linux distributions. According to a blog post published by Justicz and details shared with The Hacker News, the APT utility doesn't properly
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.