The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: linux

Experts Uncover Several C&C Servers Linked to WellMess Malware

Experts Uncover Several C&C Servers Linked to WellMess Malware

July 30, 2021Ravie Lakshmanan
Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign. More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ  said  in a report shared with The Hacker News. APT29, the moniker assigned to government operatives working for Russia's Foreign Intelligence Service (SVR), is believed to have been the  mastermind behind the massive SolarWinds supply chain attack  that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April. The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and
Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems

Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems

July 26, 2021Ravie Lakshmanan
An infamous cross-platform crypto-mining malware has continued to refine and improve upon its techniques to strike both Windows and Linux operating systems by setting its sights on older vulnerabilities, while simultaneously latching on to a variety of spreading mechanisms to maximize the effectiveness of its campaigns. "LemonDuck, an actively updated and robust malware that's primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations," Microsoft  said  in a technical write-up published last week. "Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity." The malware is notorious for its ability to propagate rapidly across an infected network to facilitate information theft an
New Windows and Linux Flaws Give Attackers Highest System Privileges

New Windows and Linux Flaws Give Attackers Highest System Privileges

July 20, 2021Ravie Lakshmanan
Microsoft's Windows 10 and the upcoming Windows 11 versions have been found vulnerable to a new local privilege escalation vulnerability that permits users with low-level permissions access Windows system files, in turn, enabling them to unmask the operating system installation password and even decrypt private keys. The vulnerability has been nicknamed "SeriousSAM." "Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files," CERT Coordination Center (CERT/CC) said in a  vulnerability note  published Monday. "This can allow for local privilege escalation (LPE)." The operating system configuration files in question are as follows - c:\Windows\System32\config\sam c:\Windows\System32\config\system c:\Windows\System32\config\security Microsoft, which is tracking the vulnerability under the identifier  CVE-2021-36934 , acknowledged the issue, but has yet to roll out a patch, o
Researchers Warn of Linux Cryptojacking Attackers Operating from Romania

Researchers Warn of Linux Cryptojacking Attackers Operating from Romania

July 19, 2021Ravie Lakshmanan
A threat group likely based in Romania and active since at least 2020 has been behind an active cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcer written in Golang. Dubbed " Diicot brute ," the password cracking tool is alleged to be distributed via a software-as-a-service model, with each threat actor furnishing their own unique API keys to facilitate the intrusions, Bitdefender researchers said in a report published last week. While the goal of the campaign is to deploy Monero mining malware by remotely compromising the devices via brute-force attacks, the researchers connected the gang to at least two  DDoS  botnets, including a  Demonbot  variant called chernobyl and a Perl  IRC bot , with the XMRig mining payload hosted on a domain named mexalz[.]us since February 2021. The Romanian cybersecurity technology company said it began its investigation into the group's hostile online activities in May 2021, leading
Unpatched Flaw in Linux Pling Store Apps Could Lead to Supply-Chain Attacks

Unpatched Flaw in Linux Pling Store Apps Could Lead to Supply-Chain Attacks

June 22, 2021Ravie Lakshmanan
Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software (FOSS) marketplaces for Linux platform that could be potentially abused to stage supply-chain attacks and achieve remote code execution (RCE). "Linux marketplaces that are based on the Pling platform are vulnerable to a wormable [cross-site scripting] with potential for a supply-chain attack," Positive Security co-founder Fabian Bräunlein  said  in a technical write-up published today. "The native PlingStore application is affected by an RCE vulnerability, which can be triggered from any website while the app is running." The Pling-based app stores impacted by the flaw include — appimagehub.com store.kde.org gnome-look.org xfce-look.org pling.com PlingStore allows users to search and install Linux software, themes, icons, and other add-ons that may not be available for download through the distribution's software center.  T
Wormable DarkRadiation Ransomware Targets Linux and Docker Instances

Wormable DarkRadiation Ransomware Targets Linux and Docker Instances

June 22, 2021Ravie Lakshmanan
Cybersecurity researchers are sounding the alarm bell over a new ransomware strain called " DarkRadiation " that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in  Bash  script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro  said  in a report published last week. "The malware uses OpenSSL's AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram's API to send an infection status to the threat actor(s)." As of writing, there's no information available on the delivery methods or evidence that the ransomware has been deployed in real-world attacks. The findings come from an analysis of a collection of hacking tools hosted on the unidentified threat actor's infrastructure (IP address "185.141.25.168") in a
7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access

7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access

June 11, 2021Ravie Lakshmanan
A seven-year-old privilege escalation vulnerability discovered in the polkit system service could be exploited by a malicious unprivileged local attacker to bypass authorization and escalate permissions to the root user. Tracked as  CVE-2021-3560  (CVSS score: 7.8), the flaw affects polkit versions between 0.113 and 0.118 and was discovered by GitHub security researcher Kevin Backhouse, who said the issue was  introduced in a code commit  made on Nov. 9, 2013. Red Hat's Cedric Buissart  noted  that Debian-based distributions, based on polkit 0.105, are also vulnerable. Polkit  (née PolicyKit) is a toolkit for defining and handling authorizations in Linux distributions, and is used for allowing unprivileged processes to communicate with privileged processes. "When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileg
Researchers Warn of Facefish Backdoor Spreading Linux Rootkits

Researchers Warn of Facefish Backdoor Spreading Linux Rootkits

May 28, 2021Ravie Lakshmanan
Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials, device information and executing arbitrary commands on Linux systems. The malware dropper has been dubbed " Facefish " by Qihoo 360 NETLAB team owing its capabilities to deliver different rootkits at different times and the use of  Blowfish  cipher to encrypt communications to the attacker-controlled server. "Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the  Ring 3  layer and is loaded using the  LD_PRELOAD  feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions," the researchers  said . The NETLAB research builds on a previous analysis  published  by Juniper Networks on April 26, which documented an attack chain targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant wit
Researchers Uncover Stealthy Linux Malware That Went Undetected for 3 Years

Researchers Uncover Stealthy Linux Malware That Went Undetected for 3 Years

April 29, 2021Ravie Lakshmanan
A previously undocumented Linux malware with backdoor capabilities has managed to stay under the radar for about three years, allowing the threat actor behind the operation to harvest and exfiltrate sensitive information from infected systems. Dubbed " RotaJakiro " by researchers from Qihoo 360 NETLAB, the backdoor targets Linux X64 machines, and is so named after the fact that "the family uses rotate encryption and behaves differently for root/non-root accounts when executing." The findings come from an analysis of a  malware sample  it detected on March 25, although early versions appear to have been uploaded to VirusTotal as early as May 2018. A  total  of  four   samples  have been found to date on the database, all of which remain undetected by most anti-malware engines. As of writing, only seven security vendors flag the latest version of the malware as malicious. "At the functional level, RotaJakiro first determines whether the user is root or non-
Minnesota University Apologizes for Contributing Malicious Code to the Linux Project

Minnesota University Apologizes for Contributing Malicious Code to the Linux Project

April 26, 2021Ravie Lakshmanan
Researchers from the University of Minnesota apologized to the maintainers of Linux Kernel Project on Saturday for intentionally including vulnerabilities in the project's code, which led to the school being banned from contributing to the open-source project in the future. "While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission," assistant professor Kangjie Lu, along with graduate students Qiushi Wu and Aditya Pakki,  said  in an email. "We did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches," they added. The apology comes over a study into what's called "hypocrite commits," which was  published  earlier this February. The project aimed to deliberately add  use-after-free  vulnerabil
Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux

Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux

April 24, 2021Ravie Lakshmanan
A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its  GitHub repository  were handled, resulting in a scenario where a malicious  pull request  — i.e., the proposed changes — could be automatically reviewed and approved. The flaw was fixed on April 19. Homebrew is a free and open-source software package manager solution that allows the installation of software on Apple's macOS operating system as well as Linux. Homebrew  Cask  extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open source software. "The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be
New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems

New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems

March 29, 2021Ravie Lakshmanan
Cybersecurity researchers on Monday disclosed two new vulnerabilities in Linux-based operating systems that, if successfully exploited, could let attackers circumvent mitigations for speculative attacks such as  Spectre  and obtain sensitive information from kernel memory. Discovered by  Piotr Krysiuk  of Symantec's Threat Hunter team, the flaws — tracked as CVE-2020-27170 and CVE-2020-27171 (CVSS scores: 5.5) — impact all Linux kernels prior to 5.11.8. Patches for the security issues were released on March 20, with Ubuntu, Debian, and Red Hat deploying fixes for the vulnerabilities in their respective Linux distributions. While  CVE-2020-27170  can be abused to reveal content from any location within the kernel memory,  CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory. First documented in January 2018,  Spectre and Meltdown  take advantage of flaws in modern processors to  leak data  that are currently processed on the computer, thereby allowing
Researchers Unveil New Linux Malware Linked to Chinese Hackers

Researchers Unveil New Linux Malware Linked to Chinese Hackers

March 10, 2021Ravie Lakshmanan
Cybersecurity researchers on Wednesday shed light on a new sophisticated backdoor targeting Linux endpoints and servers that's believed to be the work of Chinese nation-state actors. Dubbed " RedXOR " by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the  Winnti Umbrella  (or Axiom) threat group such as ​PWNLNX, ​XOR.DDOS​ and Groundhog. RedXOR's name comes from the fact that it encodes its network data with a scheme based on XOR, and that it's compiled with a legacy  GCC compiler  on an old release of Red Hat Enterprise Linux, suggesting that the malware is deployed in targeted attacks against legacy Linux systems. Intezer said  two   samples  of the malware were uploaded from Indonesia and Taiwan around Feb. 23-24, both countries that are known to be singled out by China-based threat groups. Aside from the overlaps in terms of the overall flow and functionalities and th
A New Linux Malware Targeting High-Performance Computing Clusters

A New Linux Malware Targeting High-Performance Computing Clusters

February 03, 2021Ravie Lakshmanan
High-performance computing clusters belonging to university networks as well as servers associated with government agencies, endpoint security vendors, and internet service providers have been targeted by a newly discovered backdoor that gives attackers the ability to execute arbitrary commands on the systems remotely. Cybersecurity firm ESET named the malware " Kobalos " — a nod to a " mischievous creature " of the same name from Greek mythology — for its "tiny code size and many tricks." "Kobalos is a generic backdoor in the sense that it contains broad commands that don't reveal the intent of the attackers," researchers Marc-Etienne M. Léveillé and Ignacio Sanmillan  said  in a Tuesday analysis. "In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers." Besides tracing the malware back to attacks against a nu
FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities

FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities

January 19, 2021Ravie Lakshmanan
An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage (NAS) devices running on Linux systems to co-opt the machines into an  IRC botnet  for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency. The attacks deploy a new  malware variant called " FreakOut " by leveraging critical flaws fixed in Laminas Project (formerly Zend Framework) and Liferay Portal as well as an unpatched security weakness in TerraMaster, according to Check Point Research's new analysis published today and shared with The Hacker News. Attributing the malware to be the work of a long-time cybercrime hacker — who goes by the aliases Fl0urite and Freak on HackForums and Pastebin at least since 2015 — the researchers said the flaws —  CVE-2020-28188 ,  CVE-2021-3007 , and  CVE-2020-7961  — were weaponized to inject and execute malicious commands in the server. Regardless of the vulnerabilities exploit
Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users

Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users

January 05, 2021Ravie Lakshmanan
Cybersecurity researchers today revealed a wide-ranging scam targeting cryptocurrency users that began as early as January last year to distribute trojanized applications to install a previously undetected remote access tool on target systems. Called ElectroRAT by Intezer, the RAT is written from ground-up in Golang and designed to target multiple operating systems such as Windows, Linux, and macOS.  The apps are developed using the open-source Electron cross-platform desktop app framework. "ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware and evade most antivirus engines," the researchers said . "It is common to see various information stealers trying to collect private keys to access victims wallets. However, it is rare to see tools written from scratch and targeting multiple operating systems for these purposes." The campaign, first detected in December, is believed to have claimed over 6,500 victims based on th
Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices

Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices

December 15, 2020Ravie Lakshmanan
A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers. Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called " Gitpaste-12 ," which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL. The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020. Now according to Juniper, the  second wave of attacks  began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner ("ls"), a file with a list of passwords for brute-force attempts ("pass"), and a local privilege escalation exploit for x86_64 Linux systems. Th
Stantinko Botnet Now Targeting Linux Servers to Hide Behind Proxies

Stantinko Botnet Now Targeting Linux Servers to Hide Behind Proxies

November 24, 2020Ravie Lakshmanan
An adware and coin-miner botnet targeting Russia, Ukraine, Belarus, and Kazakhstan at least since 2012 has now set its sights on Linux servers to fly under the radar. According to a new analysis published by Intezer today and shared with The Hacker News, the trojan masquerades as  HTTPd , a commonly used program on Linux servers, and is a new version of the malware belonging to a threat actor tracked as  Stantinko . Back in 2017, ESET researchers detailed a  massive adware botnet  that works by tricking users looking for pirated software into downloading malicious executables disguised as torrents to install rogue browser extensions that perform ad injection and click fraud. The covert campaign, which controls a vast army of half a million bots, has since received a substantial upgrade in the form of a  crypto-mining module  with an aim to profit from computers under their control. Although Stantinko has been traditionally a Windows malware, the expansion in their toolset to tar
SAD DNS — New Flaws Re-Enable DNS Cache Poisoning Attacks

SAD DNS — New Flaws Re-Enable DNS Cache Poisoning Attacks

November 12, 2020Ravie Lakshmanan
A group of academics from the University of California and Tsinghua University has uncovered a series of critical security flaws that could lead to a revival of DNS cache poisoning attacks. Dubbed " SAD DNS attack " (short for Side-channel AttackeD DNS), the technique makes it possible for a malicious actor to carry out an off-path attack, rerouting any traffic originally destined to a specific domain to a server under their control, thereby allowing them to eavesdrop and tamper with the communications. "This represents an important milestone — the first weaponizable network side channel attack that has serious security impacts," the researchers said. "The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache." Tracked as CVE-2020-25705, the findings were presented at the ACM Conference on Computer, and Communications Security (CCS '20) held this week. The flaw affects operating systems Linux 3.18-5.10, Windows Serv
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.