#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

linux | Breaking Cybersecurity News | The Hacker News

New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion

New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion

Mar 01, 2024 Linux / Cyber Threat
Cybersecurity researchers have discovered a new Linux variant of a remote access trojan (RAT) called BIFROSE (aka Bifrost) that uses a deceptive domain mimicking VMware. "This latest version of Bifrost aims to bypass security measures and compromise targeted systems," Palo Alto Networks Unit 42 researchers Anmol Maurya and Siddharth Sharma  said . BIFROSE  is one of the long-standing threats that has been active since 2004. It has been offered for sale in underground forums for up to $10,000 in the past, according to a  report  from Trend Micro in December 2015. The malware has been put to use by a state-backed hacking group from China tracked as  BlackTech  (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard), which has a history of striking organizations in Japan, Taiwan, and the U.S. It's suspected that the threat actor purchased the source code or gained access to it around 2010, and repurposed the malware for use in its own
GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

Feb 29, 2024 Linux / Network Security
Threat hunters have discovered a new Linux malware called  GTPDOOR  that's designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges ( GRX ) The  malware  is novel in the fact that it leverages the GPRS Tunnelling Protocol ( GTP ) for command-and-control (C2) communications. GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network ( PLMN ). Security researcher haxrob, who discovered two  GTPDOOR   artifacts  uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as  LightBasin  (aka UNC1945), which was previously disclosed by CrowdStrike in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata. "When run, the f
How to Find and Fix Risky Sharing in Google Drive

How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024Data Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn't anyone's fault; it's inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.  For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.  Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched  Data Protection for Google Drive  to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit. How Material Security helps organ
FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks

FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks

Feb 28, 2024 Ransomware / Healthcare
The U.S. government is warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month. "Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," the government  said  in an updated advisory. "This is likely in response to the ALPHV/BlackCat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023." The alert comes courtesy of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS). The BlackCat ransomware operation suffered a major blow late last year after a coordinated law enforcement operation led to the  seizure of its dark leak sites . But the takedown turned out to be a failure after the group managed to regain control of the
cyber security

Uncover Critical Gaps in 7 Core Areas of Your Cybersecurity Program

websiteArmor PointCyber Security / Assessment
Turn potential vulnerabilities into strengths. Start evaluating your defenses today. Download the Checklist.
Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

Feb 27, 2024 Malware / Network Security
An "intricately designed" remote access trojan (RAT) called  Xeno RAT  has been made available on GitHub, making it easily accessible to other actors at no extra cost. Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a "comprehensive set of features for remote system management," according to its developer, who goes by the name moom825. It includes a SOCKS5 reverse proxy and the ability to record real-time audio, as well as incorporate a hidden virtual network computing ( hVNC ) module along the lines of  DarkVNC , which allows attackers to gain remote access to an infected computer. "Xeno RAT is developed entirely from scratch, ensuring a unique and tailored approach to remote access tools," the developer  states  in the project description. Another notable aspect is that it has a builder that enables the creation of bespoke variants of the malware.  It's worth noting that moom825 is a
New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

Feb 21, 2024 Network Security / Vulnerability
Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password. The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, have been discovered following a security evaluation of  wpa_supplicant  and Intel's iNet Wireless Daemon ( IWD ), respectively. The flaws "allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic, and join otherwise secure networks without needing the password," Top10VPN  said  in a new research conducted in collaboration with Mathy Vanhoef, who has previously uncovered Wi-Fi attacks like  KRACK ,  DragonBlood , and  TunnelCrack . CVE-2023-52161, in particular, permits an adversary to gain unauthorized access to a protected Wi-Fi network, exposing exis
New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

Feb 20, 2024 Server Security / Cryptojacking
A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts. "This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir  said  in a technical report. The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines. The cloud security company said it detected the campaign after it identified an "unusual series of commands" targeting its Redis honeypots that are engineered to lower security defenses by disabling the following configuration options - protected-mode   replica-read-only aof-rewrite-incremental-fsync , and rdb-save-incremental-fsync It's suspected that these options are turned off in order to send additional commands to the Re
Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

Feb 15, 2024 Firmware Security / Reverse Engineering
A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains. Eclypsiusm, which acquired firmware version 9.1.18.2-24467.1 as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4. "Pulse Secure runs an 11-year-old version of Linux which hasn't been supported since November 2020," the firmware security company  said  in a report shared with The Hacker News. The development comes as threat actors are capitalizing on a number of security flaws discovered in Ivanti Connect Secure, Policy Secure, and ZTA gateways to  deliver  a  wide range of malware , including web shells, stealers, and backdoors. The vulnerabilities that have come under active exploitation in recent months comprise CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Last week, Ivanti also  disclosed  another bug
Critical Boot Loader Vulnerability in Shim Impacts Nearly All Linux Distros

Critical Boot Loader Vulnerability in Shim Impacts Nearly All Linux Distros

Feb 07, 2024 Device Security / Vulnerability
The maintainers of shim have released  version 15.8  to address six security flaws, including a critical bug that could pave the way for remote code execution under specific circumstances. Tracked as  CVE-2023-40547  (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been  credited  with discovering and reporting the bug. Major Linux distributions that use shim such as Debian , Red Hat , SUSE , and Ubuntu have all released advisories for the security flaw. "The shim's http boot support (httpboot.c) trusts attacker-controlled values when parsing an HTTP response, leading to a completely controlled out-of-bounds write primitive," Oracle's Alan Coopersmith  noted  in a message shared on the Open Source Security mailing list oss-security. Demirkapi, in a  post  shared on X (formerly Twitter) late last month, said the vulnerability "exists in every Linux bo
RunC Flaws Enable Container Escapes, Granting Attackers Host Access

RunC Flaws Enable Container Escapes, Granting Attackers Host Access

Jan 31, 2024 Software Security / Linux
Multiple security vulnerabilities have been disclosed in the runC command line tool that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks. The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed  Leaky Vessels  by cybersecurity vendor Snyk. "These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges," the company  said  in a report shared with The Hacker News. runC  is a tool for spawning and running containers on Linux. It was originally developed as part of Docker and later  spun out  into a separate open-source library in 2015. A brief description of each of the flaws is below - CVE-202
New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

Jan 31, 2024 Vulnerability / Endpoint Security
Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246 (CVSS score: 7.8), the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by  syslog() and vsyslog()  for system logging purposes. It's said to have been accidentally introduced in August 2022 with the release of glibc 2.37. "This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access," Saeed Abbasi, product manager of the Threat Research Unit at Qualys,  said , adding it impacts major Linux distributions like Debian, Ubuntu, and Fedora. A threat actor could exploit the flaw to obtain elevated permissions via specially crafted inputs to applications that employ these logging functions. "Although the  vulnerability  requires specific conditions to be exploited (such as an unusuall
Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

Jan 29, 2024 PyPI Repository / Malware
Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called WhiteSnake Stealer on Windows systems. The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS." "These packages incorporate Base64-encoded source code of PE or other Python scripts within their setup.py files," Fortinet FortiGuard Labs  said  in an analysis published last week. "Depending on the victim devices' operating system, the final malicious payload is dropped and executed when these Python packages are installed." While Windows systems are infected with WhiteSnake Stealer, compromised Linux hosts are served a Python script designed to harvest information. The activity, which predominantly targets Windows users, overlaps with a  prior campaign  that JFrog
Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners

Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners

Jan 04, 2024 Cryptocurrency Miner / Malware
Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices. The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down. "These packages, upon initial use, deploy a CoinMiner executable on Linux devices," Fortinet FortiGuard Labs researcher Gabby Xiong  said , adding the activity shares overlaps with a  prior campaign  that involved the use of a package called culturestreak to deploy a crypto miner. The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script ("unmi.sh") that fetches a configuration file for the mining activity as well as the CoinMiner file  hosted on GitLab . The  ELF binary  file is then executed in the background using the  nohup command , thus ensuring that the process contin
Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining

Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining

Dec 27, 2023 Malware / Server Security
Poorly secured Linux SSH servers are being targeted by bad actors to install port scanners and dictionary attack tools with the goal of targeting other vulnerable servers and co-opting them into a network to carry out cryptocurrency mining and distributed denial-of-service (DDoS) attacks. "Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web," the AhnLab Security Emergency Response Center (ASEC)  said  in a report on Tuesday. In these attacks, adversaries try to guess a server's SSH credentials by running through a list of commonly used combinations of usernames and passwords, a technique called dictionary attack. Should the brute-force attempt be successful, it's followed by the threat actor deploying other malware, including scanners, to scan for other susceptible systems on the internet. Specifically, the scanner is designed to look for systems where port 22 -- which is associated with the SSH
SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs

SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs

Dec 09, 2023 Cyber Threat / Hardware Security
Researchers from the Vrije Universiteit Amsterdam have disclosed a new side-channel attack called  SLAM  that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm. The attack is an end-to-end exploit for Spectre based on a new feature in Intel CPUs called  Linear Address Masking  ( LAM ) as well as its analogous counterparts from AMD (called  Upper Address Ignore  or  UAI ) and Arm (called  Top Byte Ignore  or  TBI ). "SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data," VUSec researchers  said , adding it could be leveraged to leak the root password hash within minutes from kernel memory. While LAM is presented as a security feature, the study found that it ironically degrades security and "dramatically" increases the  Spectre attack surface , resulting in a transient execution attack, which exploits  speculative execution  to extract sensitive data via
New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices

New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices

Dec 07, 2023 Mobile Security / Vulnerability
A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices. Tracked as  CVE-2023-45866 , the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim. "Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes," said security researcher  Marc Newlin , who  disclosed  the flaws to the software vendors in August 2023. Specifically, the attack deceives the target device into thinking that it's connected to a Bluetooth keyboard by taking advantage of an "unauthenticated pairing mechanism" that's defined in the Bluetooth specification. Successful exploitation of the flaw could permit an adversary in close physical proximity to connect to a vulnerable device and trans
New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand

New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand

Dec 07, 2023 Malware / Security Breach
A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors to main covert access to victim networks at lease since 2021. Named after a  nocturnal female spirit  of Southeast Asian folklore, the malware is "able to conceal its own presence during the initialization phase," Group-IB  said  in a report shared with The Hacker News. The exact initial access vector used to deploy Krasue is currently not known, although it's suspected that it could be via vulnerability exploitation, credential brute-force attacks, or downloaded as part of a bogus software package or binary. The malware's core functionalities are realized through a rootkit that masquerades as an unsigned VMware driver and allows it to maintain persistence on the host without attracting any attention. The rootkit is derived from open-source projects such as Diamorphine, Suterusu, and Rooty. This has raised the possibility that
LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

Nov 22, 2023 Threat Analysis / Vulnerability
Multiple threat actors, including LockBit ransomware affiliates, are  actively exploiting  a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments. The joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Australian Signals Directorate's Australian Cyber Security Center (ASD's ACSC). "Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances," the agencies  said . "Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to
Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Nov 21, 2023 Linux / Rootkit
The  Kinsing  threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. "Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative impact on system performance," Trend Micro security researcher Peter Girnus  said . Kinsing  refers to a  Linux malware  with a history of targeting misconfigured containerized environments for cryptocurrency mining, often utilizing compromised server resources to generate illicit profits for the threat actors. The group is also known to quickly adapt its tactics to include newly disclosed flaws in web applications to breach target networks and deliver crypto miners. Earlier this month, Aqua  disclosed  the threat actor's attempts to exploit a Linux privilege escalation fla
Cybersecurity Resources