linux | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access to its operators, in addition to amassing credentials and function as a proxy server. The malware family, dubbed " FontOnLake " by Slovak cybersecurity firm ESET, is said to feature "well-designed modules" that are continuously being upgraded with a broad range of abilities, indicating an active development phase. Samples uploaded to VirusTotal point to the possibility that the very first intrusions utilizing this threat have been happening as early as May 2020. Avast  and  Lacework Labs  are tracking the same malware under the moniker HCRootkit. "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks," ESET researcher Vladislav Hrčka  said . "To collect data or condu

Sysadmins know what the risks are of running unpatched services. Given the choice, and unlimited resources, most hardworking administrators will ensure that all systems and services are patched consistently. But things are rarely that simple. Technical resources are limited, and patching can often be more complicated than it appears at first glance. Worse, some services are so hidden in the background, that they just don't make it onto the list of things to be patched. QEMU is one of those services that tend to create difficulties with patching. It works away in the background and is easy to take for granted. Plus, patching QEMU involves significant technical and practical challenges – while requiring enormous resources. In this article, we'll address some of the difficulties around patching QEMU, and point to a solution that takes the toughest bits out of QEMU patching. Ignoring QEMU patching is a big risk You'll probably know about it if you're using QEMU – shor

Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy. Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools that exploit edge-case vulnerabilities. Instead, they often use commonly available tools and exploit multiple vulnerability points. By simulating a real-world network attack, security teams can test their detection systems, ensure they have multiple choke points in place, and demonstrate the value of networking security to leadership. In this article, we demonstrate a real-life attack that could easily occur in many systems. The attack simulation was developed based on the MITRE ATT&CK framework, Atomic Red Team,  Cato Networks ' experience in the field, and public threat intel. In the end, we explain why a holistic secur

A recently discovered wave of malware attacks has been spotted using a variety of tactics to enslave susceptible machines with easy-to-guess administrative credentials to co-opt them into a network with the goal of illegally mining cryptocurrency. "The malware's primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they've been infected, these systems are then used to mine cryptocurrency," Akamai security researcher Larry Cashdollar  said  in a write-up published last week. The PHP malware — codenamed "Capoae" (short for "Сканирование," the Russian word for "Scanning") — is said to be delivered to the hosts via a backdoored addition to a WordPress plugin called "download-monitor," which gets installed after successfully brute-forcing WordPress admin credentials. The attacks also involve the deployment of a  Golang binary  with decryption functionality, with the obfusc

A number of malicious samples have been created for the Windows Subsystem for Linux (WSL) with the goal of compromising Windows machines, highlighting a sneaky method that allows the operators to stay under the radar and thwart detection by popular anti-malware engines. The "distinct tradecraft" marks the first instance where a threat actor has been found abusing WSL to install subsequent payloads. "These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls," researchers from Lumen Black Lotus Labs  said  in a report published on Thursday. Windows Subsystem for Linux, launched in August 2016, is a  compatibility layer  that's designed to run Linux binary executables (in ELF format) natively on the Windows platform without the overhead of a traditional virtual machine or dual-boot setup. The earliest artifacts date back to M

Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of  Cobalt Strike Beacon  that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool — codenamed "Vermilion Strike" — marks one of the  rare Linux ports , which has been traditionally a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as a " threat emulation software ," with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions. "The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands and writing to files," Intezer researchers said in a report publishe

The Linux community was caught unprepared when, in December 2020, as part of a change in the way Red Hat supports and develops CentOS, Red Hat suddenly announced that it's cutting the official CentOS 8 support window from ten years – to just two, with support ending Dec 31, 2021. It created a peculiar situation where CentOS 7 users that did the right thing and upgraded quickly to CentOS 8 were left using an OS with just a year's official support remaining – while users of CentOS 7 still get full support until June 30, 2024. Worse, the fact that stable releases of CentOS were discontinued in exchange for the rolling-release CentOS Stream means that to secure their workloads most CentOS 8 users have to opt for an entirely different Linux distribution, with just a year to choose, evaluate and implement an alternative. Red Hat's unexpected decision underlined to what degree software users depend on official support windows for their software security. Countless organization

Close to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans. That's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm Trend Micro , detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry. The company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share. In addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild o

Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign. More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ  said  in a report shared with The Hacker News. APT29, the moniker assigned to government operatives working for Russia's Foreign Intelligence Service (SVR), is believed to have been the  mastermind behind the massive SolarWinds supply chain attack  that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April. The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and

An infamous cross-platform crypto-mining malware has continued to refine and improve upon its techniques to strike both Windows and Linux operating systems by setting its sights on older vulnerabilities, while simultaneously latching on to a variety of spreading mechanisms to maximize the effectiveness of its campaigns. "LemonDuck, an actively updated and robust malware that's primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations," Microsoft  said  in a technical write-up published last week. "Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity." The malware is notorious for its ability to propagate rapidly across an infected network to facilitate information theft an

Microsoft's Windows 10 and the upcoming Windows 11 versions have been found vulnerable to a new local privilege escalation vulnerability that permits users with low-level permissions access Windows system files, in turn, enabling them to unmask the operating system installation password and even decrypt private keys. The vulnerability has been nicknamed "SeriousSAM." "Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files," CERT Coordination Center (CERT/CC) said in a  vulnerability note  published Monday. "This can allow for local privilege escalation (LPE)." The operating system configuration files in question are as follows - c:\Windows\System32\config\sam c:\Windows\System32\config\system c:\Windows\System32\config\security Microsoft, which is tracking the vulnerability under the identifier  CVE-2021-36934 , acknowledged the issue, but has yet to roll out a patch, o

A threat group likely based in Romania and active since at least 2020 has been behind an active cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcer written in Golang. Dubbed " Diicot brute ," the password cracking tool is alleged to be distributed via a software-as-a-service model, with each threat actor furnishing their own unique API keys to facilitate the intrusions, Bitdefender researchers said in a report published last week. While the goal of the campaign is to deploy Monero mining malware by remotely compromising the devices via brute-force attacks, the researchers connected the gang to at least two  DDoS  botnets, including a  Demonbot  variant called chernobyl and a Perl  IRC bot , with the XMRig mining payload hosted on a domain named mexalz[.]us since February 2021. The Romanian cybersecurity technology company said it began its investigation into the group's hostile online activities in May 2021, leading

Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software (FOSS) marketplaces for Linux platform that could be potentially abused to stage supply-chain attacks and achieve remote code execution (RCE). "Linux marketplaces that are based on the Pling platform are vulnerable to a wormable [cross-site scripting] with potential for a supply-chain attack," Positive Security co-founder Fabian Bräunlein  said  in a technical write-up published today. "The native PlingStore application is affected by an RCE vulnerability, which can be triggered from any website while the app is running." The Pling-based app stores impacted by the flaw include — appimagehub.com store.kde.org gnome-look.org xfce-look.org pling.com PlingStore allows users to search and install Linux software, themes, icons, and other add-ons that may not be available for download through the distribution's software center.  T

Cybersecurity researchers are sounding the alarm bell over a new ransomware strain called " DarkRadiation " that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in  Bash  script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro  said  in a report published last week. "The malware uses OpenSSL's AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram's API to send an infection status to the threat actor(s)." As of writing, there's no information available on the delivery methods or evidence that the ransomware has been deployed in real-world attacks. The findings come from an analysis of a collection of hacking tools hosted on the unidentified threat actor's infrastructure (IP address "185.141.25.168") in a

A seven-year-old privilege escalation vulnerability discovered in the polkit system service could be exploited by a malicious unprivileged local attacker to bypass authorization and escalate permissions to the root user. Tracked as  CVE-2021-3560  (CVSS score: 7.8), the flaw affects polkit versions between 0.113 and 0.118 and was discovered by GitHub security researcher Kevin Backhouse, who said the issue was  introduced in a code commit  made on Nov. 9, 2013. Red Hat's Cedric Buissart  noted  that Debian-based distributions, based on polkit 0.105, are also vulnerable. Polkit  (née PolicyKit) is a toolkit for defining and handling authorizations in Linux distributions, and is used for allowing unprivileged processes to communicate with privileged processes. "When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileg

Cybersecurity researchers have disclosed a new backdoor program capable of stealing user login credentials, device information and executing arbitrary commands on Linux systems. The malware dropper has been dubbed " Facefish " by Qihoo 360 NETLAB team owing its capabilities to deliver different rootkits at different times and the use of  Blowfish  cipher to encrypt communications to the attacker-controlled server. "Facefish consists of 2 parts, Dropper and Rootkit, and its main function is determined by the Rootkit module, which works at the  Ring 3  layer and is loaded using the  LD_PRELOAD  feature to steal user login credentials by hooking ssh/sshd program related functions, and it also supports some backdoor functions," the researchers  said . The NETLAB research builds on a previous analysis  published  by Juniper Networks on April 26, which documented an attack chain targeting Control Web Panel (CWP, formerly CentOS Web Panel) to inject an SSH implant wit

A previously undocumented Linux malware with backdoor capabilities has managed to stay under the radar for about three years, allowing the threat actor behind the operation to harvest and exfiltrate sensitive information from infected systems. Dubbed " RotaJakiro " by researchers from Qihoo 360 NETLAB, the backdoor targets Linux X64 machines, and is so named after the fact that "the family uses rotate encryption and behaves differently for root/non-root accounts when executing." The findings come from an analysis of a  malware sample  it detected on March 25, although early versions appear to have been uploaded to VirusTotal as early as May 2018. A  total  of  four   samples  have been found to date on the database, all of which remain undetected by most anti-malware engines. As of writing, only seven security vendors flag the latest version of the malware as malicious. "At the functional level, RotaJakiro first determines whether the user is root or non-