linux | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have taken the wraps off a new and entirely undetected Linux threat dubbed  OrBit , signally a growing trend of malware attacks geared towards the popular operating system. The malware gets its name from one of the filenames that's utilized to temporarily store the output of executed commands ("/tmp/.orbit"), according to cybersecurity firm Intezer. "It can be installed either with persistence capabilities or as a volatile implant," security researcher Nicole Fishbein  said . "The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands." OrBit is the fourth Linux malware to have come to light in a short span of three months after  BPFDoor ,  Symbiote , and  Syslogk . The malware also functions a lot like Symbiote in that it's designed to infect all of t

Cybersecurity researchers from Palo Alto Networks Unit 42  disclosed  details of a new security flaw affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster. The issue, which has been dubbed  FabricScape  ( CVE-2022-30137 ), could only be weaponized on containers that are configured to have  runtime access . It has been  remediated  as of June 14, 2022, in  Service Fabric 9.0 Cumulative Update 1.0 . Azure Service Fabric  is Microsoft's platform-as-a-service ( PaaS ) and a container orchestrator solution used to build and deploy microservices-based cloud applications across a cluster of machines. "The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource's host SF node and the entire cluster," Microsoft  said  as part of the coordinated disclosure process. "Though the bug exists on both Operating Syste

To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to  add  a Linux vulnerability dubbed  PwnKit  to its  Known Exploited Vulnerabilities Catalog , citing evidence of active exploitation. The issue, tracked as  CVE-2021-4034  (CVSS score: 7.8), came to light in January 2022 and concerns a case of  local privilege escalation  in polkit's pkexec utility, which allows an authorized user to execute commands as another user. Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes. Successful exploitation of the flaw could induce pkexec to execute arbitrary code, granting an unprivileged attacker administrative rights on the target machine. It's not immediately clear how the vulnerability is being weaponized in the wild, nor is there any information on the identity of the threat actor that may

A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022. Dubbed  Panchan  by Akamai Security Research, the malware "utilizes its built-in concurrency features to maximize spreadability and execute malware modules" and "harvests SSH keys to perform lateral movement." The feature-packed botnet, which relies on a basic list of default SSH passwords to carry out a  dictionary attack  and expand its reach, primarily functions as a cryptojacker designed to hijack a computer's resources to mine cryptocurrencies. The cybersecurity and cloud service company noted it first spotted Panchan's activity on March 19, 2022, and attributed the malware to a likely Japanese threat actor based on the language used in the administrative panel baked into the binary to edit the mining configuration. Panchan is known to deploy and execute two miners, XMRig and nbhash, on the host

Windows and Linux systems are being targeted by a ransomware variant called HelloXD, with the infections also involving the deployment of a backdoor to facilitate persistent remote access to infected hosts. "Unlike other ransomware groups, this ransomware family doesn't have an active leak site; instead it prefers to direct the impacted victim to negotiations through  Tox chat  and onion-based messenger instances," Daniel Bunce and Doel Santos, security researchers from Palo Alto Networks Unit 42,  said  in a new write-up. HelloXD  surfaced in the wild on November 30, 2021, and is based off leaked code from Babuk, which was  published  on a Russian-language cybercrime forum in September 2021. The ransomware family is no exception to the norm in that the operators follow the tried-and-tested approach of  double extortion  to demand cryptocurrency payments by exfiltrating a victim's sensitive data in addition to encrypting it and threatening to publicize the inform

Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems. Dubbed  Symbiote  by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a  parasite . The operators behind Symbiote are believed to have commenced development on the malware in November 2021, with the threat actor predominantly using it to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa, based on the domain names used. "Symbiote's main objective is to capture credentials and to facilitate backdoor access to a victim's machine," researchers Joakim Kennedy and Ismael Valenzuela said in a report shared with The Hacker News. "What makes Symbiote different from other Linux malware is that it infec

Common cybercriminals are a menace, there's no doubt about it – from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups. In fact, these tools can prove almost impossible to detect – and guard against. BVP47 is a case in point. In this article, we'll outline how this powerful state-sponsored malware has been quietly circulating for years, how it so cleverly disguises itself, and explain what that means for cybersecurity in the enterprise. Background story behind BVP47 It's a long story, fit for a spy novel. Earlier this year, a Chinese cybersecurity research group called Pangu Lab published an in-depth, 56-page report covering a piece of malicious code that the research group decided to call BVP47 (because BVP was the most common string in

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS). "The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs  said  in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices." First disclosed by  Securonix  in March and later by  Fortinet , Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ. Enemybot, which is capable of carrying out  DDoS attacks , draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals

Unless you are living completely off the grid, you know the horrifying war in Ukraine and the related geopolitical tensions have dramatically increased cyberattacks and the threat of even more to come. The Cybersecurity and Infrastructure Security Agency (CISA) provides guidance to US federal agencies in their fight against cybercrime, and the agency's advice has proven so valuable that it's been widely adopted by commercial organizations too. In February, CISA responded to the current situation by issuing an unusual " SHIELDS UP! " warning and advisory. According to CISA, "Every organization—large and small—must be prepared to respond to disruptive cyber incidents." The announcement from CISA consisted of a range of recommendations to help organizations and individuals reduce the likelihood of a successful attack and limit damage in case the worst happens. It also contains general advice for C-level leaders, as well as a tip sheet on how to respond to r

Cybersecurity researchers have disclosed an unpatched security vulnerability that could pose a serious risk to IoT products. The issue, which was originally reported in September 2021, affects the Domain Name System (DNS) implementation of two popular C libraries called  uClibc  and  uClibc-ng  that are used for developing embedded Linux systems. uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo, potentially exposing millions of IoT devices to security threats. "The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device," Giannis Tsaraias and Andrea Palanca of Nozomi Networks  said  in a Monday write-up. DNS poisoning , also referred to as DNS spoofing, is the technique of corrupting a DNS resolver cache — which provides clients with the IP address a

Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities. Collectively called " Nimbuspwn ," the flaws "can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution," Jonathan Bar Or of the Microsoft 365 Defender Research Team  said  in a report. On top of that, the defects — tracked as  CVE-2022-29799 and CVE-2022-29800  — could also be weaponized as a vector for root access to deploy more sophisticated threats such as ransomware. The vulnerabilities are rooted in a  systemd  component called  networkd-dispatcher , a  daemon program  for the network manager system service that's designed to dispatch network status changes. Specifically, they relate to a combination of  directory t

How well do your Linux security practices stack up in today's challenging operating environment? Are you following the correct processes to keep systems up-to-date and protected against the latest threats? Now you can find out thanks to research independently conducted by the Ponemon Institute. The research sponsored by  TuxCare  sought to understand better how organizations are currently managing the security and stability of their Linux-based systems. The results allow all organizations operating Linux-based systems to benchmark their processes against their peers and best practices. You can get a copy of the complete report  HERE  if you can't wait to see the findings, but we've highlighted the key takeaways below if you'd like a preview. Research Goals  Understanding the current State of Enterprise Linux Security Management has never been more imperative. The number of high and critical vulnerabilities continues to grow each year significantly, and exploits aga

The recently disclosed critical Spring4Shell vulnerability is being actively exploited by threat actors to execute the Mirai botnet malware , particularly in the Singapore region since the start of April 2022. "The exploitation allows threat actors to download the Mirai sample to the '/tmp' folder and execute them after permission change using 'chmod ,'" Trend Micro researchers Deep Patel, Nitesh Surana, Ashish Verma said in a report published Friday. Tracked as CVE-2022-22965 (CVSS score: 9.8), the vulnerability could allow malicious actors to achieve remote code execution in Spring Core applications under non-default circumstances, granting the attackers full control over the compromised devices. The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation." This is

Between a series of recent high-profile cybersecurity incidents and the heightened geopolitical tensions, there's rarely been a more dangerous cybersecurity environment. It's a danger that affects every organization – automated attack campaigns don't discriminate between targets. The situation is driven in large part due to a relentless rise in vulnerabilities, with tens of thousands of brand-new vulnerabilities discovered every year. For tech teams that are probably already under-resourced, guarding against this rising tide of threats is an impossible task. Yet, in the battle against cybercrime, some of the most effective and most sensible mitigations are sometimes neglected. In this article, we'll outline why cybersecurity risks have escalated so dramatically – and which easy wins your organization can make for a significant difference in your cybersecurity posture, right now. Recent major cyberattacks point to the danger Cyber security has arguably never been mo

Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system. The vulnerability relates to  CVE-2022-0543 , a  Lua sandbox escape flaw  in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity. "Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu noted in an advisory released last month. According to  telemetry data  gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script ("russia.sh") from a remote server, which is then utilized to fetch and execute the botnet binaries from another s

A financially motivated threat actor has been observed deploying a previously unknown rootkit targeting Oracle Solaris systems with the goal of compromising Automatic Teller Machine (ATM) switching networks and carrying out unauthorized cash withdrawals at different banks using fraudulent cards. Threat intelligence and incident response firm Mandiant is tracking the cluster under the moniker UNC2891, with some of the group's tactics, techniques, and procedures sharing overlaps with that of another cluster dubbed  UNC1945 . The intrusions staged by the actor involve "a high degree of OPSEC and leverage both public and private malware, utilities, and scripts to remove evidence and hinder response efforts," Mandiant researchers  said  in a new report published this week. Even more concerningly, the attacks spanned several years in some cases, during the entirety of which the actor remained undetected by taking advantage of a rootkit called CAKETAP, whic is designed to c

A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called  cr8escape  could be exploited by an attacker to break out of containers and obtain root access to the host. "Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods," CrowdStrike researchers John Walker and Manoj Ahuje  said  in an analysis published this week. A lightweight alternative to Docker,  CRI-O  is a  container runtime  implementation of the Kubernetes Container Runtime Interface (CRI) that's used to pull container images from registries and launch an Open Container Initiative ( OCI )-compatible runtime such as runC to spawn and run container processes. The vulnerability is rated 8.8 on the CVSS vulnerability scoring system and affects CRI-O versions 1.19 and later. Following responsible disclosure, patches have been released to address the fl

A previously undocumented backdoor has been observed targeting Linux systems with the goal of corralling the machines into a botnet and acting as a conduit for downloading and installing rootkits. Qihoo 360's Netlab security team called it  B1txor20  "based on its propagation using the file name 'b1t,' the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes." First observed propagating through the  Log4j vulnerability  on February 9, 2022, the malware leverages a technique called DNS tunneling to build communication channels with command-and-control (C2) servers by encoding data in DNS queries and responses. B1txor20, while also buggy in some ways, currently supports the ability to obtain a shell, execute arbitrary commands, install a rootkit, open a  SOCKS5 proxy , and functions to upload sensitive information back to the C2 server. Once a machine is successfully compromised, the malware utilizes the DNS tunnel to retrieve and execute co