A backdoor known as BPFdoor, linked to Chinese cyber actors, has been discovered operating within the Linux kernel of key telecom servers and Kubernetes pods. First identified in 2021, this backdoor is now posing a significant risk to global telecommunications infrastructure. Researchers found that BPFdoor's stealthy design allows it to evade detection while compromising critical systems. This situation is concerning as it impacts the reliability and security of telecom services worldwide, potentially allowing attackers to intercept communications or disrupt services. Companies in the telecom sector need to be vigilant and take immediate action to secure their systems against this threat.
Articles tagged "Linux"
Found 89 articles
Security researchers have identified two new malware strains specifically targeting Linux-based network devices. These malicious programs are being used by financially motivated cybercriminals, marking a shift from their previous association with nation-state espionage. The malware can facilitate distributed denial-of-service (DDoS) attacks and enable unauthorized cryptocurrency mining. This development is concerning as it indicates that attackers are now exploiting vulnerabilities that were once primarily used for geopolitical purposes. Organizations using Linux network devices need to be vigilant and enhance their security measures to protect against these evolving threats.
Recent vulnerabilities in CrackArmor's AppArmor have been discovered, allowing local users of Linux systems to escalate their privileges to root access. This flaw not only compromises the host system but also allows attackers to break out of container environments and launch denial-of-service (DoS) attacks. The implications are significant for any organization relying on Linux, as it increases the risk of unauthorized access and system disruption. Users should be particularly vigilant if they are running systems with AppArmor enabled, as these vulnerabilities could lead to severe security incidents if exploited. Immediate action is advised to mitigate potential risks associated with these flaws.
Researchers from Qualys have discovered nine vulnerabilities in the Linux AppArmor module, collectively known as CrackArmor. These flaws, which have been present since 2017, allow unprivileged users to bypass security protections and potentially gain root access. This poses a significant risk, particularly for systems using containerization, as it could weaken the isolation between containers. Organizations using Linux systems with AppArmor should be aware of these vulnerabilities and take appropriate action to secure their environments. The discovery emphasizes the need for regular security assessments and timely patch management to mitigate such risks.
Hackread – Cybersecurity News, Data Breaches, AI and More
Security researchers at Qualys have identified a vulnerability known as 'CrackArmor' in AppArmor, a security tool used to restrict the capabilities of applications on Linux systems. This flaw affects approximately 12.6 million Linux systems, potentially allowing attackers to gain root access and escape from containers. Such a breach can lead to unauthorized control over affected systems, posing significant risks to data integrity and system security. Users of Linux systems, especially those employing AppArmor for security, should take this issue seriously and stay informed about potential exploits. The discovery underscores the need for regular system updates and vigilance against emerging vulnerabilities.
Researchers have identified nine vulnerabilities in the Linux kernel's AppArmor module, collectively known as CrackArmor. These flaws allow unprivileged users to bypass security measures, escalate their access to root privileges, and compromise container isolation. This is particularly concerning for environments that rely on containers for security, as these vulnerabilities could undermine the protections that AppArmor is supposed to provide. Affected users include those utilizing Linux systems with AppArmor enabled, which is common in many enterprise and cloud environments. Organizations should prioritize patching and reviewing their AppArmor configurations to mitigate potential risks associated with these vulnerabilities.
U.S. and European law enforcement, in collaboration with private partners, have successfully disrupted the SocksEscort proxy network, which was powered by malware called AVRecon targeting Linux devices. This network primarily compromised edge devices, turning them into proxies for cybercriminal activities. The operation is significant as it demonstrates international cooperation in combating cybercrime and highlights the ongoing threat posed by malware that targets Linux systems. The disruption of SocksEscort is expected to hinder the operations of those using the network for illegal purposes, ultimately making it harder for them to execute attacks or conduct illicit activities online. This incident serves as a reminder for organizations to bolster their defenses against malware that can exploit even lesser-known platforms like Linux.
A Chinese-speaking cyber actor has reportedly been targeting critical sectors in Asia for several years using a mix of custom malware, open-source tools, and living-off-the-land (LOTL) binaries. This activity appears to be focused on espionage, affecting both Windows and Linux systems. The attackers' tactics, which combine tailored malware with readily available tools, suggest a sophisticated approach aimed at infiltrating sensitive networks. The long-term nature of this threat raises concerns for organizations in the region, as prolonged access could lead to significant data breaches and intelligence gathering. Companies in critical infrastructure sectors need to be vigilant and enhance their cybersecurity measures to defend against these persistent threats.
The latest Security Affairs Malware newsletter covers several significant malware threats that have emerged recently. Notably, a group identified as Stan Ghouls is targeting users in Russia and Uzbekistan using the NetSupport Remote Access Trojan (RAT), which allows attackers to control infected systems remotely. Another concerning development is the discovery of ZeroDayRAT, a new spyware designed to infiltrate both Android and iOS devices. Additionally, researchers have uncovered a Linux botnet named SSHStalker, which utilizes old-school IRC methods to compromise new victims. These activities demonstrate the evolving tactics of cybercriminals and emphasize the need for users and organizations to remain vigilant against these persistent threats.
The Hacker News
Researchers have identified a new botnet named SSHStalker that uses the Internet Relay Chat (IRC) protocol for its command-and-control operations. This botnet targets Linux systems, employing older kernel exploits to gain access. It features tools for hiding its activities, including log tampering and rootkit-like components. The existence of SSHStalker is concerning as it demonstrates that attackers are still leveraging outdated vulnerabilities to compromise systems. Organizations running Linux servers should assess their security measures and patch any known vulnerabilities to mitigate potential risks from this botnet.
Security Affairs
A new botnet named SSHStalker has emerged, targeting Linux servers and infecting around 7,000 systems. This botnet exploits vulnerabilities from older 2009-era software, utilizing IRC bots and mass-scanning techniques to gain access. Researchers from Flare discovered SSHStalker while monitoring SSH honeypots over a two-month period, specifically using weak credentials to attract attackers. The presence of this botnet underscores the ongoing risk posed by outdated security measures, especially for systems that have not been updated in years. Users and administrators of Linux servers need to be vigilant and ensure their systems are secure against such legacy exploits.
A new botnet called SSHStalker has compromised approximately 7,000 Linux systems, primarily those hosted in the cloud. This botnet uses Internet Relay Chat (IRC) for control and automates attacks via Secure Shell (SSH) to gain access to these systems. The attackers are exploiting weak SSH credentials, making it crucial for system administrators to strengthen their password policies and implement key-based authentication. This incident highlights the ongoing vulnerability of Linux servers to automated attacks and the importance of maintaining strong security practices. Users need to be vigilant and consider regular audits of their SSH configurations to prevent unauthorized access.
A new Linux botnet named 'SSHStalker' has reportedly infected around 7,000 systems. This botnet employs a mass-compromise strategy, utilizing various scanners and malware to gain control over vulnerable devices. The attackers are likely taking advantage of outdated security practices, which makes this incident a reminder for system administrators to enhance their security measures. The widespread nature of this botnet indicates that many users might be at risk, especially if their systems are not properly secured. Addressing these vulnerabilities is crucial to prevent further infections and potential data breaches.
VoidLink is a newly identified Linux-based command-and-control (C2) framework that is designed to facilitate credential theft and data exfiltration across multiple cloud platforms. This malware allows attackers to gain unauthorized access to sensitive information, posing a significant risk to organizations that rely on cloud services. As it targets systems in a multi-cloud environment, companies using cloud storage and applications are particularly vulnerable. The presence of AI code within VoidLink suggests that it may employ advanced techniques to evade detection and enhance its operational capabilities. This development is concerning for cybersecurity professionals, as it indicates a growing sophistication in the tools used by cybercriminals.
Researchers at Cisco Talos have identified a toolkit called DKnife that has been in use since 2019 to hijack router traffic for cyber-espionage purposes. This Linux-based toolkit allows attackers to inspect and alter data as it travels through routers and edge devices. It can also install malware on various devices, including PCs and smartphones. The implications of this toolkit are significant, as it poses a threat to the confidentiality and integrity of sensitive data transmitted over networks. Users and organizations relying on affected routers should be particularly vigilant about their network security practices to mitigate potential risks.