Alarming Unix attack is on the rise

[cryptomaniac_xxx]

It's so alarming now that even Unix systems is being exploited today by hackers.

1. FritzFrog malware attacks Linux servers over SSH to mine Monero.
2. Lucifer cryptomining DDoS malware now targets Linux systems.
3. Lemon_Duck cryptominer malware now targets Linux devices.
4. Stantinko's Linux malware now poses as an Apache web server.
5. FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities.

But what's more scary is the bulletin from NSA/FBI couple of days ago. It's a very technical paper about a so called DROVORUB malware.

1. Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware.

So the game is changing now, it's no longer 99% of malwares or trojans, or crypto jacking is Window Base OS, hackers are slowly exploiting vulnerabilities on Unix systems as well. I'm sure most members here have been advising to stay away from Windows and move to Linux or at least Unix flavors OS.

But it turns out that we are not really longer safe even with whatever OS we used. We can just minimized the risk here so we need to be extremely cautious now as we are not far behind to see that one day we will see malware stealing crypto will be propagated to Unix systems.

[ABCbits]

Isn't it attack that only affect very old OS which uses Linux Kernel 3.6 or lower? I doubt any users who use linux as personal computer (rather than server that hardly can be upgraded without break things) still use very outdated kernel.

[Charles-Tim]

I believe from the above diagram, you can easily get how the attack could be possible.

https://www.tripwire.com/state-of-security/featured/drovorub-malware/
The agencies say that the Linux strain malware has been developed and deployed in real-world attacks by Russian military hackers. The FBI says, “The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, whose activity is sometimes identified by the private sector as Fancy Bear, Strontium, or APT 28, is deploying malware called Drovorub, designed for Linux systems as part of its cyber espionage/spying operations.”

Preventative mitigations
Apply Linux Updates
It’s going to sound like a broken record, but sysadmin’s should continually check for and run the latest version of vendor-supplied software. Keeping updated software enables the user to take advantage of software advancements and the latest security detection and mitigation safeguards. Most importantly sysadmin’s should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement.

Prevent untrusted kernel modules
System administrators are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system.

You can also use the link to know how to detect the malware, but following the above preventive measure by software update is necessary.
https://www.tripwire.com/state-of-security/featured/drovorub-malware/

[bitsurfer2014]

It's so alarming now that even Unix systems is being exploited today by hackers.

1. FritzFrog malware attacks Linux servers over SSH to mine Monero.

Apparently, the educational site ixl.com that my son is using amid this covid-19 pandemic were inaccessible for more than 2 days since the 20th because of this botnet's attack on its servers and the review center posted the link for the article below for further information.

I became a little worried by this kind of attack since its very concerning that you could only see the login page but your account will not be accessible even if you've entered your credentials which led me to think that my sons credentials might have been compromised that could result to huge loss of time and effort answering those test questions on the site.


new-p2p-botnet-infects-ssh-servers-all-over-the-world/?

[cryptomaniac_xxx]

I will add one on the list: Lemon_Duck cryptominer malware now targets Linux devices.

What it separate this cryptominer from others is that it will seek another cryptominers in the infected host and if it found one, will kill it so that it will have all the resources for himself. So it will keep on evolving and it is one of the more sophisticated and advance crypto miners design so far.

Other cryptominers are also being hunted down and killed by Lemon_Duck on compromised Linux boxes to make sure that the entire pool of resources is being used to mine cryptocurrency for its masters.

[cryptomaniac_xxx]

Latest one in the wild:

Stantinko's Linux malware now poses as an Apache web server.

Each of these Linux systems would be used to launch brute-force attacks against content management systems (CMSs) and various web-based systems, such as databases. Once it compromised these systems, the Stantinko gang would elevate its access to the underlying server OS (Linux or Windows) and then deployed a copy of itself and a crypto-miner to generate even more profits for the malware authors.

So this malware was released with a new version, a compact one that it is hard to detect in the beginning because the cyber actors really trim down the code to make detection more difficult for AV community. And it took them years to identify the latest variant.

[Apostlekin$$$]

Unfortunately it's very hard to get rid of DDOS malware from PC or Linux because even antivirus software or security softwares detects miners as a trojan or unsafe softwares, to mine successful on PC today you need to deactivate your antivirus software or completely uninstall them, not even Linux is safe

[akirasendo17]

I think why a system will be hack is with the negligence of the user or the administrator of the site, Linux system is hard to crack with the firewall built in it, plus the network firewall, to able to access the system via ssh means that someone inside access the server outside and signs the certificate on the maybe infected machine, as administrator those things should be known and it's a big no to do that, malware doesn't usually run on Linux, it would probably running on a windows machine and then from thier, maybe the hacker scan the network, at the end of the day, users should not access any site they are not sure what is it, it may not run on Linux but it can run on windows if you are familiar with the movie who send a fake site to an employee to order a burger, after the user, take the order the hacker already gain access of the network and access the servers.

[NotATether]

The FBI says, “The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, whose activity is sometimes identified by the private sector as Fancy Bear, Strontium, or APT 28, is deploying malware called Drovorub, designed for Linux systems as part of its cyber espionage/spying operations.”

So government agencies are still freely attacking the world's systems? We are f*cked...

Why are they allowed to do this? Don't they know that their actions directly contribute to damaging companies' infrastructure when (not if!) black-hat hackers gain control of them, and make security companies' jobs harder?

It is like the time NSA forced everyone to deploy 512-bit RSA certificates for HTTPS on the whole internet, and suddenly 10 years later, 10% of all HTTPS sites can be spied on by practically everyone. Or the time when GRU infected a ton of routers worldwide a year or two ago (Fancy Bear).

[Charles-Tim]

Linux system is hard to crack with the firewall built in it, plus the network firewall...

Linux is known to be the best privacy OS, but users negligence can still make malware penetrate it. People are very ignorant and not concerned about privacy, this has made other OS that deprived people of privacy to be their main target for usage, that is why experts that knows the benefit of Linux are the ones using Linux. But, there are malware that can be built to target Linux but this will also be the fault of the users that mistakenly download and install the malware, but because only few people uses Linux and hackers know it is the preference for expects that prefer privacy, that makes Linux malware to be reduced unlike other OS. Malware are specifically built for certain operative system.

[cryptomaniac_xxx]

Added another: FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities.

An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage (NAS) devices running on Linux systems to co-opt the machines into an IRC botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.

So the usual Monero mining attack by the threat actors, however these vulnerability attack are very alarming now as the attack is on the rise.

[NotATether]

An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage (NAS) devices running on Linux systems to co-opt the machines into an IRC botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.

So the usual Monero mining attack by the threat actors, however these vulnerability attack are very alarming now as the attack is on the rise.

And it's a complete waste of time on the part of the hacker. The CPUs inside NAS's are usually slow Celeron processors that are barely half as fast as the one in your computer.

Mining monero on a Celeron is a waste of time, and because this malware relies on obscure software being installed that 99% of users don't have, it only targets NAS's made by a certain vendor, so he (they?) gets, what, maximum a hundred or so pwned NAS's which will generate him about $10 a day. Woohoo?  

[cryptomaniac_xxx]

An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage (NAS) devices running on Linux systems to co-opt the machines into an IRC botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.

So the usual Monero mining attack by the threat actors, however these vulnerability attack are very alarming now as the attack is on the rise.

And it's a complete waste of time on the part of the hacker. The CPUs inside NAS's are usually slow Celeron processors that are barely half as fast as the one in your computer.

Mining monero on a Celeron is a waste of time, and because this malware relies on obscure software being installed that 99% of users don't have, it only targets NAS's made by a certain vendor, so he (they?) gets, what, maximum a hundred or so pwned NAS's which will generate him about $10 a day. Woohoo?  

That's why they are called criminals, - thief. They will take advantage of any situation that they can get their hands on. Doesn't matter if it's $100 a day or $10, as long as they are making easy money for them/they. And maybe some of them are doing this since 2017, so for sure by this time ROI is already good for them.