NSA and FBI warn that new Linux malware threatens national security

UnknownSouljer

https://arstechnica.com/?p=1698939

The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information, and execute malicious commands.

In a report that’s unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that has gone undetected until recently. The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency that has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage to national security.

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 US Presidential Election as described in the 2017 Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections (Office of the Director of National Intelligence, 2017),” officials from the agencies wrote.
 
The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove. Welcome to the new world order?
 
But, but, but, I thought Linux was impervious to malware?

More seriously, I'm starting to read through the NSA's document, and their recommendation is to update to kernel 3.7 or later. Seriously? Isn't Linux up to kernel version 5.x by now? This is how most malware gets spread - by running outdated software and operating systems. Almost every time I see an article about a serious malware breach in the OS, whether it be Linux or Windows, it is an exploit that has already been fixed, but users and administrators haven't updated yet.

Edit: So I've scanned through the article, and it seems like this requires a client to be installed on the computer, but it does not state how the client would get installed. Seems like it is something that would only happen with direct access (exploiting other security flaws to install software, using phishing techniques, or a bad actor with existing access). Check your download files, don't download anything you don't know, keep basic security on, and make sure you have updates to your computer system, and you'll most likely be fine.
 
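As an added illustration of the "update to 3.7 or later" point above, here is a small inventory check written for this page (it is not code from the advisory, the Ars article, or any poster). It takes `uname -r` strings collected from hosts and flags those whose kernel is older than 3.7. The host names and release strings below are constructed, modelled on the distributions and devices people mention in this thread; the only value taken from the thread is the 3.7 minimum. It also shows why the comparison must be numeric rather than lexical: compared as strings, "3.10" sorts before "3.7", which would mark a RHEL 7 style 3.10 kernel as older than it is.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum kernel version named in the advisory, as quoted in the post above.
# Whether 3.7 alone is enough for a given host is a separate question;
# this script only reports which hosts fall below that line.
MIN_KERNEL = (3, 7)

# Constructed inventory of `uname -r` outputs (hostnames are made up).
# In practice this would be filled by e.g. `ssh host uname -r` per host.
SAMPLE_INVENTORY: Dict[str, str] = {
    "db-centos6":  "2.6.32-754.35.1.el6.x86_64",
    "web-rhel7":   "3.10.0-1160.el7.x86_64",
    "nas-qnap":    "4.14.24-qnap",
    "router-edge": "3.10.20-UBNT",
    "laptop":      "5.8.0-rc7",
    "printer":     "2.6.21.7",
    "bad-entry":   "unknown",
}

# Leading "major.minor[.patch]"; everything after (vendor suffixes such as
# "-754.el6", "-qnap", "-rc7") is ignored for the comparison.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Turn a `uname -r` string into a comparable (major, minor, patch) tuple.

    Returns None when the string does not start with a version number, so the
    caller can report it instead of silently treating it as current.
    """
    m = _VER_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_below_minimum(release: str, minimum=MIN_KERNEL) -> Optional[bool]:
    """True if the kernel is older than `minimum` (major.minor), False if not,
    None if the release string could not be parsed."""
    parsed = parse_kernel_release(release)
    if parsed is None:
        return None
    # Tuple comparison is numeric per component: (3, 10) > (3, 7).
    return parsed[:2] < tuple(minimum)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {host: status} with status 'OLD', 'OK' or 'UNPARSEABLE'."""
    result = {}
    for host, release in inventory.items():
        below = is_below_minimum(release)
        if below is None:
            result[host] = "UNPARSEABLE"
        else:
            result[host] = "OLD" if below else "OK"
    return result


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:12} {host:14} {SAMPLE_INVENTORY[host]}")
```

Unparseable entries are reported rather than skipped, since a host whose kernel version cannot be determined is exactly the forgotten device the later posts describe, not one that can be assumed current.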
Don't trust that email from your "supervisor" that says "just click this link and install/run the program....heheheh". If something needed to be installed, IT should do it.
 

But, but, but, if it ain't broke, don't fix it.
 
A lot of servers out there are still running 2.x kernels... From what I have seen, I think Squeeze is still the most common Debian server in operation, which uses 2.6 I believe. RHEL 7 is friggen everywhere and it is 3.2.
 
In addition to KarsusTG's observation above, we have embedded systems.

Embedded systems often rely on older kernels. Something like your WiFi router, printer with networking capability, NAS, etc. QNAP is still on kernel 4.14, iirc. WiFi routers are usually really bad, going as far as 2.x, usually due to some binary driver blob or specific library or... laziness? Blobs are acceptable if they come from two companies: Nvidia and Intel (wifi). Anyone else, and you'll be extremely lucky to ever get updates. Qualcomm? Marvell? Broadcom? Forget about it. Dr. Upton (Raspberry Pi founder) works for Broadcom and still cannot distribute (or get) any useful documentation or useful drivers for the long discontinued GPU in the Raspberry Pis. The embedded market is littered with these landmines and it's easy to see why Linus Torvalds seems to hate binary blobs.
 
It's simple. If you can't get security updates for your old devices that run your network, and you care anything about security, you get new devices. And don't buy hardware that will lock you into versions of software. Simple things that get ignored all in the sake of "budget" until that Russian hack takes your state secrets or all your corporate information and you completely crash and burn.
 
Yeah there are an absolute crap ton of IoT devices running all sorts of 2.x kernel versions. You might need to install a client but that doesn’t mean physical access, that just means one improperly secured printer, vending machine, Wifi AP, HVAC monitoring relay, ... It's a very long list of “smart” devices that have been installed over the last decade and may be just running in a ceiling tile or janitorial closet, happy and forgotten until it’s a problem. Proper networking security and firewall rules are the best way to secure these systems, but they are also the easiest to have overly permissive rules on that can be exploited to access those devices.
 
All these devices on 2.x, are they old devices that just haven't been updated in forever or are they newer devices still using old kernel versions? If they are newer devices, why are they using such old software?
 
Infinitely easier said than done. Even well recommended and expensive "prosumer" grade gear like Ubiquiti's EdgeRouters are still running 3.1.x. Short of spinning your own router, modem, switch, wireless AP, printer, TV, game console, etc, you're likely to end up with kernel versions (or BSD versions) from a time long past.
 
CentOS 6 is 2.6 kernel

Some think the RHEL 7 and later setup with systemctl is utter crap

And speaking of utter crap... yum being changed to dnf in 8.x
yet yum still works, it just calls dnf
 