this post was submitted on 04 Oct 2024
181 points (87.6% liked)

Technology

58685 readers
3998 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
181
Thousands of Linux systems infected by stealthy malware since 2021 (arstechnica.com)
submitted 1 week ago by misk@sopuli.xyz to c/technology@lemmy.world
35 comments fedilink hide all child comments
top 35 comments
sorted by: hot top controversial new old
[–] CyberSeeker@discuss.tchncs.de 82 points 1 week ago (1 children)

Shouldn’t be this hard to find out the attack vector.

Buried deep, deep in their writeup:

RocketMQ servers

  • CVE-2021-4043 (Polkit)
  • CVE-2023-33246

I’m sure if you’re running other insecure, public facing web servers with bad configs, the actor could exploit that too, but they didn’t provide any evidence of this happening in the wild (no threat group TTPs for initial access), so pure FUD to try to sell their security product.

Unfortunately, Ars mostly just restated verbatim what was provided by the security vendor Aqua Nautilus.

[–] nyan@lemmy.cafe 17 points 1 week ago

There's also a buried reference to using a several-years-patched gpac bug to gain root access before this thing can do most of its stealth stuff.

Basically, it needs your system to already have a known, unpatched RCE bug before it can get a foothold, and if you've got one of those you have problems that go way beyond stealth crypto miners stealing electricity.

[–] sirico@feddit.uk 79 points 1 week ago (2 children)

Can't be infected if I keep wiping my partition for a new shiny distro

[–] db0@lemmy.dbzer0.com 46 points 1 week ago (1 children)

Your install USB is infected by a rookit and reinstalls itself on connect.

[–] NiHaDuncan@lemmy.world 33 points 1 week ago (1 children)

Jokes on you, the rootkit is likely my own and I just forgot about it.

[–] db0@lemmy.dbzer0.com 28 points 1 week ago

It's tough being an ADHD Hacker

[–] saddlebag@lemmy.world 3 points 1 week ago

This was my first thought. I haven’t had the same os installed for a few months max, nevermind 3 years

[–] Buffalox@lemmy.world 77 points 1 week ago* (last edited 1 week ago) (3 children)

This story reeks of FUD.

exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets,

Because a "common misconfiguration" will absolutely make your system vulnerable!?!
OK show just ONE!

This is FUD to either prevent people from using Linux, or simply a hoax to get attention, or maybe to make you think you need additional security software.

[–] whyNotSquirrel@sh.itjust.works 29 points 1 week ago (1 children)

Crowd strike looking for a new market?

[–] ITeeTechMonkey@lemmy.world 25 points 1 week ago

Unfortunately they are already in the market and making a mess: https://www.theregister.com/2024/07/21/crowdstrike_linux_crashes_restoration_tools/

[–] cron@feddit.org 3 points 1 week ago (1 children)

ssh with an easy to guess root password?

[–] Buffalox@lemmy.world 4 points 1 week ago* (last edited 1 week ago)

Wouldn't that simply be a user mistake?
It's kind of like saying if you remove the password completely, it's vulnerable.

[–] blibla@slrpnk.net 1 points 1 week ago (1 children)

what does FUD stand for?

[–] Agent641@lemmy.world 4 points 1 week ago

Fear, uncertainty and doubt

[–] zante@lemmy.wtf 43 points 1 week ago (2 children)

No mention of transmission methods as far as I understand the article

[–] Buffalox@lemmy.world 52 points 1 week ago (2 children)

The whole thing sounds fishy. Like it's trying to convince people Linux is inherently vulnerable.

exploiting more than 20,000 common misconfigurations

Like WTF?

[–] nyan@lemmy.cafe 2 points 1 week ago (1 children)

It's kind of an iffy assertion. That's maybe the number of files it scans looking for misconfigurations it can exploit, but I'd bet there's a lot of overlap in the potential contents of those files (either because of cascading configurations, or because they're looking for the same file in slightly different places to mitigate distro differences). So the number of possible exploits is likely far fewer.

[–] Buffalox@lemmy.world 1 points 1 week ago* (last edited 1 week ago) (1 children)

maybe the number of files it scans looking for misconfigurations

So how did it get into the system to be able to scan configuration files?

[–] nyan@lemmy.cafe 4 points 1 week ago

Separate remote code execution vulnerability in unupdated versions of RocketMQ, a Chinese-developed messaging/streaming server, in the case of the infection described in the article. It's possible that there are a few other RCE vulns it can make use of, but 20000 of them seems unlikely.

[–] Buelldozer@lemmy.today 0 points 1 week ago* (last edited 1 week ago) (1 children)

Like it’s trying to convince people Linux is inherently vulnerable.

I'm typing this reply from a machine running KDE Plasma on top of Linux Mint 22.

I'm not sure what precisely what you mean by "inherently" but I'd like to point that "Linux" has security problems all over the place; the kernel has issues, the DEs have issues, the applications have issues. It's more secure than Windows but that's not a very high bar.

[–] Buffalox@lemmy.world 1 points 1 week ago (1 children)

I've been using Linux since 2005, and I've heard all sorts of stories about Linux having "security problems", and almost every time it turns out to be a problem that can't be exploited on it's own. but requires the use of other vulnerabilities.
The only exception I can recall is the zx util compression tool, which was detected before it was rolled out.

Zero day vulnerabilities have been non existent for 20 years to my knowledge.

[–] Buelldozer@lemmy.today 1 points 1 week ago* (last edited 1 week ago)

I’ve been using Linux since 2005

Okay, so as a n00b you can be somewhat forgiven. As someone who started with Slack in 1997 I don't have that excuse.

...and almost every time it turns out to be a problem that can’t be exploited on it’s own. but requires the use of other vulnerabilities.

Since when did chaining vulnerabilities make something not a problem? Are you claiming that the CUPS vulnerability announced in late September isn't an issue simply because it takes multiple steps?

The only exception I can recall is the zx util compression tool...

I don't mean to be an ass but were you asleep December 2021 through January 2022? Log4Shell was a 10 of 10 critical vulnerability!

What about CVE-2022-47939 from December 2022?

I can keep going if needed but I think my point is made. The vulnerabilities, even true kernel level stuff, are out there.

[–] JohnnyCanuck@lemmy.ca 10 points 1 week ago

They have an "attack flow" diagram that seems to indicate a hacker installing it directly through a known vulnerability.

[–] luciddaemon@lemmy.dbzer0.com 39 points 1 week ago (1 children)

Seeing the diagram, it only attacks servers with misconfigured rocketMQ or CVE-2023-33426, which is already patched. Am I understanding this correctly?

[–] cron@feddit.org 11 points 1 week ago

It probably has a large database of exploits it can use. The article claims 20k, but this seems to high for me.

[–] ColeSloth@discuss.tchncs.de 30 points 1 week ago

Thousands!? Shit. That's like all of them!

[–] li10@feddit.uk 14 points 1 week ago (3 children)

Sounds like it should at least be noticeable if you monitor resource usage?

[–] Pantsofmagic@lemmy.world 10 points 1 week ago (1 children)

That's how some people found it, but it would disappear when someone would login to investigate.

[–] li10@feddit.uk 9 points 1 week ago

Sure, but it’s still fairly detectable when it’s on a server at least, as long as you have monitoring. Just a bitch to pinpoint and fix.

[–] cron@feddit.org 5 points 1 week ago* (last edited 1 week ago) (1 children)

Yes, but they replace common tools like top or lsof with manipulated versions. This might at least trick less experienced sysadmins.

Edit: Some found out about the vulnerability by ressource alerts. Probably very easy in a virtualized environment. The malware can't fool the hypervisor ;)

[–] li10@feddit.uk 3 points 1 week ago

Not quite the monitoring I’m talking about though.

Basically, it seems like this would be a nightmare for a home user to detect, but a company is probably gonna pick up on this quite quickly with snmp monitoring (unless it somehow does something to that).

[–] linearchaos@lemmy.world 4 points 1 week ago* (last edited 1 week ago)

Vulnerable to 20,000 misconfigurations, But thearted by 42 billion different simple checks that we all do anyway.

5 minute load greater than 80% of the number of cores? That's an alarm.....

[–] sunbeam60@lemmy.one 5 points 1 week ago* (last edited 1 week ago) (1 children)

Luckily I sit right next to my home server and can hear when the fans kick in under load. The absence of noise tells me I don’t have this problem :)

[–] misk@sopuli.xyz 1 points 1 week ago

Mine is ultra low voltage and I barely maintain it so this article gave me a bit of a scare. I’ll probably wipe it by the next reinstall anyway since it’s been nearly 10 years of Ubuntu LTS upgrades and it’s a mess (both what I’ve done to it and what Ubuntu has done to itself).

[–] JoShmoe@ani.social 0 points 1 week ago

Millions of systems shut down by dumb microsoft os.