Tag Archives: Linux

HiddenWasp malware targets Linux systems – Don’t Panic!

23 June 2019

Ignacio Sanmillan’s excellent post(1) on the HiddenWasp malware could have been truly frightening: HiddenWasp targets Linux systems, the technology used is really impressive, and the detection rate on VirusTotal was zero as of 29 May 2019.

Unfortunately, the infected systems were already under the attacker’s control. Even if anti-malware solutions for Linux had better detection capabilities, it would hardly have mattered. Nor is there any need to implement sophisticated anti-malware evasion technologies: in the easiest case, the attacker only has to define an anti-malware exception for the files to be downloaded.

Pattern-based anti-malware solutions are reactive protective means. The anti-malware solution provider must first analyze the new malware and create a detection pattern. Thus, it is unsurprising that the detection rate on VirusTotal was, and still is, low.

The big questions remain open:

  • How was the RAT (Remote Access Trojan), the precondition for the infection with HiddenWasp, initially installed?
  • How did the attackers get root privileges?

Very often, it is a lack of cyber hygiene that results in the takeover of a system. Implementing cyber security best practice will raise the bar, and extending it with a restrictive SELinux configuration will reduce the likelihood of a compromise dramatically.

It’s free, and ready-to-use.

Have a great week.


References

  1. Sanmillan I. Intezer – HiddenWasp Malware Stings Targeted Linux Systems [Internet]. Intezer. 2019 [cited 2019 Jun 2]. Available from: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

SambaCry – Keep Calm and Carry on

28 May 2017

Actually, it was only a matter of time until Samba, the popular implementation of the Windows SMB services on Linux and Unix, was hit by a WannaCry-like malware. All versions of Samba from 3.5.0 onwards are vulnerable to CVE-2017-7494, also known as SambaCry.

The good news is that this vulnerability is complex to exploit: an attacker must upload a shared library containing the malicious code to a writable Samba share and then cause the server to load and execute it. Patches are available for the major Linux distributions.

How large is the problem? Shodan finds 471,578 systems which are exposed to the Internet.

[Figure: SambaCry Shodan Map]

90% of the systems are operated in 3 countries, the United Arab Emirates, Argentina, and Italy, by the major telecommunication providers in these countries. Since an older version of Samba is used on these internet routers, they are not vulnerable to SambaCry.

Most of the work has to be done in the United States and Germany. Although only 2% of the affected systems are operated there, many organizations are affected.

Don’t panic! Even though many systems are affected by SambaCry, this does not mean that they are vulnerable to the exploit. Remember, the malicious code has to be uploaded to a writable Samba share on the server first. Under normal conditions, Linux admins don’t open Samba shares writable to everyone on servers exposed to the internet.

Thus, the best approach to reducing the risk is to check the Linux systems at the network perimeter for publicly available Samba shares and to close any writable ones. As always, it is good to have an up-to-date system inventory in place; this will reduce the amount of work dramatically.
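As an added example (not code from the original post), the following Python script screens a Samba configuration for the precondition the post describes: shares that are writable and reachable by guests without credentials. It parses a constructed sample smb.conf embedded in the script (share names and paths are invented), applies Samba's option synonyms and defaults, and also reports whether the workaround from the Samba security advisory for CVE-2017-7494, `nt pipe support = no` in `[global]`, is present. Run it against `/etc/samba/smb.conf` on a perimeter host to get a first list of shares to review.

```python
import configparser

# Constructed sample smb.conf for the demonstration (not taken from any real host).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   map to guest = Bad User

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[dropbox]
   path = /srv/samba/dropbox
   public = yes
   writeable = yes

[docs]
   path = /srv/samba/docs
   guest ok = yes
   read only = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
"""

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}
# Samba synonyms: the write-side options invert "read only"; "public" aliases "guest ok".
_WRITE_KEYS = ("writable", "writeable", "write ok")
_GUEST_KEYS = ("guest ok", "public")


def parse_smb_conf(text):
    """Return {section: {option: value}} with lowercase section and option names.

    Leading whitespace is stripped from every line first, because configparser
    would otherwise treat indented "key = value" lines as value continuations.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(flat)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def _writable_in(scope):
    """True/False if this scope decides writability, else None (later keys win, as in Samba)."""
    result = None
    for key, value in scope.items():
        flag = value.strip().lower() in _TRUE
        if key == "read only":
            result = not flag
        elif key in _WRITE_KEYS:
            result = flag
    return result


def _guest_in(scope):
    """True/False if this scope decides guest access, else None."""
    result = None
    for key, value in scope.items():
        if key in _GUEST_KEYS:
            result = value.strip().lower() in _TRUE
    return result


def _effective(share, global_opts, decide, default):
    """Share-level setting first, then [global], then Samba's built-in default."""
    for scope in (share, global_opts):
        decided = decide(scope)
        if decided is not None:
            return decided
    return default


def audit_shares(text):
    """Classify every share section: {name: {"path", "writable", "guest"}}."""
    conf = parse_smb_conf(text)
    global_opts = conf.get("global", {})
    report = {}
    for name, opts in conf.items():
        if name == "global":
            continue
        report[name] = {
            "path": opts.get("path"),
            "writable": _effective(opts, global_opts, _writable_in, False),  # default: read only = yes
            "guest": _effective(opts, global_opts, _guest_in, False),        # default: guest ok = no
        }
    return report


def anonymous_writable_shares(text):
    """Shares an unauthenticated client could write to: the precondition for SambaCry."""
    return sorted(n for n, r in audit_shares(text).items() if r["writable"] and r["guest"])


def nt_pipe_support_disabled(text):
    """True if [global] carries the advisory workaround "nt pipe support = no" (Samba default: yes)."""
    global_opts = parse_smb_conf(text).get("global", {})
    return global_opts.get("nt pipe support", "yes").strip().lower() in _FALSE


if __name__ == "__main__":
    for name, r in audit_shares(SAMPLE_SMB_CONF).items():
        print(f"{name:10} path={r['path']} writable={r['writable']} guest={r['guest']}")
    print("anonymous-writable shares:", anonymous_writable_shares(SAMPLE_SMB_CONF))
    print("nt pipe support disabled:", nt_pipe_support_disabled(SAMPLE_SMB_CONF))
```

Note that authenticated writable shares (such as `[homes]` in the sample) are not flagged by `anonymous_writable_shares` but still appear in `audit_shares`; any account that can write to them satisfies the same precondition, so the full report is the one to review on an Internet-facing server.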

Take care! And don’t forget to check the network perimeter to your production networks.

LIFARS: Hackers Disable ‘Smart’ Rifle and Change Its Target, Remotely

4 August 2015

When I read the LIFARS post ‘Hackers Disable ‘Smart’ Rifle and Change Its Target, Remotely’, I felt really appalled. Not so much because the rifle’s built-in Linux server was compromised, but rather because the software developers really ignored all requirements about security and safety. Just one example from the post:

Every rifle contains a built-in network password that’s default and cannot be changed.

I do not know what planet these developers are living on, but it’s definitely not the earth.

From my point of view, the software must force the marksman to change the password before he fires the first shot. In addition, two-factor authentication is mandatory in safety-relevant cases, on a transaction basis, and with the second factor always entered directly on the rifle. Preferably through a custom grip, like the Walther PPK which Q gave to 007 in Skyfall.

Imagine security and safety standards being this bad in the billions of devices making up the Internet of Things universe. With this, Doomsday is no longer just a religious concept …

Sleep well!