A joint security advisory from the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) is not common. Nor, for that matter, are Linux security warnings. When a joint warning concerns a previously undisclosed Linux security risk, you can assume the problem is a serious one.
Especially when the hackers of Russian military intelligence, APT28 in this case, are involved. And things don't get much more serious than a risk to national security.
I'm pretty used to writing about FBI warnings on Windows security issues, and the NSA has disclosed critical Windows vulnerabilities before. What I'm less used to is a cyber-security double act from law enforcement and the intelligence services, and this publication is all the more unexpected because it concerns a threat to Linux security.
Less surprising is that Russian military intelligence hackers get top billing. Teams operating under the Russian General Staff Main Intelligence Directorate (GRU) have featured in past NSA warnings.
The joint cybersecurity advisory in question, issued on August 13, takes a deeply technical dive into a Linux cyber-espionage toolset that the agencies have dubbed "Drovorub."
Roughly translated from Russian as "woodcutter," Drovorub, according to the FBI and NSA, was developed by Russian military hackers and has already been deployed in real-world attacks. Interestingly, it has also been reported that "drovo" is Russian slang for "drivers," and when you add "rub," meaning to cut or chop, you end up with the more literal translation "driver killer."
More literal because Drovorub is described as "a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server." A real driver killer if ever there was one.
In other words, a fully featured infiltration and espionage kit that lets threat actors open a backdoor into compromised networks very stealthily. And that threat actor, according to the FBI and NSA, is APT28.
The Advanced Persistent Threat (APT) group known as APT28 is also known as Fancy Bear. To be more precise, the hacking collective called APT28 is linked to Military Unit 26165 of the GRU's 85th Main Special Service Center (GTsSS), and the malware was developed for their use.
APT28 is the same organization that the Microsoft Security Response Center named, in August 2019, as responsible for a campaign targeting popular Internet of Things (IoT) devices. In an election year, it should also be remembered that APT28 was involved in the hacking of the Democratic National Committee in 2016.
They’re not your “normal” hackers.
"I'm surprised everyone's favorite Fancy Bear (APT28) is lurking in Linux country," says Ian Thornton-Trump, CISO at Cyjax, a threat intelligence specialist. "Tactically, it makes sense to hack desktop computers, move to Linux servers and hide in that infrastructure to stay persistent."
Thornton-Trump told me that the Linux skills of his average red team (red teaming being a penetration testing approach that mimics the operations of genuine adversaries) have driven offensive cyber capabilities toward IoT, as most of those devices run a version, usually a very old version, of Linux.
"APT groups, especially Russian and Chinese ones, will be motivated by the specific needs of the mission, and if the target's data or functions are in a Linux environment, that will not impede the mission's objectives," Thornton-Trump says. Linux systems, he told me, "need protecting as much as Windows systems, perhaps even more, based on the juicy data or functions they provide in the target's open source environment."
In a fact sheet provided to me by the NSA, the two agencies say they "have no explanation as to why other threat actors are not currently using this malware. However, now that it has been exposed, other adversaries will seek to use the tools and techniques." "We hope that all stakeholders will take steps to protect themselves against this," the document concludes.
The FBI and NSA did not offer mitigation advice aimed at preventing the initial deployment of the attack; that should already be on the radar of every Linux security team. Instead, they presented recommendations to deny Drovorub persistence and to counter the stealthy nature of the threat.
The first mitigation tip is to apply the latest Linux updates and run Linux kernel 3.7 or later in order to take advantage of kernel module signature enforcement.
The second is to configure all systems to load only kernel modules that carry a valid digital signature, which makes it harder to introduce a malicious kernel module such as Drovorub's rootkit.
Although enabling UEFI Secure Boot is also cited as a mitigation, it should be noted that the BootHole attack I recently reported on will need to be taken into account and mitigated as far as possible.
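The three mitigations above are things a practitioner can audit on a host in a few lines. The script below is an added example, written for this page and not taken from the NSA/FBI advisory or from any vendor tool. The paths under /sys, /proc and /boot are the kernel's standard interfaces (the SecureBoot EFI variable GUID is the one defined by the UEFI specification); the function names, the output format and the constructed sample files in demo() are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a Linux host against the
# Drovorub mitigations: kernel >= 3.7, module signature enforcement on,
# UEFI Secure Boot enabled. Usage: sh drovorub_check.sh audit | demo

# kernel_at_least MIN VERSION: succeed if VERSION (e.g. "5.4.0-42-generic")
# is at least MIN (e.g. "3.7"), comparing major.minor only.
kernel_at_least() {
    min_major=${1%%.*}
    min_minor=${1#*.}; min_minor=${min_minor%%.*}
    ver=${2%%-*}                          # drop a "-42-generic" style suffix
    major=${ver%%.*}
    rest=${ver#*.}; minor=${rest%%.*}
    [ "$major" -gt "$min_major" ] ||
        { [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ]; }
}

# sig_enforce_status FILE: succeed if the kernel refuses unsigned modules.
# On a live host FILE is /sys/module/module/parameters/sig_enforce; it reads
# "Y" when the kernel was built with CONFIG_MODULE_SIG_FORCE=y or booted
# with module.sig_enforce=1. A missing file means the kernel was built
# without CONFIG_MODULE_SIG, so unsigned modules load freely.
sig_enforce_status() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# secure_boot_status FILE: succeed if the UEFI SecureBoot variable is 1.
# On a live host FILE is
# /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
# efivarfs prefixes variable data with 4 attribute bytes, so the flag is
# the fifth byte of the file.
secure_boot_status() {
    [ -r "$1" ] && [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = "1" ]
}

# audit_host: run the checks against the real kernel interfaces, print one
# line per mitigation, return non-zero if any mitigation is missing.
audit_host() {
    rc=0
    k=$(uname -r)
    if kernel_at_least 3.7 "$k"; then
        echo "OK   kernel $k >= 3.7 (module signature enforcement available)"
    else
        echo "FAIL kernel $k < 3.7: update the kernel"; rc=1
    fi
    if sig_enforce_status /sys/module/module/parameters/sig_enforce; then
        echo "OK   unsigned kernel modules are rejected"
    else
        echo "FAIL unsigned modules load: build with CONFIG_MODULE_SIG_FORCE=y or boot with module.sig_enforce=1"
        rc=1
    fi
    if secure_boot_status /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c; then
        echo "OK   UEFI Secure Boot enabled"
    else
        echo "FAIL UEFI Secure Boot off or not a UEFI boot: enable it (and patch the bootloader for BootHole)"
        rc=1
    fi
    return $rc
}

# demo: exercise the checks on constructed sample files (these are NOT real
# host data) so the logic can be verified offline on any machine.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Y\n' > "$d/sig_on"; printf 'N\n' > "$d/sig_off"
    # constructed efivar images: 4 attribute bytes then the one data byte
    printf '\006\000\000\000\001' > "$d/sb_on"
    printf '\006\000\000\000\000' > "$d/sb_off"
    ok=0
    kernel_at_least 3.7 5.4.0-42-generic    || ok=1
    kernel_at_least 3.7 3.7.10              || ok=1
    ! kernel_at_least 3.7 3.6.11            || ok=1
    ! kernel_at_least 3.7 2.6.32-754.el6    || ok=1
    sig_enforce_status "$d/sig_on"          || ok=1
    ! sig_enforce_status "$d/sig_off"       || ok=1
    ! sig_enforce_status "$d/does_not_exist" || ok=1
    secure_boot_status "$d/sb_on"           || ok=1
    ! secure_boot_status "$d/sb_off"        || ok=1
    rm -rf "$d"
    return $ok
}

case "${1:-}" in
    audit) audit_host ;;
    demo)  demo && echo "constructed-sample checks passed" ;;
esac
```

Run it as `sh drovorub_check.sh audit` on the host you want to check. Note that sig_enforce reading "Y" is the property that actually blocks an unsigned rootkit module; a kernel that merely supports signatures (CONFIG_MODULE_SIG=y without FORCE) will log a taint warning and load the module anyway. The Secure Boot check only confirms firmware enforcement; as the paragraph above notes, a GRUB vulnerable to BootHole undermines that guarantee regardless of what the variable says.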
I have been a technology journalist for three decades and have been editor-in-chief of PC Pro magazine since the first issue in 1994. Three times winner of the BT Security Journalist of the Year award (2006, 2008, 2010), I was also lucky enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking column in PC Pro called "Internet Threats". In 2011, I won the Enigma Award for my lifelong contribution to IT security. Email [email protected] if you have a story to reveal or research to share.