The FBI and the NSA today published a joint security advisory containing details of a new strain of Linux malware. Both agencies state that it was developed and used in real-world attacks by Russian military hackers.
Both agencies report that the Russian operators used the Drovorub malware to maintain backdoor access to compromised networks.
Based on data collected by the two agencies, FBI and NSA officials attribute the malware to APT28 (also tracked as Fancy Bear and Sednit), the code name given to hackers operating in military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU), the 85th Main Special Service Center (GTsSS).
Through the joint advisory, the two agencies hope to raise awareness in the US private and public sectors so that system administrators can quickly patch their systems, or add detection rules and preventive measures.
According to the two agencies, Drovorub is a multi-component system that consists of an implant (client), a kernel-module rootkit, a file-transfer tool, a port-forwarding module, and of course a command-and-control (C2) server.
The technical details released today by the NSA and FBI about APT28's Drovorub toolkit are valuable to cyber investigators.
To prevent infection, the agencies recommend that organizations update any Linux system to Kernel version 3.7 or later, "to take full advantage of kernel signing enforcement", a security mode that would stop APT28 operators from loading the Drovorub rootkit kernel module. The advisory pairs this with enabling UEFI Secure Boot, since signature enforcement alone does not help if an attacker with root can simply boot a kernel that has it switched off; it also only blocks the kernel module, the user-space Drovorub client can still run.
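The following is an added example, not a script from the NSA/FBI advisory, that checks the three preconditions the mitigation above depends on: a kernel at or above 3.7, module signature enforcement switched on, and UEFI Secure Boot enabled. The sysfs and efivars paths are the standard Linux locations and are assumed here; each check accepts an alternative file so it can be exercised against constructed input.

```sh
#!/bin/sh
# Added example (not from the advisory). Checks whether this host meets the
# preconditions of the recommended Drovorub mitigation. Paths are assumptions
# about a standard Linux sysfs/efivarfs layout.

# kver_ge HAVE WANT -> exit 0 if kernel release HAVE (e.g. 5.4.0-generic)
# is at least WANT (e.g. 3.7), comparing major and minor numbers only
kver_ge() {
    have=${1%%-*}; want=$2
    have_major=${have%%.*}; rest=${have#*.}; have_minor=${rest%%.*}
    want_major=${want%%.*}; rest=${want#*.}; want_minor=${rest%%.*}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# sig_enforce_state [FILE] -> prints enforced / not-enforced / unsupported.
# The kernel exposes the module.sig_enforce parameter as Y or N; the file is
# absent when the kernel was built without CONFIG_MODULE_SIG.
sig_enforce_state() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    if [ ! -r "$f" ]; then echo unsupported; return 0; fi
    case "$(cat "$f")" in
        Y) echo enforced ;;
        *) echo not-enforced ;;
    esac
}

# secure_boot_state [FILE] -> prints enabled / disabled / unknown.
# efivarfs files start with 4 bytes of variable attributes; the 5th byte is
# the SecureBoot value (1 = on).
secure_boot_state() {
    f=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    if [ ! -r "$f" ]; then echo unknown; return 0; fi
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Report on the running host (these lines read the real system files)
if kver_ge "$(uname -r)" 3.7; then
    echo "kernel $(uname -r): 3.7 or later"
else
    echo "kernel $(uname -r): older than 3.7, no module signature enforcement available"
fi
echo "module signature enforcement: $(sig_enforce_state)"
echo "UEFI Secure Boot: $(secure_boot_state)"
```

Any answer other than "enforced" plus "enabled" means an attacker with root could still load an unsigned kernel module such as the Drovorub rootkit, and detection (below) rather than prevention has to carry the load.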
The joint security alert [PDF] contains guidance for memory analysis with Volatility, a test for the rootkit's file-hiding behaviour, Snort rules, and Yara rules. All of the above are useful for building detection measures.
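As an added example, and not the advisory's own test script, the probe below shows the principle behind a file-hiding check. A kernel-module rootkit hides files by filtering the entries returned by getdents()/readdir(), which is what ls and find use; the file still exists and can be opened by its exact path. The probe creates a file with a caller-supplied name, confirms it is reachable by path, and then checks whether the directory listing shows it. Which names to try is the operator's choice (the advisory documents the names its rootkit hides; none are reproduced here), so the candidate names in the example are assumptions.

```sh
#!/bin/sh
# Added example (not the advisory's script). Detects readdir()-level file
# hiding by comparing by-path access with the directory listing.

# probe_hidden DIR NAME -> prints visible / hidden / error; exit 1 on error
probe_hidden() {
    dir=$1; name=$2; path="$dir/$name"
    if ! : > "$path" 2>/dev/null; then echo error; return 1; fi
    # By-path access goes through lookup, not readdir(), so a hooked
    # readdir() does not affect it. If even this fails, something else is wrong.
    if [ ! -f "$path" ]; then echo error; rm -f "$path"; return 1; fi
    if ls -a "$dir" | grep -qxF -- "$name"; then
        result=visible
    else
        result=hidden
    fi
    rm -f "$path"
    echo "$result"
}

# run_probes DIR NAME... -> one line per name; exit 1 if any name was hidden
run_probes() {
    dir=$1; shift; rc=0
    for n in "$@"; do
        r=$(probe_hidden "$dir" "$n")
        echo "$n: $r"
        if [ "$r" = hidden ]; then rc=1; fi
    done
    return $rc
}

# Candidate names are assumptions for illustration: a plain control name that
# must always be visible, and names a hiding module might match on.
if run_probes "${TMPDIR:-/tmp}" probe_control.txt .probe_hidden probe_test.bin; then
    echo "no readdir() filtering observed"
else
    echo "at least one name was hidden from the directory listing: investigate the kernel"
fi
```

A "hidden" result is strong evidence of a hooked directory listing; the next step is to capture memory for the Volatility analysis the advisory describes rather than to trust tools on the live host, since lsmod and /proc can be filtered the same way.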
Some interesting details gathered from the 45-page advisory:
Drovorub is the name APT28 itself uses for the malware, not one assigned by the NSA or the FBI.
It comes from drovo [дрово], which translates to "firewood" or "wood", and rub [руб], which translates to "to fell" or "to chop".
The FBI and NSA say they were able to link Drovorub to APT28 because the Russian hackers reused infrastructure from earlier operations.
For example, both agencies state that Drovorub connected to a C&C server previously used in APT28 operations targeting IoT devices in the spring of 2019. That IP address had been documented by Microsoft.
… Targeted IoT devices….
Imagine coming home to find the washing machine running on its own, without you having pressed the button.
Or the refrigerator showing you an order for 6 eggs, when you already have 20…
Wow, what a future we have to look forward to.