FBI - NSA joint warning for new malware

The FBI and NSA released a joint warning today containing details of a new strain of Linux malware. Both services report that it was developed and used in real by Russian military hackers.

Οι δύο εταιρείες αναφέρουν ότι οι Ρώσοι hackers χρησιμοποίησαν το κακόβουλο λογισμικό Drovorub, από backdoors μέσα σε παραβιασμένα .

Με βάση τα στοιχεία που έχουν συλλέξει οι δύο υπηρεσίες, αξιωματούχοι του FBI και της NSA ισχυρίζονται ότι το κακόβουλο λογισμικό είναι έργο της APT28 (Fancy Bear, Sednit), ένα κωδικό which was given to hackers operating in military unit 26165 of the Central Intelligence Directorate of the General Staff of Russia (GRU from the General Staff Main Intelligence Directorate) in the 85th Main SpecialService Center (GTsSS).

Through their joint warning, the two agencies hope to raise awareness among the private and public sectors , so that system administrators can quickly patch their systems, or add detection rules and prevention measures.

According to the two services, Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and of course a command-and-control (C2) server.

The technical details released today by the NSA and FBI about APT28's Drovorub toolkit are valuable to cyber investigators.

To prevent attacks, services recommend that organizations update any Linux system to a version running Kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement, a security feature that would prevent APT28 intruders. to Install the Drovorub Rootkit |

The joint security alert [PDF] contains instructions for variability, file hide behavior detection, Snort rules, and Yara rules. Of course all of the above are useful for developing appropriate detection measures.

Some interesting details we gathered from the 45 page security warning:

The Drovorub name is the name used by APT28 for malware, not the NSA or FBI.
It comes from drovo [როво], which translates to "firewood", or "wood", and [руб], which translates to "to fall" or "to cut".
The FBI and NSA say they have been able to link Drovorub to APT28 after Russian hackers re-used servers they had used before.
For example, both services claim that Drovorub was connected to a C&C server that had previously been used for APT28 operations targeting IoT devices in the spring of 2019. The IP address was documented by Microsoft.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

One Comment

Leave a Reply
  1. … Targeted the IOT….

    Instead, go into the house and see the washing machine washing on its own, without you having pressed the button.
    Instead of the refrigerator showing you an order to buy 6 eggs, while you have but 20…

    Wow what do we have to live in the near future.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).