FBI - NSA joint warning for new malware

The FBI and NSA released a joint security warning today detailing a new Linux malware strain. Both services say it was developed and used in actual attacks by Russian military hackers.

Both companies report that Russian hackers used the malicious Drovorub software from backdoors in compromised networks.

Με βάση τα στοιχεία που έχουν συλλέξει οι δύο υπηρεσίες, αξιωματούχοι του FBI και της NSA ισχυρίζονται ότι το κακόβουλο λογισμικό είναι έργο της APT28 (Fancy Bear, Sednit), ένα κωδικό όνομα που δόθηκε στους hackers που λειτουργούν στην στρατιωτική μονάδα 26165 της Διεύθυνσης Κεντρικής Πληροφορίας του Γενικού Επιτελείου της Ρωσίας (GRU από το General Staff Main Intelligence Directorate) στο 85ο Main SpecialService Center (GTsSS).

Through their joint warning, the two agencies hope to raise awareness among the private and public sectors USA, so that system administrators can quickly patch their systems, or add detection rules and prevention measures.

According to both services, Drovorub is one system multi-component that comes with an implant, one kernel module rootkit, ένα file transfer tool, ένα port-forwarding module, και φυσικά ένα command-and-control (C2) server.

Οι τεχνικές λεπτομέρειες που δημοσιεύθηκαν σήμερα από την NSA και το FBI για το σετ εργαλείων Drovorub της APT28 είναι πολύτιμες για τους researchers of cyberspace.

To prevent attacks, services recommend that organizations update any Linux system to a version running Kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement, a security feature that would prevent APT28 intruders. to Install the Drovorub Rootkit |

The joint security alert [PDF] contains instructions for mutability, detection of hiding behavior files, Snort rules and Yara rules. Of course all of the above are useful for developing appropriate detection measures.

Some interesting details we gathered from the 45 page security warning:

The Drovorub name is the name used by APT28 for malware, not the NSA or FBI.
It comes from drovo [როво], which translates to "firewood", or "wood", and [руб], which translates to "to fall" or "to cut".
The FBI and NSA say they have been able to link Drovorub to APT28 after Russian hackers re-used servers they had used before.
For example, both services claim that Drovorub was connecting to a C&C server previously used for functions of APT28 targeting IoT devices in spring 2019. The IP address was documented by Microsoft.