FBI - NSA joint warning for new malware

The FBI and released a joint security warning today detailing a new Linux malware strain. Both services say it was developed and used in actual attacks by Russian military hackers.

Both companies report that Russian hackers used the malicious Drovorub software from backdoors in compromised networks.

Με βάση τα στοιχεία που έχουν συλλέξει οι δύο υπηρεσίες, αξιωματούχοι του FBI και της NSA ισχυρίζονται ότι το κακόβουλο λογισμικό είναι έργο της APT28 (Fancy Bear, Sednit), ένα κωδικό όνομα που δόθηκε στους hackers που λειτουργούν στην στρατιωτική μονάδα 26165 της Διεύθυνσης Κεντρικής Πληροφορίας του Γενικού Επιτελείου της Ρωσίας (GRU από το Staff Main Intelligence Directorate) στο 85ο Main SpecialService Center (GTsSS).

Through their joint warning, the two agencies hope to raise awareness among the private and public sectors , so that system administrators can quickly patch their systems, or add detection rules and prevention measures.

According to both services, Drovorub is one multi-component that comes with an implant, one module rootkit, ένα file transfer tool, ένα port-forwarding module, και φυσικά ένα command-and-control (C2) server.

Οι τεχνικές λεπτομέρειες που δημοσιεύθηκαν σήμερα από την NSA και το FBI για το σετ εργαλείων Drovorub της APT28 είναι πολύτιμες για τους of cyberspace.

To prevent attacks, services recommend that organizations update any Linux system to a version running Kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement, a security feature that would prevent APT28 intruders. to Install the Drovorub Rootkit |

The joint security alert [PDF] contains instructions for mutability, detection of hiding behavior , Snort rules and Yara rules. Of course all of the above are useful for developing appropriate detection measures.

Some interesting details we gathered from the 45 page security warning:

The Drovorub name is the name used by APT28 for malware, not the NSA or FBI.
It comes from drovo [როво], which translates to "firewood", or "wood", and [руб], which translates to "to fall" or "to cut".
The FBI and NSA say they have been able to link Drovorub to APT28 after Russian hackers re-used servers they had used before.
For example, both services claim that Drovorub was connecting to a C&C server previously used for of APT28 targeting IoT devices in spring 2019. The IP address was documented by Microsoft.

iGuRu.gr The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive of new posts by email.

Written by giorgos

George still wonders what he's doing here ...

One Comment

Leave a Reply
  1. … Targeted the IOT….

    Instead, go into the house and see the washing machine washing on its own, without you having pressed the button.
    Instead of the refrigerator showing you an order to buy 6 eggs, while you have but 20…

    Wow what do we have to live in the near future.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).