Explore top 10 tips to secure your open-source projects now. Read More
×Linux admins and infosec pros, we’ve got a real problem on our hands. There’s a group out there—the Houken threat actor—that’s not messing around. These guys have been targeting industries that form the backbone of society: government, telecoms, finance, you name it. Using unpatched Ivanti devices as their entry point, they’re pulling off some slick and dangerous moves. This isn’t some dime-a-dozen botnet attack or basic ransomware scheme—it’s targeted, it’s precise, and it’s making life a nightmare for Linux admins tasked with safeguarding critical systems. . You’ll want to sit down for this one, because they’re not just grabbing credentials or tossing a webshell onto your server (although they’re doing that, too). Houken is injecting a full-on Linux kernel rootkit , and if just reading that makes your stomach drop, you’re not alone. Let’s walk through what’s happening here and what steps we can take to push back. This Isn’t Just a "Patch It and Forget It" Situation Here’s the deal: the Houken campaign is patient, crafty, and relentless. They’ve been at it since late 2024, zeroing in on unpatched Ivanti CSA devices. These appliances, often deployed in environments where uptime is sacred, are being exploited via zero-day vulnerabilities . The attack doesn’t end with an initial breach—they bring a whole toolkit with them. The first thing they do is snatch admin credentials. With those in hand, they’re off to the races: deploying webshells (both off-the-shelf and their own nasty creations) and setting up persistence. And then comes the real kicker—their pièce de résistance—the dreaded Linux kernel rootkit. Once this rootkit gets loaded (we’re talking about a nasty piece of work called sysinitd.ko), you’re no longer in charge of your system, no matter what top or netstat says. They can intercept kernel operations, monitor traffic, tweak system behaviors, and most importantly, cover their tracks. This isn’t your garden-variety “oops,reboot and fix it” kind of malware. This is deep. Anatomy of the Attack: How Does Houken Get Its Hooks In? Breaking down their strategy is a bit like dissecting a stealth bomber—you marvel at the engineering while sweating how to defend against it. Here’s what Houken’s doing, step by step: Ivanti CSA Exploits The attackers leverage vulnerabilities in Ivanti CSA devices to break into networks. These devices often sit at the edge, acting as gateways to bigger systems. Perfect targets. Credential Theft Once they’re in, they extract administrative credentials using Python scripts. Here’s the clever part: these scripts encode data in Base64 to fly under the radar. Logs that seem fine at first glance? Yeah, not so much. Webshell Deployment PHP webshells are dropped onto the system to allow remote access. They’ll use these shells—both prebuilt versions and ones tailored for your environment—to walk through your network quietly. Kernel Rootkit Deployment This is where things get terrifying. The sysinitd.ko kernel rootkit gets installed, and suddenly, everything you rely on to monitor the system—whether it’s ps, lsof, or kernel trace logs—is prone to manipulation. It slides in undetected, controlling what the system shows you. Persistence and Lateral Movement If the rootkit wasn’t bad enough, there’s a user-space controller (sysinitd) working alongside it. This piece lets attackers manipulate the rootkit later on and ensures their presence doesn’t go away after a reboot. Step Zero: Mitigation Starts with Hardening Access First things first: if you’re using Ivanti CSA devices, lock them down now. These devices often sit in tightly controlled, sensitive environments, but the moment they’re left unpatched or misconfigured, they become entry points for the nightmare that’s Houken. Start by applying any available patches immediately. Oh, and do not—under any circumstances—leave these devices directly accessible from the internet. Put thembehind proper firewalls. Ideally, pair that with strict access rules, like IP whitelists or strictly managed VPN connections . If you have these devices running “out in the wild” with poor access policies, you’re leaving the front door wide open for attackers to walk in. For Linux systems, make sure your kernel module handling isn’t wide open. Limiting dynamic module loading on production systems is a lifesaver here. If your system doesn’t need to load modules on the fly, make that the default state. What Indicators of Compromise Should I Watch Out For? The thing is, many administrators don’t realize their systems are compromised until it’s too late. With a kernel rootkit in play, basic commands like ps or lsmod can’t always be trusted. You’ll want to think more advanced: Check for weird Base64-encoded Python scripts. Attackers love these because they slip unnoticed under standard file monitoring. Hunt for anomalies in kernel activity. Tools like rkhunter and chkrootkit might help catch something the attackers missed, but know this: a stealthy rootkit can slip past even these tools. Examine logs for strange PHP webshell behavior. Look for unusual IP-based admin access or commands issued outside normal operational hours. Kernel Rootkit Defense (This Isn’t a Game) Linux admins, take this bit seriously—kernel rootkits are not your average virus. Here’s what you can do to get ahead of them: Kernel Hardening: Use tools like SELinux or AppArmor to restrict untrusted code. For managed live patching, look into solutions like Ksplice. Log Everything: Rootkits aim to leave few traces, but pair kernel-level security with external logging to detect what slips through. Forward logs to hardened remote logging servers. Keep Systems Minimal: If you’re running a server that doesn’t need random modules, use a hardened kernel with strict module loading policies. Real-World Tips for the Haul If a system smells fishy—whetherit’s sudden performance degradation, admin credentials getting locked out, or netstat showing strange connections—assume the worst until proven otherwise. Isolate the machine immediately. Once a rootkit gets deployed, scrubbing the system clean might be wishful thinking. Plan to rebuild the box instead. Add EDR solutions into your stack if you can (open-source solutions like Wazuh or OSSEC can be a good start). These tools chew through logs better than human eyes ever could, pointing you toward unusual behavior before it spirals. Our Final Thoughts: Step Up & Shut It Down The Houken group represents exactly the kind of adversary that keeps security teams up at night. They’ve got the skill to play long games, the patience to stay in stealth mode, and the tools to turn your Linux server into their playground. The good news? They’re not invincible. Targeted attacks like this require a proactive, vigilant defense. Stay patched , lock down network access, and deploy every logging and monitoring tactic you can manage. The Linux community often wins because of its shared vigilance—let’s keep that tradition alive! . Attackers exploit weaknesses in Ivanti CSA to deploy kernel rootkits on Linux machines. Urgent measures are necessary for system administrators.. rootkit, Ivanti CSA, Houken, Linux security, credential theft. . Brittany Day
In recent months, Linux security administrators and WordPress site owners have encountered a formidable adversary: MUT-1244 . This threat actor has been unleashing havoc by targeting academics, penetration testers, red teamers, security researchers, and other threat actors. MUT-1244's primary goal is to acquire sensitive data, including AWS access keys and WordPress account credentials. . Their campaign leverages trojanized GitHub repositories designed to fool even the most diligent users. By disguising malicious code as legitimate tools and repositories, MUT-1244 has managed to steal over 390,000 credentials. This article will delve into how MUT-1244 operates, highlighting the infection vectors, the extent of credential exfiltration, and the critical indicators of compromise you need to watch out for. We'll break down the practical steps Linux security admins can take to safeguard their systems and data, from verifying software sources to implementing robust credential management practices. By understanding and recognizing the tactics employed by MUT-1244, you can better protect your environment against this persistent and evolving threat. Infection Vectors: Trojanized GitHub Repositories One of the primary ways MUT-1244 has managed to infiltrate systems is through trojanized GitHub repositories. Many security professionals, including penetration testers and red teamers, rely on various open-source tools on GitHub to perform their tasks. MUT-1244 has exploited this trust by creating repositories that appear legitimate but are laden with malicious code. When unsuspecting users clone and execute these repositories, they inadvertently run malicious scripts that compromise their systems. These scripts swiftly harvest credentials and other sensitive data, relaying the information to the attackers. MUT-1244 has been particularly cunning in ensuring that the malicious repositories are well-crafted and the malicious code is deeply embedded, making it difficult for users to immediately detectanything amiss. Exfiltration: The Scope of the Breach The exfiltration of credentials is the core objective of MUT-1244's campaign. By specifically targeting tools that offensive security professionals would use, the threat actor has gathered a vast trove of sensitive data, including AWS access keys and WordPress account credentials. These credentials are critical, as they can provide attackers direct access to various services and platforms, potentially leading to further exploitation and data breaches. The trojanized tools used in these attacks are designed to look like legitimate credentials checkers, which security professionals use to audit and manage passwords and keys. But instead of merely checking the credentials, these tools are configured to capture and exfiltrate them. Sometimes, the compromised tools even provide normal feedback, making it harder for users to realize they have been duped. Indicators of Compromise: What to Watch Out For Understanding the indicators of compromise (IoCs) associated with MUT-1244 can help in early detection and remediation. Some of the most important IoCs to be aware of include phishing email tactics and known malicious GitHub users and repositories. One common phishing tactic involves sending emails with subjects like "Notification: Important CPU Microcode Update for High-Performance Computing (HPC) Users" from senders such as
Canonical has taken steps to address the growing problem of cryptocurrency credential-stealing apps in the Snap store by introducing manual reviews for all new Snap name registrations. This move by Canonical reflects a temporary measure to tackle the influx of scam apps. . This change signifies an acknowledgment of the severity of the problem and an effort to enhance the security of the Snap store. However, it also raises questions about the effectiveness of the prior automated review process and the potential backlog the manual review may create. Why Are These Scams & Canonical's Policy Changes Significant for Admins & Security Practitioners? These scams exploit users' trust by masquerading as legitimate apps and employing simple social engineering techniques to extract their credentials. Apps look legitimate because the Snap Store badges them as 'safe.' In one case, a Snap store user lost nine Bitcoins, valued at approximately $490,000, after installing a fake "Exodus" wallet app. This issue raises larger concerns about cryptocurrency and non-fungible token (NFT) trading security. It prompts questions about the lack of regulation and the potential risks of engaging in digital currency transactions. It also highlights the importance of critical thinking and due diligence when dealing with new technologies and financial instruments. This issue serves as a wake-up call for security practitioners to reevaluate security practices. Linux admins, infosec professionals, and sysadmins must be vigilant and stay informed about the latest scams and vulnerabilities in the open-source ecosystem. The need for a multifaceted approach to security, combining technological advancements and user education, must also be emphasized. While efforts like manual review processes help mitigate risks, they may not be foolproof. From a long-term perspective, it is crucial to underscore the importance of establishing trust in app stores and ensuring the integrity of software repositories. These scams raiseconcerns about the decentralization of app distribution and the potential lack of oversight in open-source ecosystems. Could these scams be prevented or mitigated if the app distribution process were more centralized and regulated? Should there be stricter guidelines and audits for app developers? Our Final Thoughts on the Implications of These Snap Store Scams This article aims to provide valuable insights into the challenges faced by the Snap store in addressing cryptocurrency credential-stealing apps. The implications of these scams go beyond financial losses, bringing into question the trust and security of open-source software distribution. As security practitioners, we must remain vigilant and continually reassess our measures to protect users from emerging threats in the digital landscape. . Canonical takes action against scams in the Snap store by implementing manual evaluations to bolster security and safeguard user confidence in their applications.. Cryptocurrency Security, App Review Process, User Education, Digital Currency Risks. . Brittany Day
This article from The Hacker News presents a nerve-racking revelation about how cyber threat actors are adapting to the evolving digital landscape. . The hackers' skillful exploitation of the Linux privilege escalation flaw, termed "Looney Tunables," is both alarming and fascinating. As the article mentions, " the attacks revolve around exploiting a recently disclosed Linux privilege escalation flaw (CVE-2022-0847) to gain elevated privileges on the compromised systems "—a stark example of the threat actors' ability to rapidly harness nascent security flaws. Yet it's the apparent shift in strategy that grabs the most attention. Known for deploying malicious cryptocurrency miners, the Kinsing group’s focus on extracting cloud service provider credentials carries ominous implications. The article states, " Beyond establishing an initial foothold, the threat actor aims to extract credentials related to cloud service providers including Alibaba Cloud, Tencent Cloud, and Huawei Cloud. " Could this mean an expanding scope of their operations, possibly threatening the integrity of our cloud-native environment in the near future? All of this underscores the need for a proactive and anticipatory approach to cybersecurity. The evolving modus operandi of Kinsing is a reminder that the cyber threat landscape is dynamic, requiring us to upgrade and expand our defenses persistently. The twists in these cyber-attack strategies make the rest of this detailed article a captivating read for those of us on the constant quest to understand and outmaneuver cyber threats. The link for this article located at The Hacker News is no longer available. . The adept manipulation of the Windows vulnerability 'Sketchy Switches' by cybercriminals heightens worries regarding online safety.. Linux Security Flaw, Kinsing Malware, Cloud Security, Cyberattack Strategies. . Brittany Day
The ChatGPT-powered Blackmamba malware, which can operate on macOS, Windows, and Linux systems, works as a keylogger, with the ability to send stolen credentials through Microsoft Teams. . HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a new type of ChatGPT -powered malware named Blackmamba, which can bypass Endpoint Detection and Response (EDR) filters. This should not come as a surprise, as in January of this year , cybersecurity researchers at CyberArk also reported on how ChatGPT could be used to develop polymorphic malware. During their investigation, the researchers were able to create the polymorphic malware by bypassing the content filters in ChatGPT, using an authoritative tone. As per the HYAS Institute’s report (PDF), the malware can gather sensitive data such as usernames, debit/credit card numbers, passwords, and other confidential data entered by a user into their device. . Unveil the DarkSerpent virus engineered through AI, proficient in harvesting login data on diverse platforms.. Blackmamba Malware, AI Cyber Threats, Credential Theft Techniques. . LinuxSecurity.com Team
Threat actors now exploit the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices with the notorious Dridex banking trojan or Meterpreter. . The Dridex malware is a banking trojan originally developed to steal online banking credentials from victims. However, over time, the malware has evolved to be a loader that downloads various modules that can be used to perform different malicious behavior, such as installing additional payloads, spreading to other devices, taking screenshots, and more. Dridex infections are also known to lead to ransomware attacks from operations believed to be linked to the Evil Corp hacking group. These ransomware infections include BitPaymer, DoppelPaymer, and possibly other limited-use ransomware variants. . The Emotet malware shifted from data exfiltration to deploying ransomware through Conti exploits, presenting significant dangers.. Malware Infection, Online Banking Security, Threat Exploitation, Apache Log4j. . Brittany Day
The infamous cross-platform LemonDuck crypto-mining malware has continued to refine and improve upon its techniques to strike both Linux and Windows OSes by setting its sights on older vulnerabilities, while simultaneously latching on to a variety of spreading mechanisms to maximize the effectiveness of its campaigns. . "LemonDuck, an actively updated and robust malware that's primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations," Microsoft said in a technical write-up published last week. "Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity." The malware is notorious for its ability to propagate rapidly across an infected network to facilitate information theft and turn the machines into cryptocurrency mining bots by diverting their computing resources to illegally mine cryptocurrency. Notably, LemonDuck acts as a loader for follow-on attacks that involve credential theft and the installation of next-stage implants that could act as a gateway to a variety of malicious threats, including ransomware. The link for this article located at The Hacker News is no longer available. . LemonDuck malware impacts Windows and Linux, using advanced tactics to steal credentials and mine cryptocurrency.. LemonDuck Malware, Linux Security Threat, Crypto Mining Malware. . LinuxSecurity.com Team
Malicious actors are exploiting a new 'Dependency Confusion' vulnerability to target Amazon, Zillow, Lyft, and Slack NodeJS apps and steal Linux/Unix password files and open reverse shells back to the attackers. . Last month, BleepingComputer reported that security researcher Alex Birsan earned bug bounties from 35 companies by utilizing a new flaw in open-source development tools. This flaw works by attackers creating packages utilizing the same names as a company's internal repositories or components. When hosted on public repositories, including npm, PyPI, and RubyGems, dependency managers would use the packages on the public repo rather than the company's internal packages when building the application. . Cybercriminals take advantage of a recently discovered dependency confusion flaw to infiltrate large corporations and extract sensitive login information.. Dependency Confusion, NPM Security, Attack Vector, Credential Theft. . Brittany Day
Get the latest Linux and open source security news straight to your inbox.