Explore top 10 tips to secure your open-source projects now. Read More
×Security researchers have discovered a sophisticated strain of malware targeting Linux servers dubbed Perfctl. Its dual purpose is mining cryptocurrency and proxyjacking. . This malware exploits vulnerabilities while operating stealthily to avoid detection mechanisms, posing a significant risk to organizations relying on Linux-based infrastructures. In this article, I'll help you understand this threat, determine if you are at risk, and share advice for detecting and preventing infections. Let's begin by examining this malware and how it works. Understanding Perfctl Malware Perfctl malware has proven itself elusive and persistent over the years. Aqua Security researchers Assaf Morag and Idan Revivo state that its primary objective is running cryptocurrency mining and proxyjacking software on compromised Linux servers. Aqua Security researchers reported that Perfctl employs various sophisticated techniques to stay undetected while remaining persistent on infected machines. When Perfctl infiltrates a server, all resource-intensive activities immediately cease when a new user logs on. It is dormant until server traffic subsides again, thus avoiding detection by humans checking performance metrics periodically. When executed, Perfctl deletes its binary to cover its tracks before continuing as an invisible background service. The Attack Chain Perfctl Attack Chain (Source: Aqua Nautilus) Perfctl employs an effective and innovative attack chain. After exploiting a vulnerable Apache RocketMQ instance to deliver an initial payload known as "httpd," execution of this payload copies itself into the "/tmp" directory, launches another binary process, and deletes itself to mask its presence and avoid detection. Hence, its presence remains obscured until detection occurs later on. Perfctl takes advantage of a security flaw in Polkit ( CVE-2021-4043 or PwnKit) to gain root privileges and use them to deploy its primary payload: a cryptocurrency miner named perfcc and rootkit protectionagainst defense evasion. Some instances also download and execute proxyjacking software from remote servers, highlighting its dual nature. Evasion Mechanisms Perfctl uses several sophisticated evasion techniques to avoid detection and removal, including binary deletion. Upon execution, Perfctl deletes its initial binary file immediately - making it hard for security researchers to pinpoint its origin. Perfctl uses a rootkit to hide its processes and activities from system monitors and administrators, as well as fileless attack methods aimed at operating solely within memory, which help avoid traditional file-based antivirus and detection tools. Named "perfctl," the malware's name seeks to appear as a legitimate system process. Perf stands for Linux performance monitoring tool, while "ctl" is often seen in command-line tools like systemctl or timedatectl - giving an appearance of benignness to this dangerous code. Impact of an Attack A Perfctl attack can have grave repercussions that wreak havoc on affected systems and organizations, with cryptocurrency mining taking up significant system resources, leading to decreased performance and rising operational costs. Given its root access, malware could use this opportunity to exfiltrate sensitive data from compromised computers - creating severe security risks. Proxyjacking attacks also can take advantage of compromised systems to route malicious traffic and implicate victims in illegal activities. Perfctl's persistence mechanisms can cause extended operational downtime as organizations work to identify and mitigate its infection. Furthermore, for organizations governed by regulatory bodies such as HIPPA/FERPA regulations, successful Perfctl attacks could mean noncompliance with data security regulations - which could lead to severe legal and financial repercussions for noncompliance. What Countries & Sectors Are Affected by Perfctl? The Perfctl malware campaign has had a devastating effect on numerous countries and sectors worldwide, mostnotably in the US, Germany, and South Korea—three countries that heavily rely on Linux servers, particularly within cloud and enterprise environments. As these locations boast high computational demands due to widespread Linux server usage, they have become prime targets of Perfctl crypto mining and proxyjacking activities. Perfctl has targeted cryptocurrency and NFT platforms and the software development and publishing industries, specifically exploiting server resources for crypto mining purposes without being detected by users. These industries are particularly vulnerable because they often operate within Linux environments with open-source platforms and utilize developer forums and repositories as propagation methods. Hence, there is a need for enhanced cybersecurity measures in these industries to minimize its spread. Let's examine some measures developers and organizations can take to mitigate risk. Detection and Prevention Organizations need to implement comprehensive strategies to detect and prevent Perfctl attacks, which include adopting comprehensive detection tactics. This includes monitoring CPU usage for unexpected spikes or system slowdowns during idle periods, as these can indicate cryptocurrency mining activity, and employing rootkit detection and removal tools as well as network and host-based intrusion detection systems to monitor for abnormal activities and any attempts at unauthorized access. Prevention measures are also crucial. Ensuring regular updates and patches for systems and software helps address vulnerabilities like CVE-2021-4043 (PwnKit), which are gateways for malware entering systems. Implementing tight permissions to manage which files and binaries can be executed on the server is essential, as is disabling any services that could expose it to potential vulnerabilities. Network segmentation should be implemented to restrict an attacker's lateral movement within a network. Role-based access control (RBAC) should also be employed so only users who requireaccess can gain entry. These measures will significantly strengthen an organization's resilience against Perfctl threats. Our Final Thoughts on Combating the Perfctl Malware Threat Perfctl malware is a testament to the evolving complexity and sophistication of cyber threats targeting Linux servers. Perfctl poses a severe risk to organizations across various sectors by exploiting vulnerabilities while employing advanced evasion techniques. Monitoring system performance closely, updating security patches regularly, restricting file executions, and creating robust access controls are necessary measures against Perfctl attacks. As the digital landscape expands, so must our protection efforts against threats like Perfctl. . Trojanux malware breaches Windows flaws surreptitiously, compromising devices with ransomware threats and data exfiltration hazards.. Perfctl Malware,Crypto Mining,Linux Server Security,Cyber Threats,Security Evasion Techniques. . Brittany Day
A recent increase in attacks has been observed from the 8220 Gang, a cybercriminal group from China. The group has become notorious for infiltrating cloud-based infrastructure and exploiting vulnerabilities to mine cryptocurrency from Linux and Windows users. . How Do These Attacks Work & How Can I Mitigate My Risk? One of the most significant concerns surrounding these attacks is the group's use of well-known vulnerabilities, such as CVE-2021-44228 and CVE-2022-26134 , which poses a heightened risk to cloud security worldwide. The 8220 Gang identifies potential entry points through internet scans and exploits unpatched vulnerabilities to gain unauthorized access to cloud systems. This shift towards more sophisticated techniques is a critical evolution in cyber threats facing cloud infrastructure today. The implications of these attacks are far-reaching, affecting countless organizations that rely on cloud infrastructure. The group's use of tools, including Tsunami malware , XMRIG cryptominer, masscan, and spirit, allows them to deploy cryptocurrency miners on compromised Linux and Windows hosts. This poses significant risks to the integrity and performance of the affected systems and will enable cybercriminals to profit from unauthorized mining operations. Organizations must prioritize cloud security and adopt comprehensive strategies to protect against these advanced threats. This includes ensuring that all systems are regularly updated and patched , implementing robust security measures, and maintaining vigilance for any signs of compromise. As the 8220 Gang continues to evolve its strategies, the cybersecurity community must remain proactive in detecting and mitigating these threats. This situation raises several questions regarding the responsibility of organizations to ensure their cloud infrastructure remains secure, particularly in the wake of new and more sophisticated techniques used by cybercriminals. Companies need to invest in cybersecurity and prioritize responses toemerging cyber threats. Furthermore, the 8220 Gang's recent campaigns highlight the need for further collaboration and information sharing between international cybersecurity experts to prevent such attacks from becoming widespread. Our Final Thoughts on Combating This Increase in Attacks The 8220 Gang's recent escalation in attacks on both Linux and Windows users is concerning. Organizations must ensure all systems are regularly updated and patched and adopt robust security measures to protect against advanced threats. The cybersecurity community must remain proactive in detecting and mitigating these threats. Be sure to subscribe to our newsletters to stay up-to-date on critical news, trends, and advisories impacting the security of your Linux systems. . Uncover the techniques utilized by the 8220 Syndicate to leverage system flaws for cryptocurrency mining on both Linux and Windows platforms. Secure your devices!. Linux Security, Cloud Cybersecurity, Malware Threats, Cryptocurrency Mining, Cybersecurity Preparedness. . Brittany Day
The Kinsing malware is now actively breaching Kubernetes clusters by leveraging known weaknesses in container images and misconfigured, exposed PostgreSQL containers. . While these tactics aren't novel, Microsoft's Defender for Cloud team reports they have seen an uptick lately, indicating that the threat actors are actively looking for specific entry points. Kinsing is a Linux malware with a history of targeting containerized environments for crypto mining, using the breached server's hardware resources to generate revenue for the threat actors. The threat actors behind Kinsing are known for exploiting known vulnerabilities like Log4Shell , and, more recently, an Atlassian Confluence RCE to breach targets and establish persistence. . Cybercriminals are taking advantage of PostgreSQL deployments in Kubernetes, leveraging Kinsing malware for nefarious access.. Kubernetes Security, Linux Malware, Kinsing Threat, Container Exploit. . Brittany Day
A newly discovered evasive malware leverages the Secure Shell ( SSH ) cryptographic protocol to gain entry into targeted systems with the goal of mining cryptocurrency and carrying out distributed denial-of-service (DDoS) attacks. . Dubbed KmsdBot by the Akamai Security Intelligence Response Team (SIRT), the Golang-based malware has been found targeting a variety of companies ranging from gaming to luxury car brands to security firms. "The botnet infects systems via an SSH connection that uses weak login credentials," Akamai researcher Larry W. Cashdollar said. "The malware does not stay persistent on the infected system as a way of evading detection." The link for this article located at The Hacker News is no longer available. . A recently identified malware, named KmsdBot, exploits the SSH protocol to conduct cryptocurrency mining and execute DDoS assaults, focusing on a range of corporate entities.. KmsdBot, Crypto Mining, DDoS Attack, Malware Threat, SSH Exploit. . LinuxSecurity.com Team
Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware. . Cybersecurity company Trend Micro said it found the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as Security-Enhanced Linux ( SELinux ), and others. The operators behind the Kinsing malware have a history of scanning for vulnerable servers to co-opt them into a botnet, including that of Redis , SaltStack , Log4Shell, Spring4Shell, and the Atlassian Confluence flaw (CVE-2022-26134). The link for this article located at The Hacker News is no longer available. . Fortinet uncovers BlackMatter ransomware targeting VMware and Microsoft SQL Server for data encryption.. WebLogic Exploit, Cyber Threats, Cryptocurrency Mining, Kinsing Malware, Docker API Security. . LinuxSecurity.com Team
Akamai Security Research is lifting the public embargo on "Panchan", a new peer-to-peer botnet they are warning customers about that has been breaching Linux servers since March. . Panchan is a Linux botnet that is written in the Go programming language and leverages Golang's concurrency for maximizing its effectiveness of spreading and executing malware modules. Panchan additionally relies on memory-mapped files to avoid detection via on-disk presence while also reportedly stopping its crypto-mining processes when detecting process monitoring. While this botnet performs crypto-mining, there is also a "god mode" baked into this malware as well. Panchan is also made persistent by copying itself to /bin/systemd-worker and creating a systemd service to try to appear as a legitimate systemd service. Looking for "systemd-worker" is one of the ways to detect the possible presence of this Linux botnet on your system. The link for this article located at Phoronix is no longer available. . Panchan employs various persistence techniques leveraging Golang's concurrency to maintain control over compromised systems, enhancing its threat level in cybersecurity.. Linux Botnet, Golang Malware, Systemd Service, Crypto Mining. . LinuxSecurity.com Team
Have you heard about the attack campaign that is targeting Docker users with cryptocurrency mining malware via exposed APIs? . Hackers are attempting to compromise Docker servers en masse via exposed APIs in order to spread cryptocurrency mining malware, according to researchers. Aqua Security claimed to have tracked the organized campaign for several months, revealing that thousands of attempts to hijack misconfigured Docker Daemon API ports are taking place almost every single day. “In this attack, the attackers exploit a misconfigured Docker API port to run an Ubuntu container with the kinsing malicious malware, which in turn runs a cryptominer and then attempts to spread the malware to other containers and hosts,” it explained. . Cybercriminals are increasingly exploiting Docker containers by taking advantage of unsecured APIs to deploy crypto-mining malware.. Docker Security, Crypto Malware, Container Exploits, API Vulnerabilities. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.