
Explore Latest Linux Security news


Salt Typhoon Threat: Credential Management and Network Defense Strategies

Recent reports have revealed a sophisticated intrusion campaign conducted by Salt Typhoon, targeting major U.S. telecommunications providers. To safeguard against this emerging threat, Linux admins must understand Salt Typhoon's methods: using stolen credentials, living-off-the-land techniques, and repeatedly changing network configurations to avoid detection while expanding access. These tactics stress the importance of rigorous credential management, disabling unnecessary utilities, and conducting regular configuration audits. Let's examine Salt Typhoon's attack methods in greater depth and discuss practical detection and prevention measures you can implement to safeguard your Linux environment.

Credential Use and Expansion

The Salt Typhoon group's recent increase in intrusion activity has alarmed the cybersecurity community and U.S. telecommunications providers. This threat actor excels at using valid stolen credentials to gain entry to key network infrastructure, then expands its reach by harvesting more credentials from network configurations. Doing so solidifies their hold on a network once the initial breach occurs, making eviction increasingly difficult.

To prevent credential abuse and mitigate this threat, security admins must follow reliable credential management practices. This includes creating and using strong, unique passwords across users and systems, rotating them regularly, and adding multi-factor authentication wherever feasible as another layer of protection. Consistent, proactive monitoring for unauthorized access attempts is also imperative: reviewing access logs and setting alerts can identify and isolate potential breaches before they escalate.

Living-off-the-Land (LOTL) Techniques

Salt Typhoon stands out for using living-off-the-land (LOTL) techniques to exploit legitimate tools and utilities already present within compromised networks, such as command-line utilities, network management tools, or scripting environments. By doing this, they minimize their footprint and evade traditional detection mechanisms, conducting malicious activity without raising immediate red flags.

Administrators can counter these tactics by regularly reviewing and updating their network configurations, disabling unnecessary tools or services that could be abused. Understanding which tools should run on each network device, and disabling or removing those that are not needed, is key. Regular audits of system configurations and real-time monitoring will help administrators detect and prevent the LOTL techniques used in campaigns like Salt Typhoon.

Infrastructure Pivoting and Persistence

One of the hallmarks of the Salt Typhoon campaign is its persistent movement through compromised infrastructure. Once inside a network, the attacker meticulously modifies configurations and creates multiple access points to maintain control for extended periods. This allows the attackers to operate undetected, continuously siphoning data or preparing further intrusions.

Implementing stringent network segmentation is key to mitigating persistent threats like Salt Typhoon. By breaking a large network into separate, isolated segments, security teams can limit an attacker's lateral movement. Thorough, regular configuration audits are also necessary; these audits should identify any unauthorized changes that might signal an attacker's presence on your network. Monitoring devices for sudden configuration changes lets you detect malicious activity quickly and respond swiftly.

Recommendations for Detection and Prevention

Protecting network infrastructure against sophisticated threat actors like Salt Typhoon requires an aggressive and comprehensive approach. Our recommendations for detection and prevention include robust configuration management, enhanced monitoring, and in-depth traffic analysis, all designed to detect early signs of compromise and stop attackers from reaching their goals.

Robust Configuration Management and Auditing

Security teams should audit network device configurations regularly. They should check for unapproved changes such as modified AAA (Authentication, Authorization, and Accounting) configurations, new loopback IP addresses, or newly created local accounts that could give attackers a foothold for penetrating the network further. Adopting the principle of least privilege is also integral: only users who need access to critical network devices should have it, minimizing the opportunities for compromised accounts to be exploited. Strong password policies and widespread multi-factor authentication significantly increase the difficulty of gaining and maintaining access.

Enhanced Monitoring and Logging

Effective detection relies on closely monitoring syslog and AAA logs for unusual activity or configuration changes that could indicate an attack in progress, as well as for changes to the logs themselves. Modification of bash_history, auth.log, lastlog, wtmp, or btmp could indicate an attacker's attempt to cover their tracks. Integrity logging across all network devices is vitally important. Automated systems can detect log tampering or gaps in logging data, which are often signs of malicious activity, while regularly checking for non-empty or unusually large .bash_history files may reveal evidence of illicit scripts being run.

Network Traffic Analysis

Establishing visibility of network traffic is essential to identifying and mitigating network threats. Tools like NetFlow for traffic analysis, port scanning, and monitoring for unusual volumetric changes all help pinpoint suspicious network activity. Profiling network devices to detect changes, such as ports opening or closing or shifts in traffic patterns, can give early indication of a breach. Implementing stringent Access Control Lists (ACLs) is crucial to restricting unauthorized access and movement within a network, with regular monitoring for violations helping to identify and close security gaps quickly. Network segmentation helps contain threats by compartmentalizing potentially compromised sections into separate segments. Patching known vulnerabilities is also key to maintaining an effective security posture against threats like Salt Typhoon.

Our Final Thoughts on Mitigating Salt Typhoon's Threat to Your Linux Environment

Salt Typhoon's tactics demonstrate the necessity of an integrated network security approach. From advanced credential management and disabling unneeded tools to network segmentation and ongoing configuration audits, Linux security administrators possess several strategies to prevent sophisticated intrusions from taking hold. By prioritizing such actions and cultivating a culture dedicated to security, network defenders can gain the upper hand against even persistent and skilled threat actors. Ultimately, vigilance, continuous improvement, and proactive mitigation are key to protecting critical network infrastructure from stealthy threats like Salt Typhoon.
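The log-integrity checks the article recommends (gaps or time reversals in auth.log, newly created local accounts, and empty, /dev/null-linked or oversized .bash_history files), as an added example rather than code from the article or from LinuxSecurity.com. The thresholds and the sample auth.log lines are constructed assumptions.

```python
"""Log-integrity checks for the Salt Typhoon indicators described above.
Added example, not code from the article. Finds gaps or time reversals in
auth.log, lists accounts created on the host, and classifies .bash_history
files. Thresholds and the sample log lines below are constructed assumptions."""
import os
import re
from datetime import datetime, timedelta

# rsyslog-style timestamp at the start of an auth.log line, e.g. "Feb 24 08:01:10".
_TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
_USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
MAX_GAP = timedelta(hours=6)        # assumed: longer silence on a busy host is odd
MAX_HISTORY_BYTES = 512 * 1024      # assumed: larger histories suggest scripted activity

def parse_ts(line, year):
    """Timestamp of a syslog line, or None. Syslog omits the year, so it is supplied."""
    m = _TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(0).strip()}", "%Y %b %d %H:%M:%S")

def find_log_gaps(lines, year=2025, max_gap=MAX_GAP):
    """(previous, current) pairs where consecutive entries are more than max_gap
    apart or time runs backwards, which suggests lines were deleted or rewritten."""
    gaps, prev = [], None
    for line in lines:
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if prev is not None and (ts - prev > max_gap or ts < prev):
            gaps.append((prev, ts))
        prev = ts
    return gaps

def new_local_accounts(lines):
    """Account names created according to auth.log (useradd records)."""
    return [m.group(1) for m in map(_USERADD_RE.search, lines) if m]

def classify_history(size, is_symlink, link_target=None):
    """Verdict for one .bash_history from stat-like facts; pure, so it can be
    exercised on constructed values as well as on a live host."""
    if is_symlink and link_target == "/dev/null":
        return "symlinked-to-devnull"     # classic way of switching history off
    if size == 0:
        return "empty"
    if size > MAX_HISTORY_BYTES:
        return "oversized"
    return "ok"

def audit_histories(home_root="/home"):
    """Walk <home_root>/*/.bash_history on a live host and report anything not 'ok'."""
    findings = {}
    for user in os.listdir(home_root):
        path = os.path.join(home_root, user, ".bash_history")
        if not os.path.lexists(path):
            findings[path] = "missing"
            continue
        link = os.readlink(path) if os.path.islink(path) else None
        verdict = classify_history(os.lstat(path).st_size, link is not None, link)
        if verdict != "ok":
            findings[path] = verdict
    return findings

# Constructed auth.log excerpt: a daytime gap of over ten hours, a useradd
# record, then a line whose timestamp precedes the one before it.
SAMPLE_AUTH_LOG = [
    "Feb 24 08:01:10 gw1 sshd[1201]: Accepted publickey for ops from 10.0.0.5 port 51522 ssh2",
    "Feb 24 08:45:33 gw1 sudo:   ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/systemctl status",
    "Feb 24 19:12:04 gw1 sshd[1420]: Accepted password for ops from 10.0.0.5 port 51600 ssh2",
    "Feb 24 19:12:40 gw1 useradd[1433]: new user: name=svc-backup, UID=1003, GID=1003, home=/home/svc-backup",
    "Feb 24 18:59:59 gw1 sshd[1440]: Disconnected from user ops 10.0.0.5 port 51600",
]
```

Run find_log_gaps and new_local_accounts over the real /var/log/auth.log and audit_histories over /home to apply the same checks on a live host.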

Brittany Day, Feb 24, 2025, Hacks/Cracks

Advisory: Perfctl Crypto Mining Threat on Linux Servers

Security researchers have discovered a sophisticated strain of malware targeting Linux servers, dubbed Perfctl. Its dual purpose is mining cryptocurrency and proxyjacking. This malware exploits vulnerabilities while operating stealthily to avoid detection, posing a significant risk to organizations relying on Linux-based infrastructure. In this article, I'll help you understand this threat, determine whether you are at risk, and share advice for detecting and preventing infections. Let's begin by examining this malware and how it works.

Understanding Perfctl Malware

Perfctl has proven itself elusive and persistent over the years. Aqua Security researchers Assaf Morag and Idan Revivo state that its primary objective is running cryptocurrency mining and proxyjacking software on compromised Linux servers, and that it employs various sophisticated techniques to stay undetected while remaining persistent on infected machines. When Perfctl infiltrates a server, all resource-intensive activity ceases the moment a new user logs on. It stays dormant until activity subsides again, thus avoiding detection by humans who check performance metrics periodically. When executed, Perfctl deletes its binary to cover its tracks before continuing as an invisible background service.

The Attack Chain

[Figure: Perfctl Attack Chain (Source: Aqua Nautilus)]

Perfctl employs an effective and innovative attack chain. After exploiting a vulnerable Apache RocketMQ instance to deliver an initial payload known as "httpd," execution of this payload copies itself into the /tmp directory, launches another binary process, and deletes itself to mask its presence. Hence, its presence remains obscured until detection occurs later.

Perfctl takes advantage of a security flaw in Polkit (CVE-2021-4043, or PwnKit) to gain root privileges and uses them to deploy its primary payload: a cryptocurrency miner named perfcc, plus a rootkit for defense evasion. Some instances also download and execute proxyjacking software from remote servers, highlighting the malware's dual nature.

Evasion Mechanisms

Perfctl uses several sophisticated evasion techniques to avoid detection and removal, including binary deletion: upon execution, Perfctl deletes its initial binary file immediately, making it hard for security researchers to pinpoint its origin. Perfctl uses a rootkit to hide its processes and activities from system monitors and administrators, as well as fileless methods that operate solely within memory, which help it avoid traditional file-based antivirus and detection tools. The name "perfctl" is chosen to look like a legitimate system process: "perf" is the name of the Linux performance monitoring tool, while "ctl" is a common suffix in command-line tools like systemctl or timedatectl, giving this dangerous code an appearance of benignness.

Impact of an Attack

A Perfctl attack can have grave repercussions for affected systems and organizations. Cryptocurrency mining takes up significant system resources, leading to decreased performance and rising operational costs. Given its root access, the malware could also exfiltrate sensitive data from compromised machines, creating severe security risks. Proxyjacking can turn compromised systems into relays for malicious traffic, implicating victims in illegal activity. Perfctl's persistence mechanisms can cause extended operational downtime as organizations work to identify and remove the infection. Furthermore, for organizations governed by regulations such as HIPAA or FERPA, a successful Perfctl attack could mean noncompliance with data security requirements, which can lead to severe legal and financial repercussions.

What Countries & Sectors Are Affected by Perfctl?

The Perfctl campaign has had a devastating effect on numerous countries and sectors worldwide, most notably in the US, Germany, and South Korea—three countries that rely heavily on Linux servers, particularly within cloud and enterprise environments. Because these locations have high computational demand due to widespread Linux server usage, they have become prime targets for Perfctl's crypto mining and proxyjacking activity. Perfctl has targeted cryptocurrency and NFT platforms and the software development and publishing industries, exploiting server resources for crypto mining without being noticed by users. These industries are particularly vulnerable because they often operate Linux environments built on open-source platforms and rely on developer forums and repositories, which serve as propagation channels. Hence, these industries need enhanced cybersecurity measures to minimize its spread. Let's examine some measures developers and organizations can take to mitigate the risk.

Detection and Prevention

Organizations need comprehensive strategies to detect and prevent Perfctl attacks. Detection includes monitoring CPU usage for unexpected spikes or system slowdowns during idle periods, which can indicate cryptocurrency mining activity, and employing rootkit detection and removal tools as well as network- and host-based intrusion detection systems to monitor for abnormal activity and unauthorized access attempts.

Prevention measures are also crucial. Regular updates and patches for systems and software address vulnerabilities like CVE-2021-4043 (PwnKit), which serve as gateways for malware. Tight permissions governing which files and binaries can be executed on the server are essential, as is disabling any services that could expose it to potential vulnerabilities. Network segmentation restricts an attacker's lateral movement within a network, and role-based access control (RBAC) ensures only users who require access can gain entry. These measures will significantly strengthen an organization's resilience against Perfctl.

Our Final Thoughts on Combating the Perfctl Malware Threat

Perfctl is a testament to the evolving complexity and sophistication of cyber threats targeting Linux servers. It poses a severe risk to organizations across various sectors by exploiting vulnerabilities while employing advanced evasion techniques. Monitoring system performance closely, applying security patches regularly, restricting file execution, and creating robust access controls are necessary measures against Perfctl. As the digital landscape expands, so must our protection efforts against threats like Perfctl.
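A host-side hunt for the Perfctl traits the article describes (a binary deleted after launch, a payload executing from /tmp, a process name that mimics a system tool, and a rootkit hiding processes from directory listings), as an added example rather than code from the article or from Aqua Nautilus. The directory and name lists, the 65536 PID sweep default and the sample /proc snapshot are constructed assumptions.

```python
"""Hunt for Perfctl traits: a process whose binary was deleted after launch, a
payload running from /tmp, a name that mimics a system tool, and PIDs hidden from
the /proc listing. Added example, not code from the article or Aqua Nautilus.
The classifier is pure so it also runs on the constructed records below."""
import os

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")          # assumed drop locations
SYSTEM_DIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")   # where real tools live
MIMIC_NAMES = {"perfctl", "perfcc", "httpd"}   # names from the article; real httpd lives in /usr/sbin


def classify(exe, cmdline, uid):
    """Reasons a process resembles Perfctl, given the /proc/<pid>/exe link target,
    the NUL-separated cmdline and the owning uid. Empty list means nothing seen."""
    reasons = []
    deleted = exe.endswith(" (deleted)")
    path = exe[:-len(" (deleted)")] if deleted else exe
    if deleted:
        reasons.append("binary deleted after exec")     # the self-deleting "httpd" payload
    if path.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"executes from {os.path.dirname(path)}")
    name = os.path.basename(path) or cmdline.split("\0", 1)[0]
    if name in MIMIC_NAMES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"name {name!r} mimics a system tool outside system dirs")
    if reasons and uid == 0:
        reasons.append("running as root")      # consistent with the Polkit escalation
    return reasons


def audit(records):
    """Map pid -> reasons for every flagged record in an iterable of
    (pid, exe, cmdline, uid) tuples."""
    return {pid: r for pid, exe, cmd, uid in records if (r := classify(exe, cmd, uid))}


def read_proc(proc="/proc"):
    """Yield (pid, exe, cmdline, uid) for processes visible in /proc. Run as root
    for a complete view; unreadable entries are skipped."""
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().decode(errors="replace")
            yield int(entry), exe, cmdline, os.stat(base).st_uid
        except OSError:
            continue   # kernel thread, exited, or permission denied


def hidden_pids(proc="/proc", max_pid=65536):
    """PIDs that answer to a direct open but are missing from the directory listing,
    the signature of a user-space rootkit hooking readdir(). max_pid is an assumed
    default; pass /proc/sys/kernel/pid_max for a full sweep. A process that starts
    between the listing and the probe shows up here too, so re-check any hit."""
    listed = {int(e) for e in os.listdir(proc) if e.isdigit()}
    return [pid for pid in range(1, max_pid + 1)
            if pid not in listed and os.path.exists(os.path.join(proc, str(pid), "status"))]


# Constructed /proc snapshot: systemd, a genuine Apache worker, the self-deleted
# dropper in /tmp, and a miner masquerading as "perfctl".
SAMPLE_PROCS = [
    (1,    "/usr/lib/systemd/systemd", "/usr/lib/systemd/systemd\0--system\0", 0),
    (812,  "/usr/sbin/httpd",          "/usr/sbin/httpd\0-DFOREGROUND\0",      33),
    (4410, "/tmp/httpd (deleted)",     "/tmp/httpd\0",                          0),
    (4422, "/var/tmp/perfctl",         "perfctl\0",                             0),
]
```

On a live host, audit(read_proc()) and hidden_pids() give the two views; treat hits as leads for a rootkit scanner and CPU-usage review, not as proof on their own.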

Brittany Day, Nov 26, 2024, Hacks/Cracks

Uncovering FASTCash Linux Malware: Detection & Prevention Strategies

As malware threats increasingly target Linux systems, admins and organizations must stay up to date on the latest Linux malware variants and on strategies for detecting and preventing attacks. Security researcher HaxRob recently discovered a new Linux variant of the FASTCash malware, which targets payment switches to enable unauthorized ATM withdrawals. To help you prepare proactively for this emerging threat, I'll explain the intricacies and targets of this stealthy variant and offer advice for detection and prevention. After all, when it comes to malware, an ounce of prevention is worth a pound of cure!

Understanding FASTCash Linux Malware

FASTCash malware, commonly associated with North Korean threat actors such as the Lazarus Group, delivers its payload by targeting payment switch systems, which ATM and PoS networks use as critical infrastructure components. By compromising them, attackers can manipulate transaction messages to enable unauthorized cash withdrawals at ATMs. FASTCash has long targeted other operating systems, such as IBM AIX (referred to as FASTCash for UNIX) and Microsoft Windows. Its discovery on Linux suggests an expansion of the attackers' capabilities, opening up more targets while making defense more complex.

How FASTCash Linux Malware Operates

The newly identified Linux variant of FASTCash was found targeting payment switches running Ubuntu 20.04. Analysis indicates that this malware was developed after April 21, 2022, likely using virtualization technology such as a VMware hypervisor. While similar in function to its Windows counterpart, the Linux variant offers slightly reduced capabilities yet retains the key element of intercepting and manipulating declined transaction messages.

The Linux variant gives its operators three key capabilities: transaction interception, fraudulent authorization, and currency manipulation. The malware targets user-space processes on payment switch servers to intercept messages relating to declined transactions for cardholder account numbers on a predefined list. By altering these intercepted messages, FASTCash can authorize transactions that should ordinarily be declined, for random amounts of funds. Like its Windows variant, it mainly uses the Turkish Lira in its currency manipulation.

[Figure: FASTCash Linux Malware Operations (source: doubleagent.net)]

FASTCash Target Profile

FASTCash attacks typically target banks and financial institutions, specifically those operating payment switch systems. Since payment switches serve as central hubs for routing and processing transaction flows, compromising them lets attackers control numerous transactions for significant financial gain. Banks hosting their switch applications on Linux servers have now been attacked by malware that previously targeted Windows or Unix-based systems. The emphasis on interbank networks suggests an even broader attack on banking infrastructure.

Strategies for Detecting FASTCash Malware

Due to its complex and stealthy nature, detecting FASTCash requires a multi-pronged approach. Effective strategies include network traffic monitoring, file integrity monitoring, and behavioral analysis. Network traffic monitoring involves watching for suspicious transactions in specific currencies like the Turkish Lira and for any unusual communication from payment switch servers to external destinations or command-and-control (C2) infrastructure. File integrity monitoring must focus on verifying checksums of critical software components on payment switch servers to detect unauthorized modifications, with detailed audit logging of the directories and files involved in transaction processing. Behavioral analysis involves continuously monitoring running processes for unusual activity or resource consumption indicative of malware, and inspecting transaction logs for signs of tampering or fraudulent approval of transactions that would usually be declined.

Prevention Measures for Admins & Organizations

Protecting against FASTCash Linux malware involves simultaneously strengthening technological defenses and operational practices. Infrastructure hardening is essential: keep all software running on servers such as payment switches up to date to close vulnerabilities, and adhere to the principle of least privilege by restricting users' and services' access rights. Network segmentation is integral to keeping payment switch systems apart from general network traffic, isolating them behind strong firewalls and using a demilitarized zone (DMZ) to limit direct access to internal servers. Multi-factor authentication (MFA) should be required for access to critical systems, particularly for administrative privileges on payment switch servers. Regular security audits, comprising comprehensive assessments and penetration tests, can identify potential vulnerabilities and ensure compliance with pertinent financial regulations and cybersecurity standards. Training employees in cybersecurity awareness is also of utmost importance: teaching staff how to recognize phishing attempts and other social engineering tactics that could compromise systems is essential in preventing breaches.

Our Final Thoughts on Combating the Emerging FASTCash Linux Malware Variant

The presence of a Linux variant of FASTCash marks a major escalation in cybercrime against financial institutions. By understanding its operating mechanisms and developing effective detection and prevention strategies against this new threat, organizations can strengthen their defenses against it and other sophisticated attacks. As with all cybersecurity challenges, being informed, vigilant, and proactive will allow organizations to reduce the risks this formidable adversary presents.
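The transaction-log tamper check the detection section calls for, as an added example rather than code from the article or from HaxRob's analysis: it pairs the response the switch received from the issuer with the one it forwarded toward the ATM, reporting declines that left the switch as approvals, values altered in transit, and approvals the issuer never gave, plus a per-currency approval profile so Turkish Lira activity stands out. The record layout (STAN, PAN, DE39 response code, DE49 currency code, loosely modelled on ISO 8583) and the sample logs are constructed assumptions.

```python
"""Tamper check for the FASTCash behaviour described above: the malware rewrites an
issuer's decline into an approval before the switch forwards it. Added example, not
code from the article or from HaxRob's analysis. Field names and sample data are
constructed assumptions loosely modelled on ISO 8583."""
from collections import Counter

APPROVED = "00"   # ISO 8583 DE39 response code for "approved"
TRY = "949"       # ISO 4217 numeric code for Turkish Lira


def mask_pan(pan):
    """First six and last four digits only; never log a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_rewritten_responses(issuer_log, forwarded_log):
    """Compare each forwarded response with the issuer's response for the same
    (STAN, PAN). Returns (stan, masked pan, reason) for responses the issuer
    declined but the switch approved, for amount or currency changed in transit,
    and for approvals with no issuer response at all."""
    issuer = {(r["stan"], r["pan"]): r for r in issuer_log}
    findings = []
    for out in forwarded_log:
        src = issuer.get((out["stan"], out["pan"]))
        tag = (out["stan"], mask_pan(out["pan"]))
        if src is None:
            if out["rc"] == APPROVED:
                findings.append(tag + ("approval with no issuer response",))
        elif src["rc"] != APPROVED and out["rc"] == APPROVED:
            findings.append(tag + (f"issuer decline {src['rc']} forwarded as approval",))
        elif (src["amount"], src["currency"]) != (out["amount"], out["currency"]):
            findings.append(tag + ("amount or currency altered in transit",))
    return findings


def approval_profile(forwarded_log):
    """Count of approved responses per currency code; a switch that normally sees
    no TRY traffic should treat any count under '949' as worth a look."""
    return Counter(r["currency"] for r in forwarded_log if r["rc"] == APPROVED)


# Constructed logs. Issuer responses as received by the switch:
ISSUER_LOG = [
    {"stan": "000101", "pan": "4111111111111111", "rc": "00", "amount": "20000", "currency": "840"},
    {"stan": "000102", "pan": "5555444433331111", "rc": "51", "amount": "50000", "currency": "840"},
    {"stan": "000103", "pan": "5555444433331111", "rc": "51", "amount": "37300", "currency": "949"},
]
# Responses the switch forwarded toward the acquirer; 000103 was flipped to an
# approval in transit and 000104 never reached the issuer at all:
FORWARDED_LOG = [
    {"stan": "000101", "pan": "4111111111111111", "rc": "00", "amount": "20000", "currency": "840"},
    {"stan": "000102", "pan": "5555444433331111", "rc": "51", "amount": "50000", "currency": "840"},
    {"stan": "000103", "pan": "5555444433331111", "rc": "00", "amount": "37300", "currency": "949"},
    {"stan": "000104", "pan": "5555444433331111", "rc": "00", "amount": "91200", "currency": "949"},
]

if __name__ == "__main__":
    for stan, pan, reason in find_rewritten_responses(ISSUER_LOG, FORWARDED_LOG):
        print(f"STAN {stan} PAN {pan}: {reason}")
    print(dict(approval_profile(FORWARDED_LOG)))
```

The comparison only works if the issuer-side log is written by a component the malware does not hook, for instance the upstream link's own capture, since the tampered process would otherwise log the rewritten value on both sides.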

Anthony Pell, Oct 16, 2024, Hacks/Cracks