Linux users should not assume they are safe from the ambitions and reach of reputed Russian hacking group Fancy Bear, which has been using a newly disclosed malware toolset to establish a command-and-control connection with infected Linux systems.
Called Drovorub, the toolset essentially creates a backdoor that enables file downloads and uploads, the execution of arbitrary commands as root, and the port forwarding of network traffic to additional hosts on the network, the FBI and National Security Agency warned last week in a cybersecurity advisory, news release and fact sheet. The advisory describes the malware as an “implant coupled with a kernel module rootkit,” enhanced with additional components and modules.
It shouldn’t be a surprise that nation-state attackers are developing stealthy new weapons designed to compromise the Linux operating system, which runs servers, supercomputers and a litany of IoT devices found at home and in the workplace. Still, it’s sometimes easy for Linux users to let their guard down, thinking Windows remains the primary target.
“Keeping a system updated and fully protected isn’t specific to Windows-based environments,” said McAfee’s ATR Operational Intelligence Team in a company blog post. “Linux-based systems are widespread within many enterprise organizations, often operating outside the direct visibility of system administrators. Partly because of this low visibility, threat actors embrace the Linux Stack as an ideal hiding place and launch point for lateral movement. This makes keeping these environments updated and secure a high priority.”
With that in mind, the FBI and NSA have advised that Linux users update to Linux Kernel 3.7 or later “in order to take full advantage of kernel signing enforcement,” and to also activate UEFI Secure Boot and “configure systems to load only modules with a valid digital signature, making it more difficult for an actor to introduce a malicious kernel module into the system.”
The most recent version of Linux to be released is 5.8.1.
“It’s important to note this Linux kernel – 3.7 – was retired in March 2013. If you’re keeping your Linux distros updated, then you should be spared any problems,” said Rosa Smothers, senior vice president of cyber operations at KnowBe4. “My primary concern is all the embedded systems using these older kernels; I suspect there are many out there that remain unaccounted for, thus vulnerable.” Examples of such embedded systems might be routers or smart home technology.
“If you already patch and protect your systems, this should not be anything more than an announcement to keep your eyes open. If you do not, it is time to change your practices,” said Robert Meyers, channel solutions architect at One Identity.
But that means you have to motivate and mobilize Linux users to take preemptive action.
“One of the largest problems in the Linux community is that people tend to believe the hype that Linux is secure. This tends to leave people not updating Linux as often as they should, or not completing the installations of kernel updates when they should,” Meyers continued. But “there is no magic protecting any operating system. Someone will be trying to crack each and every one of them. Whenever updates are available, updates should be completed, using standard IT methodology.”
"The most important takeaway from the report is that Fancy Bear still has tricks up their sleeve with more tools and capabilities that are still being uncovered," said Adam Meyers, senior vice president of intelligence at CrowdStrike. "Another key takeaway is that many organizations have not invested in similar security tools for Linux as they have for other user platforms. They need to realize that Linux is just as vulnerable to malware as any other platform."
According to the FBI and NSA, Drovorub represents “a threat to National Security Systems, Department of Defense, and Defense Industrial Base customers that use Linux systems.”
The malware consists of four main components that run task-specific modules, and communication among the components takes place via a JSON-based message format over the WebSocket protocol, which runs on top of a TCP connection.
The Drovorub-server component resides on attacker infrastructure and enables C2 communication, leveraging a MySQL database to store data needed for registration, authentication, and tasking. The Drovorub-client module, meanwhile, sits on infected endpoints and receives commands from the server module. It enables file transfer, port forwarding, and remote shell capabilities, and is bundled with the Drovorub-kernel module, which grants “rootkit-based stealth functionality to hide the client and kernel module,” the advisory explains.
A fourth module, Drovorub-agent, acts similarly to the Drovorub-client, and is “likely to be installed on internet-accessible hosts or actor-controlled infrastructure,” the advisory says. It, too, receives commands from the server, but it has no remote shell capability or kernel module rootkit. The agent and client modules can’t communicate directly, but they can interact indirectly via the server module.
Referring to the toolkit’s advanced evasion techniques, the FBI and NSA note that the Drovorub-kernel module “poses a challenge to large-scale detection on the host because it hides Drovorub artifacts [e.g. files, directories and processes] from tools commonly used for live-response at scale.”
To combat this threat, the advisory suggests such measures as network intrusion detection systems, probing, running security products, logging, live response, memory analysis and media disk image analysis.
McAfee specifically suggested scanning for rootkits, loading only known modules or disabling modules entirely, using Linux kernel Lockdown, enabling the SELinux security enhancement and more.
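The FBI/NSA advice above on module signature enforcement and UEFI Secure Boot, and McAfee's suggestion to use kernel Lockdown and load only known modules, can be audited on a host with the following script. It is an example added here, not code from the advisory, the article or any vendor; the SYSROOT variable and the function names are assumptions so the checks can be pointed at a copied or constructed /sys and /proc tree.

```shell
#!/bin/sh
# Added example (not from the advisory or article): audit the anti-rootkit
# controls discussed above on a Linux host. SYSROOT is an assumed knob that
# lets the checks run against a copied or constructed /sys and /proc tree;
# leave it empty on a live host.
SYSROOT="${SYSROOT:-}"
# "Y" means the kernel refuses modules without a valid signature.
check_sig_enforce() {
    f="$SYSROOT/sys/module/module/parameters/sig_enforce"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}
# efivarfs prepends 4 attribute bytes; the 5th byte is the SecureBoot value.
check_secure_boot() {
    f="$SYSROOT/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$f" ] && [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" = "1" ]
}
# The active lockdown mode is bracketed, e.g. "none [integrity] confidentiality".
check_lockdown() {
    f="$SYSROOT/sys/kernel/security/lockdown"
    [ -r "$f" ] || return 1
    case "$(cat "$f")" in
        *"[integrity]"*|*"[confidentiality]"*) return 0 ;;
        *) return 1 ;;
    esac
}
# Taint bit 12 (4096) = out-of-tree module, bit 13 (8192) = unsigned module.
check_module_taint() {
    f="$SYSROOT/proc/sys/kernel/tainted"
    [ -r "$f" ] || return 1
    t=$(cat "$f")
    [ $(( (t / 4096) % 2 )) -eq 0 ] && [ $(( (t / 8192) % 2 )) -eq 0 ]
}
# Name every loaded module whose own taint flags (e.g. "OE") are set.
list_tainted_modules() {
    for d in "$SYSROOT"/sys/module/*/; do
        [ -r "$d/taint" ] || continue
        t=$(cat "$d/taint")
        [ -n "$t" ] && printf '%s %s\n' "$(basename "$d")" "$t"
    done
    return 0
}
report() {
    check_sig_enforce  && echo "sig_enforce: Y" || echo "sig_enforce: N (unsigned modules loadable)"
    check_secure_boot  && echo "secure boot: on" || echo "secure boot: off or not UEFI"
    check_lockdown     && echo "lockdown: active" || echo "lockdown: inactive or unsupported"
    check_module_taint && echo "module taint: clean" || echo "module taint: flagged or unreadable"
    list_tainted_modules
}
report
```

A module listed with an "O" or "E" flag is not proof of compromise, but on a host where signature enforcement is expected it is the first thing to reconcile against the known-module inventory.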
Mick Baccio, security advisor at Splunk, theorized in a blog post why the NSA and FBI decided now was the time to shed light on the Drovorub threat and its affiliation with Fancy Bear (aka APT 28 and Sofacy), which has been tied to Russia’s GRU intelligence agency. “The disclosure of Drovorub is a damaging setback because retooling is neither swift nor easy – even for a well-funded intelligence organization like the GRU,” he said. “This advisory is a digital equivalent of a shot across the bow. ‘We can see you, and we are watching.’”
Last month, researchers from Intezer disclosed their discovery of a Docker container attack that distributes a “fully undetectable” malicious backdoor for Linux-based cloud environments. As user organizations move more of their business infrastructure off premises, cybercriminals are becoming increasingly motivated to target Linux-based cloud environments.