The NSA has published some details about a previously undiscovered Linux malware that is currently being used by a Russian intelligence service for targeted attacks.
The US security authorities attribute it to the attacker group APT 28, which according to the Federal Government also belongs to Russian intelligence with near certainty, and which the BSI (Germany's Federal Office for Information Security) holds responsible for the intrusion. According to a press release from the FBI and NSA, the threat appears to be aimed at national security systems and customers of the defense industry that use Linux. The authorities do not name any further or more specific targets.
One of the main tasks of the modular Linux malware is to communicate with the attackers' command-and-control server. According to the report, Drovorub also serves as a kind of relay in the target network, through which the attacker can then reach other systems on the compromised network. Thanks to its upload and download functions, it can both exfiltrate sensitive data and fetch additional malicious code. Drovorub also includes a shell module that allows attackers to execute commands remotely with root privileges.
FBI and NSA Advise Linux Admins To Use Kernel Version 3.7
With regard to preventive measures against the attackers' invisible presence on Linux servers, the otherwise extensive report is kept very brief. The FBI and NSA advise admins to run at least the eight-year-old kernel version 3.7 and to apply all available software updates regularly. From version 3.7 on, the kernel supports signed modules and can verify the signature before loading a module to ensure it is intact. Admins should configure their systems so that only modules with a valid signature can be loaded. As the authorities emphasize in the report, these measures protect against the rootkit hiding itself on the system, but not against the actual compromise that takes place before the kit is installed. Since the entry points for targeted attacks can differ greatly from case to case, there is unfortunately no silver bullet here.
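As an added example (not code from the article or from the NSA/FBI report), the following POSIX shell script checks the two preconditions the advice rests on: a kernel release of at least 3.7, and a build or runtime configuration in which unsigned modules are refused (CONFIG_MODULE_SIG_FORCE, or sig_enforce set at runtime). The kernel config it is run against at the end is constructed, so the script works offline; audit_live_host applies the same checks to the machine it runs on.

```shell
#!/bin/sh
# Added example: does this host satisfy the advisory's preconditions for
# rejecting unsigned kernel modules? (Not code from the NSA/FBI report.)

# version_at_least KVER MIN: succeed when kernel release KVER is >= MIN ("3.7").
version_at_least() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # "5.4.0-42-generic" -> "5.4.0"
    major=${v%%.*}
    case $v in *.*) rest=${v#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
    [ "$major" -gt "${2%%.*}" ] && return 0
    [ "$major" -eq "${2%%.*}" ] && [ "$minor" -ge "${2#*.}" ]
}

# module_sig_status CONFIG_FILE: prints "enforced" (unsigned modules rejected),
# "signing-only" (signatures checked, unsigned modules still load but taint the
# kernel) or "disabled", based on the kernel build configuration.
module_sig_status() {
    if grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$1"; then echo enforced
    elif grep -qx 'CONFIG_MODULE_SIG=y' "$1"; then echo signing-only
    else echo disabled
    fi
}

# audit_live_host: apply both checks to the machine the script runs on.
audit_live_host() {
    kver=$(uname -r)
    if ! version_at_least "$kver" "3.7"; then
        echo "kernel $kver predates module signing support (needs >= 3.7)"; return 1
    fi
    cfg="/boot/config-$kver"
    if [ -r "$cfg" ]; then
        echo "build-time module signing: $(module_sig_status "$cfg")"
    else
        echo "no $cfg found; inspect /proc/config.gz for CONFIG_MODULE_SIG_FORCE"
    fi
    # Runtime state: "Y" means the running kernel currently refuses unsigned
    # modules even if the build only set CONFIG_MODULE_SIG (module.sig_enforce=1).
    enforce=/sys/module/module/parameters/sig_enforce
    if [ -r "$enforce" ]; then echo "runtime sig_enforce: $(cat "$enforce")"; fi
}

# Constructed sample config (not from a real host) to exercise the checks offline.
sample_cfg=$(mktemp)
printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_FORCE=y\n' > "$sample_cfg"
if version_at_least "3.10.0-1160.el7.x86_64" "3.7" && [ "$(module_sig_status "$sample_cfg")" = enforced ]; then
    echo "sample host: unsigned modules are rejected (advisory precondition met)"
else
    echo "sample host: an unsigned module could still be loaded"
fi
rm -f "$sample_cfg"
```

Run audit_live_host on a real server to get the same verdict for the running kernel; a build-time "signing-only" result with runtime sig_enforce "N" is the case the advisory warns about.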