Bleedingtooth, Russians, and Penguins
Hi Everyone,
This week I have partnered with a colleague. Josh Kozak wrote an awesome article.
-------------
Due to the limited desktop use of Linux, I always forget that malware for Linux-based systems does indeed exist. Add to that the fact that most Linux distributions ship with popular security tools such as SELinux, firewalld, UFW or iptables baked right in for ease of use, and it's easy to feel safe and secure in a Linux environment. Recently, however, two reports served as a reminder to update kernels and detection rules: one is a widespread Bluetooth vulnerability affecting the BlueZ Bluetooth stack, and the other is the NSA report detailing the Drovorub malware toolset for Linux systems.
BleedingTooth
Now, while that may seem a very specific set of circumstances for the vulnerability to be exploited, it's important to remember that BlueZ is also found on most Linux-based IoT devices. That would let attackers pick and choose their targets at leisure and, through those devices, gain access to even greater network bounties. Being IoT devices, it's also a safe bet that they may be missed in a sweep of system/kernel upgrades and could be running vulnerable kernel versions.
Intel announced that upgrading your kernel to version 5.9 or higher will fix the vulnerability. They also released various patches for existing kernels in case a full kernel upgrade was not viable.
Drovorub
The client is installed on the target's system by the actor; it then receives commands from the server and offers file transfer to and from the system it is installed upon. The client also comes packaged with the kernel module, which provides rootkit-style stealth to hide both the client and the kernel module themselves. The server and the agent, by contrast, are typically both installed on infrastructure the attacker controls. The server keeps a MySQL database for registration, authentication and tasking of the agent. The agent receives commands from the server; its main purpose is to upload and download files from the client and to forward network traffic through port relays.
To defend against the Drovorub malware, it is recommended to update the Linux kernel to version 3.7 or later. Rules for both network-based and host-based detection are also available in the report, which additionally covers memory analysis to help find any instances of the malware.
The fact that these tools are bundled together makes it easier to write scripts that could lead to the targeting of older production systems, which may not be so assured of having working, current backups. Also, when you look at where Linux is mostly used (business/production servers, industrial PLCs and IoT devices), it suggests these tools were most likely created for industrial or commercial espionage. Add to that the fact that all of this works on kernel versions much older than current ones, and I am led to believe there are far more malware tools out there that are just as effective against newer Linux systems.
These two reports made me pause and check what I was doing with the Linux system on my laptop. I ran through a list of things, from checking my kernel version to how my Bluetooth service launched and ran. I even realized that the install I had performed hadn't really been configured with a firewall at all. So, no matter how secure your castle feels, it's always a good idea to go out and check for cracks in the foundation.
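A quick self-audit in the spirit of the checks described above, as an added example that is not part of the original newsletter: the kernel thresholds (5.9 for BleedingTooth, 3.7 for Drovorub) come from the text, while the unit name bluetooth.service and the firewall tools probed (ufw, firewalld, iptables) are assumptions about a typical systemd-based distribution.

```shell
#!/bin/sh
# Added self-audit example, not from the newsletter. Thresholds come from the text
# (5.9+ BleedingTooth, 3.7+ Drovorub); service/firewall names are assumptions; firewall probes need root.
# version_ge A B: exit 0 when kernel version A is at least B. Only the numeric
# major.minor.patch prefix is compared ("5.9.0-rc1", "4.15.0-112-generic" work).
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}   # missing part counts as 0
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}
# check_kernel LABEL MIN: warn (exit 1) when the running kernel is below MIN.
check_kernel() {
    running=$(uname -r)
    version_ge "$running" "$2" && { echo "OK    kernel $running meets the $1 threshold ($2+)"; return 0; }
    echo "WARN  kernel $running is below the $1 threshold ($2+)"; return 1
}
# Is BlueZ's daemon running? An unused but active Bluetooth stack is pure exposure.
check_bluetooth() {
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet bluetooth.service 2>/dev/null; then
        echo "INFO  bluetooth.service is active; disable it if Bluetooth is unused"
    else
        echo "OK    bluetooth.service is not active (or no systemd to ask)"
    fi
}
# Any host firewall at all? Probes ufw, firewalld and iptables in turn.
check_firewall() {
    command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | grep -q '^Status: active' && { echo "OK    ufw is active"; return 0; }
    command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state 2>/dev/null | grep -qx running && { echo "OK    firewalld is running"; return 0; }
    command -v iptables >/dev/null 2>&1 && iptables -S 2>/dev/null | grep -qv '^-P .* ACCEPT$' && { echo "OK    iptables has rules beyond ACCEPT policies"; return 0; }
    echo "WARN  no active host firewall detected"; return 1
}
# Run every check, count warnings, and always exit 0 so the report is complete.
main() {
    w=0
    check_kernel BleedingTooth 5.9 || w=$((w + 1))
    check_kernel Drovorub 3.7 || w=$((w + 1))
    check_bluetooth
    check_firewall || w=$((w + 1))
    echo "$w warning(s)"
}
main
```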