Thousands of Linux Systems Infected By Stealthy Malware Since 2021
- Reference: 0175191767
- News link: https://linux.slashdot.org/story/24/10/04/1759201/thousands-of-linux-systems-infected-by-stealthy-malware-since-2021
- Source link: [1] https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/
intrusion detection systems (Score:5, Informative)
It's pretty important to have some intrusion detection system enabled on your Linux servers.
Tripwire is a classic but there are others like AIDE. You can also do some very limited detection using the distro's own package checksum tools.
Enabling kernel module signatures is easy these days and default on many distros. It keeps some really nasty business from being easily loaded.
Keeping people out in the first place is of course your best first line of defense. Sshguard or fail2ban is a good start, but there are lots of other options as well.
At the end of the day, keep back-ups of important data, and wipe systems you suspect are compromised. If you feel that there is a firmware compromise, you will of course take that system completely out of service and replace it with new hardware.
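As an added illustration of the integrity-checking idea in this comment (my own example, not code from the post, Tripwire or AIDE), a minimal sha256 baseline-and-compare in POSIX sh. It assumes GNU coreutils (sha256sum, find -exec +) on Linux and file paths without spaces; real tools also record owner, mode and mtime and keep the baseline off-host or read-only, which this does not.

```shell
#!/bin/sh
# Constructed example: record a sha256 baseline of every regular file under a
# directory, then report files that were added, modified or removed since.
# The baseline must live outside the scanned tree (ideally off-host), or an
# attacker with write access can simply regenerate it.

# hash_tree DIR -> "hash  ./relative/path" lines, sorted by path for stable diffs
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# fim_baseline DIR BASELINE_FILE
fim_baseline() {
    hash_tree "$1" > "$2"
}

# fim_check DIR BASELINE_FILE
# Prints one line per drifted file; returns 1 if anything drifted, else 0.
# Limitation: awk splits on whitespace, so paths containing spaces are not handled.
fim_check() {
    dir=$1; base=$2
    cur=$(mktemp)
    hash_tree "$dir" > "$cur"
    drift=0
    awk 'NR == FNR { base[$2] = $1; next }          # first file: baseline map
         {
             seen[$2] = 1
             if (!($2 in base))        { print "ADDED    " $2; d = 1 }
             else if (base[$2] != $1)  { print "MODIFIED " $2; d = 1 }
         }
         END {
             for (p in base) if (!(p in seen)) { print "REMOVED  " p; d = 1 }
             exit (d ? 1 : 0)
         }' "$base" "$cur" || drift=1
    rm -f "$cur"
    return $drift
}

# Usage: fim_baseline /etc /var/lib/fim/etc.base   (run once, then protect the file)
#        fim_check    /etc /var/lib/fim/etc.base   (from cron; non-zero exit = drift)
```

Package-manager verification (for example `rpm -Va` or `debsums`) covers only files a package owns, which is why the comment calls it "very limited"; a baseline like this also covers local config and anything dropped into the tree.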
Apache RocketMQ Gets Pwned and you blame Linux? (Score:2)
Say what? Some shitty MQ doucheware gets hacked and somehow this is the fault of Linux? Uhm, I don't think so. Try re-writing these clickbait headlines with your thinking cap on.
Re: (Score:3)
By Linux, do you mean Linux the kernel, Linux the industry/community, individual Linux distros, or system administrators of Linux servers?
The tools are there. Distros include them. And sysadmins are using the tools.
The blame lies with the vuln in Apache RocketMQ, which the summary makes clear in the first sentence.
But more broadly the blame lies with administrators responsible for mitigating and avoiding the impact of vulnerabilities on the systems they control. Nobody is going to take responsibility for you
Re: (Score:2)
Well, RocketMQ uses root access for administration. So ... admins implicitly gave it permission to overwrite files.
If they used a distro that supports SELinux and set up ACL attributes correctly, then overwriting system files through some goofy cloud admin tool isn't really possible anymore.
There are distros that come correctly configured out-of-the-box with SELinux. Of course the security itself makes everything take extra steps and it's harder for sysadmins to just cut-and-paste instructions off stackoverf
Re: (Score:1)
> Say what? Some shitty MQ doucheware gets hacked and somehow this is the fault of Linux? Uhm, I don't think so. Try re-writing these clickbait headlines with your thinking cap on.
Shut up. “Thousands of Windows systems infected with..” wouldn’t have even batted an eye, been accurate, and you know it. Headline is actually fine.
Re: (Score:3)
The headline leaves out the intrusion mechanism, which is not Linux but actually a leaky Apache RocketMQ; there is something called journalism, in which details and specifics actually matter. This headline is a giant misdirect for stupid clickbait.
Re: (Score:1)
Every accusation is a confession.
Simple (Score:2)
systemctl restart perfctl
How about other *Nix Systems? (Score:2)
Obviously not Linux; but are other *Nix systems affected?
For example, macOS?
CrowdStrike would have prevented this (Score:2)
It's too bad they didn't use an intrusion detection and response solution.
Re: (Score:2)
You are aware that CrowdStrike can also be used to "protect" Linux systems? And that there have been two outages relatively recently which had a lot in common with that Windows disaster a few months back? I think they support one Red Hat configuration and one Debian configuration, but expecting them to test their updates before distributing them appears to be overly optimistic.
Re: (Score:2)
> It's too bad they didn't use an intrusion detection and response solution.
While also stopping every other bit of traffic passing through, to, and from your server. /s
CrowdStrike is an amazingly effective traffic block tool. /s
I heard that CrowdStrike (Score:2)
Has a solution for these kinds of problems.
Re: LOLZ! (Score:2)
"misconfigurations" If you use a trivially guessable root password or install sketchy vulnerable third-party software, all bets are off regardless of how good Linux is. But I bet that had they had SELinux enforcing or running fapolicyd (standard built-in security features) they wouldn't have been hacked.