Russian Malware Targets Linux, US Warns
The Russians are coming, again, this time with new malware targeting Linux systems, according to a U.S. advisory issued this week.
The FBI and the U.S. National Security Agency (NSA) dispatched a cybersecurity advisory on Thursday (Aug. 13) describing previously undisclosed malware targeting Linux dubbed “Drovorub”. The agencies pointed to a branch of Russia’s General Staff Main Intelligence Directorate, or GRU, as the source of the malware. The unit has also operated under the names “Fancy Bear” and APT28, as in “advanced persistent threat.”
According to the web site Threat Post, Drovorub’s espionage capabilities include stealing files and remotely controlling targeted computers. The U.S. advisory noted that the Russian malware toolset includes an implant coupled with a kernel module rootkit, which observers said makes detection difficult.
The U.S. advisory warns that Drovorub poses a particular threat to Defense Department and U.S. defense industrial base systems running the Linux kernel.
“To prevent a system from being susceptible to Drovorub’s hiding and persistence, system administrators should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement,” the 39-page advisory states.
“Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system,” it continued.
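The two recommendations above amount to a configuration state an administrator can verify: the running kernel refuses unsigned modules (the `module.sig_enforce` parameter, exposed at `/sys/module/module/parameters/sig_enforce` on kernels built with module signing support), and the kernel taint mask at `/proc/sys/kernel/tainted` shows that no unsigned module has already been accepted. The following script is an added example, not code from the advisory or the article; the function names and the sample taint values are assumptions, and the taint bit positions are those documented for the mainline kernel (bit 13 for an unsigned module, bit 12 for an out-of-tree module).

```shell
#!/bin/sh
# Added example (not from the advisory or the article): check whether a Linux
# host enforces kernel module signatures and whether an unsigned module has
# already been loaded. Function names and sample values are assumptions.

# Map the value of /sys/module/module/parameters/sig_enforce to a verdict.
# "Y" means the kernel refuses to load any module lacking a valid signature.
sig_enforce_verdict() {
  case "$1" in
    Y) echo "enforced" ;;
    N) echo "not-enforced" ;;
    *) echo "unknown" ;;
  esac
}

# The kernel taint mask (/proc/sys/kernel/tainted) is a bit field.
# Bit 13 (decimal 8192) is set once an unsigned module has been loaded (flag 'E');
# bit 12 (decimal 4096) marks an out-of-tree module (flag 'O').
taint_unsigned_module() {
  [ $(( $1 & 8192 )) -ne 0 ] && echo yes || echo no
}

taint_out_of_tree_module() {
  [ $(( $1 & 4096 )) -ne 0 ] && echo yes || echo no
}

# Combine both signals into one status line, the way a compliance check would.
module_signing_status() {
  sig="$1"; taint="$2"
  v=$(sig_enforce_verdict "$sig")
  u=$(taint_unsigned_module "$taint")
  if [ "$v" = "enforced" ] && [ "$u" = "no" ]; then
    echo "OK: signature enforcement on, no unsigned module loaded"
  elif [ "$v" = "enforced" ]; then
    echo "WARN: enforcement on now, but an unsigned module was loaded earlier (taint=$taint)"
  else
    echo "FAIL: enforcement off (sig_enforce=$sig), unsigned-module taint=$u"
  fi
}

# Live check against the running kernel. Falls back to "unknown" / 0 when the
# files are absent (non-Linux host, or a kernel built without CONFIG_MODULE_SIG).
live_check() {
  se=unknown; tn=0
  [ -r /sys/module/module/parameters/sig_enforce ] && se=$(cat /sys/module/module/parameters/sig_enforce)
  [ -r /proc/sys/kernel/tainted ] && tn=$(cat /proc/sys/kernel/tainted)
  module_signing_status "$se" "$tn"
}

# Walk-through on constructed values (not captured from a real host):
module_signing_status Y 0       # OK
module_signing_status Y 12288   # WARN: 8192 (unsigned) | 4096 (out-of-tree)
module_signing_status N 0       # FAIL
```

Run `live_check` on a host to see its real state. A `WARN` result matters even after enforcement is switched on, because the taint bit is sticky for the lifetime of the boot: it records that an unsigned module got in before the setting took effect, so the host should be treated as suspect until rebooted and re-checked.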
Linux security flaws are hardly new. In 2016, for example, a vulnerability surfaced in an open source library component, affecting most Linux distributions and thousands of applications. More recently, cyber security firms have warned that the software supply chain, dominated by open source code, is becoming a conduit for injecting malware “upstream” that is then distributed “downstream” using trusted workflows and update mechanisms.
“One of the largest problems in the Linux community is that people tend to believe the hype that Linux is secure,” said Robert Meyers, channel solutions architect at One Identity, a privileged access management vendor.
“This tends to leave people not updating Linux as often as they should, or not completing the installations of kernel updates when they should,” Meyers added. “This type of attack is going to be more common than people realize. In other words, this is just one of many.”
Security experts also note that both Linux and Windows systems require frequent updates as threats evolve. “If you already patch and protect your systems, [the U.S. cyber advisory] should not be anything more than an announcement to keep your eyes open,” Meyers said. “If you do not, it is time to change your practices.”