Interesting security advisory published by US Agency


  • This topic has 11 replies, 6 voices, and was last updated Aug 15-11:22 am by christophe.
Viewing 12 posts - 1 through 12 (of 12 total)
  • #40263
    Moderator
    ModdIt

    National Security Agency / Federal Bureau of Investigation Cybersecurity Advisory

    Attacks on Linux systems from the bad guys… Or maybe smokebomb because US spies on nobody.

    Includes detailed technical information on the Drovorub malware, guidance on how to detect Drovorub on infected systems, and mitigation

    https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

    #40269
    Member
    Xecure

    Thanks, ModdIt. Very interesting read.

    Some points for curious people who don’t have the time to check it out:

    What is Drovorub?

    Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure (T1071.0011); file download and upload capabilities (T1041); execution of arbitrary commands as “root” (T1059.004); and port forwarding of network traffic to other hosts on the network (T1090). The kernel module rootkit uses a variety of means to hide itself and the implant on infected devices (T1014), and persists through reboot of an infected machine unless UEFI secure boot is enabled in “Full” or “Thorough” mode.

    […]

    Preventative Mitigations

    Apply Linux Updates. […] System administrators should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement.
    Prevent Untrusted Kernel Modules. System owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system.[…]
    Activating UEFI Secure Boot is necessary to ensure that only signed kernel modules can be loaded.

    Hopefully, some day we can get Microsoft to accept antiX kernels (or at least MX kernels) and sign them as secure so we can use “Secure Boot”. Not much hope in this as most antiX is a small distro, with a small amount of users, and most of these users have no UEFI, as their computers are old (so most will not care).

    As a side note, Russian hackers are now targeting my country for our low security Remote Desktop Access standards (many companies have started to set up Remote Desktop Access for their workers, trying to avoid corona virus spreading in the company, promoting “tele-work”). Recently a company had to pay 10 million dollars to free their system from a Ransomware attack to Russian hackers.

    Also, this month a Massive Dump of intel files, sourcecode and information has spread on the web like wildfire, proving that they have a few backdoors set up for the USA “Intelligence” Agency.

    Will we ever be safe from illegal and “legal” hackers, spies and governments? The only solution is prevention.

    antiX Live system enthusiast.
    General Live Boot Parameters for antiX.

    #40276
    Member
    olsztyn

    Not much hope in this as most antiX is a small distro, with a small amount of users, and most of these users have no UEFI, as their computers are old (so most will not care).

    If I am not mistaken even the new(er) computers with UEFI do not usually have secure boot turned on for convenience. I am not sure if secure boot is turned on when you buy a new laptop (typically with Windows) though. If my conjecture is true then new or old, still not using signed kernels.
    Therefore most of Linux installations seem affected unless you are lucky to run antiX with no persistence (Frugal or Live that is). Out of all Linux distros only antiX can be easily set with no persistence, so it is not really vulnerable to this malware – at least if it gets infected during session, reboot will return antiX to clean state. No permanent infection.
    Nothing beats antiX Frugal or Live for security…
    For similar reason the Live TENS (Trusted End Node System) published by Department of Defense should not be vulnerable across reboot and this one is recommended for remote use by military and government. It is available to public for download but I would still recommend antiX as much more convenient to use.

    • This reply was modified 1 year, 1 month ago by olsztyn.
    #40300
    Moderator
    ModdIt

    Wanted to learn about Live TENS (Trusted End Node System) published by Department of Defense as mentioned by olsztyn.
    Browser refuses to connect:

    Warning: Potential Security Risk Ahead
    Firefox Browser detected a potential security threat and did not continue to http://www.spi.dod.mil. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

    I think using live no persistence is good, better to use a read only media to boot with, padded and finalised so no space available for maximum protection against compromise.

    @ xsecure, the TPM module is a black box with a mini OS. It is not trusted by government in many countries because of concerns it can possibly be remotely used for access on a system with power supply available.

    • This reply was modified 1 year, 1 month ago by ModdIt. Reason: spelling
    #40316
    Member
    Xecure

    @ xsecure, the TPM module is a black box with a mini OS. It is not trusted by government in many countries because of concerns it can possibly be remotely used for access on a system with power supply available.

    I understand. But everyone is pushing for UEFI Secure Boot nowadays. I have seen many angry posts in mxforums about having to disable Secure Boot, about how low and insecure this and similar distros are, that Ubuntu/Linux Mint/pure Debian/Pop!_OS/Fedora/openSUSE/etc. are better because they think of the users’ security, etc.

    For this case, Drovorub, there are two options:
    A. DON’T install kernel modules from the internet.
    B. Use UEFI Secure Boot
    As you can imagine, this is another reason people will push for Secure Boot.

    antiX Live system enthusiast.
    General Live Boot Parameters for antiX.
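    The two posts above boil the advisory's preventative mitigations down to a kernel of 3.7 or later, loading only signed kernel modules, and UEFI Secure Boot. The script below is an added, defender-side audit of those three points on a running Linux host; it is not part of the advisory or of any forum post. It reads only standard kernel interfaces (`uname -r`, `/sys/module/module/parameters/sig_enforce`, the `SecureBoot` EFI variable under efivarfs, and the taint flags in `/proc/modules`, where `E` marks a module loaded without a valid signature); the function names and the "audit" argument are my own.

```shell
#!/bin/sh
# Added example (not from the advisory or the forum thread): read-only audit of
# the three Drovorub mitigations quoted above. Helper names are assumptions;
# the file paths are standard Linux kernel interfaces.

# kernel_at_least MAJOR.MINOR RELEASE -> exit 0 if RELEASE >= MAJOR.MINOR
# Handles release strings such as "5.4.0-42-generic" or "3.10.0-1160.el7.x86_64".
kernel_at_least() {
    want_major=${1%%.*}; want_minor=${1#*.}; want_minor=${want_minor%%.*}
    have_major=${2%%.*}; have_major=${have_major%%[!0-9]*}
    rest=${2#*.}; have_minor=${rest%%.*}; have_minor=${have_minor%%[!0-9]*}
    [ "${have_major:-0}" -gt "$want_major" ] && return 0
    [ "${have_major:-0}" -eq "$want_major" ] && [ "${have_minor:-0}" -ge "$want_minor" ]
}

# sig_enforce_state FILE -> "enforced" | "not enforced" | "unknown"
# FILE is normally /sys/module/module/parameters/sig_enforce (contents Y or N).
sig_enforce_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        Y) echo enforced ;;
        N) echo "not enforced" ;;
        *) echo unknown ;;
    esac
}

# secureboot_state FILE -> "enabled" | "disabled" | "unknown"
# FILE is the efivarfs SecureBoot variable: 4 bytes of attributes, then 1 data byte.
secureboot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# unsigned_modules FILE -> names of loaded modules whose taint flags contain E
# FILE is normally /proc/modules; the flags are the final "(...)" field.
unsigned_modules() {
    [ -r "$1" ] || return 0
    awk '$NF ~ /^\(.*E.*\)$/ { print $1 }' "$1"
}

# audit_host: run all checks against the live system and print a summary.
audit_host() {
    rel=$(uname -r)
    if kernel_at_least 3.7 "$rel"; then
        echo "kernel $rel: module signature enforcement is available"
    else
        echo "kernel $rel: older than 3.7, update the kernel"
    fi
    echo "module signature enforcement: $(sig_enforce_state /sys/module/module/parameters/sig_enforce)"
    echo "UEFI Secure Boot: $(secureboot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)"
    unsigned=$(unsigned_modules /proc/modules)
    if [ -n "$unsigned" ]; then
        echo "loaded modules without a valid signature (taint flag E):"
        echo "$unsigned"
    else
        echo "no loaded module carries the unsigned-module taint flag"
    fi
}

# Run the audit only when invoked as: sh audit.sh audit
if [ "${1-}" = "audit" ]; then
    audit_host
fi
```

Run it as `sh audit.sh audit`. A host that reports `not enforced` or `disabled` here is in the state the advisory warns about: a kernel module can be loaded without a valid signature, which is exactly what the Drovorub rootkit needs to persist across reboots. Note that `sig_enforce` set to `N` still allows unsigned modules while merely tainting the kernel, so the third check (the `E` taint flag) is the one that tells you whether such a module is already resident.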

    #40321
    Moderator
    BobC

    If I was to use a machine booted into frugal without persistence as a Browser appliance, what would be a good, safe and easy way to transfer selected files to my main system?

    In other words I want to be able to have both running, and the main one safe from potential risks, with me deciding what to send to it as needed. Most of the time I am just reading emails or searching and browsing sites, finding solutions, and grabbing snippets of code or files from various places.

    I would imagine lots of people have similar needs, usage and concerns.

    #40323
    Member
    olsztyn

    If I was to use a machine booted into frugal without persistence as a Browser appliance, what would be a good, safe and easy way to transfer selected files to my main system?

    Even if your Live/Frugal is run with no persistence for resilience to unwanted changes, you can store data in Live-USB-Storage, created on Live/Frugals for such purpose.
    It is accessible from any system. There are many other ways as well.
    Principle is that this way you save only what you explicitly want to save. Nothing is saved under cover without your knowledge.

    • This reply was modified 1 year, 1 month ago by olsztyn.
    #40329
    Moderator
    caprea

    Hopefully, some day we can get Microsoft to accept antiX kernels (or at least MX kernels) and sign them as secure so we can use “Secure Boot”.

    The point is that you have to pay a fee to Microsoft and the safe boot for the distribution is up and running. Maybe I’m wrong, I think this is not necessarily the happy solution for everyone.
    By the way, I’m not even sure if it’s worth the money, I don’t have the necessary knowledge, but getting Microsoft and security under one roof is a problem for me anyway.

    #40332
    Member
    olsztyn

    By the way, I’m not even sure if it’s worth the money, I don’t have the necessary knowledge, but getting Microsoft and security under one roof is a problem for me anyway.

    I am not sure of secure boot value for typical Linux users. As much as I would agree that it might be important for companies, where it is necessary to safeguard data however in general it seems more smoke and mirrors and not worth implementing across the board.
    If there are those ‘angry voices’ on MX forum, are those based on real need of users or just driven by publicity and formality of having this feature…
    Typically there is no such thing as ‘Public Opinion’. There is only ‘Published Opinion’, driven by agenda and politics.

    #40336
    Moderator
    caprea

    There is certainly a big problem for people who have one of these boxes, mainly laptops, where secure boot cannot be turned off in UEFI. I hear that exists.
    Don’t buy one of those, maybe.

    #40338
    Member
    olsztyn

    There is certainly a big problem for people who have one of these boxes, mainly laptops, where secure boot cannot be turned off in UEFI. I hear that exists.
    Don’t buy one of those, maybe.

    Indeed. I think such laptops are practically useless for anything but what was installed by manufacturer…

    #40339
    Moderator
    christophe

    After reading the advisory & other articles referencing it, it looks like a state military hacking mechanism. For example:

    https://bunchofgood.com/post/626391717944377344/nsa-and-fbi-warn-that-new-linux-malware-threatens

    Thursday’s advisory didn’t identify the organizations Drovorub is targeting, or provide even broad descriptions of the targets or geographies where they’re located. It also didn’t say how the hackers are infecting servers. The group often relies on malicious spam or phishing attacks that either infect computers or steal passwords of targets. It also exploits vulnerabilities on devices that haven’t been patched.

    So, not to belittle security concerns in general, but — for a home-use computer — it seems to me to be business as usual.

    “The group often relies on malicious spam or phishing attacks… It also exploits vulnerabilities on devices that haven’t been patched.”

    This seems like internet security 101 basics to me.

    We have enough fear these days (IMHO).

    confirmed antiX frugaler, since 2018
