CyberSecurity news

FlagThis - #Linux

Bill Toulas@BleepingComputer //
A new cyber espionage campaign dubbed "ClickFix" is actively targeting Linux systems, marking a concerning shift in focus for threat actors. This campaign, characterized by its precision and stealth, is not a generic, scattershot attack, but rather a calculated effort by groups like APT36, known for their cyberespionage capabilities. Attackers are exploiting weaknesses within Linux environments, highlighting both the growing sophistication of the attackers and the increasing reliance on Linux by critical infrastructure and enterprises worldwide. The rise of ClickFix attacks serves as a wake-up call, demonstrating that attackers are now willing to go deeper and target smarter, making it harder for administrators who may have previously felt secure with standard hardening measures.

The core technique of ClickFix attacks involves social engineering to deceive users into executing malicious commands. Attackers have utilized websites that mimic legitimate entities, such as India’s Ministry of Defence, to lure victims. When users visit these sites, they are profiled based on their operating system and redirected to a tailored attack flow. On Linux, this often involves presenting a CAPTCHA page that, when interacted with, copies a shell command to the user’s clipboard. The user is then instructed to execute this command, which can lead to the installation of malware. The command used in these attacks drops a payload on the target system, which, in its current form, fetches a JPEG image from the attacker’s server.

APT36 is reportedly linked to Pakistan and has been known to use sophisticated social engineering tactics to target Indian entities. Historically, APT36 primarily targeted Windows-based environments, but the ClickFix campaign signals a significant evolution in their strategy. This group focuses heavily on espionage, collecting information from government agencies, academic institutions, and defense sectors. What distinguishes APT36 from other advanced persistent threats is its knack for exploiting tools and techniques that leave systems vulnerable without raising immediate alarms. The cross-platform nature of ClickFix attacks, which now include Linux, highlights their versatility and the need for robust defensive measures.

References:
  • linuxsecurity.com: A new campaign, slyly dubbed "ClickFix," is burrowing into Linux environments. It's not some generic, scattershot attack; this is precise, calculated work by APT36, a group making waves with its knack for cyberespionage.
  • The DefendOps Diaries: The Rising Threat of ClickFix Attacks on Linux Systems
  • BleepingComputer: Hackers now testing ClickFix attacks against Linux targets
  • www.scworld.com: New ClickFix attacks seek to compromise Windows, Linux systems
  • The DefendOps Diaries: The ClickFix Attack: Unmasking the Fake CAPTCHA Deception
  • securityaffairs.com: Security researchers found that the iClicker website was compromised with a ClickFix attack, a type of social engineering attack using fake CAPTCHA tests to distribute malware.
  • www.bleepingcomputer.com: The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.

@betanews.com //
A new proof-of-concept rootkit, dubbed Curing, has been developed by ARMO researchers to demonstrate a significant security blind spot in Linux runtime security. This rootkit leverages the 'io_uring' interface, a Linux asynchronous I/O mechanism, to bypass traditional system call monitoring. This means that many existing security tools like Falco, Tetragon, and even Microsoft Defender are unable to detect malicious activity carried out using this method, leaving systems vulnerable to stealthy rootkit attacks. The blind spot stems from the fact that io_uring allows user applications to perform actions without issuing the corresponding standard system calls, rendering security tools that depend on system call monitoring ineffective.

io_uring was introduced in Linux kernel version 5.1 in March 2019, designed to improve I/O operation efficiency by using circular buffers (submission queue and completion queue) between the kernel and user space. However, ARMO's Curing rootkit exploits this mechanism to communicate with a command-and-control server, fetch commands, and execute them on the infected host without triggering traditional security alerts. This is achieved by performing operations using io_uring instead of direct system calls.

ARMO's analysis found that popular Linux runtime security tools are blind to io_uring-based operations. This is because these tools rely heavily on system call hooking, a method bypassed by io_uring. While the security risks associated with io_uring have been acknowledged, as evidenced by Google's decision to limit its use across Android, ChromeOS, and its production servers due to its exploitation potential, a broader industry solution is still needed to address this Linux kernel blind spot effectively. Recommendations for detecting io_uring-based threats include monitoring for anomalous usage of io_uring, leveraging Kernel Runtime Security Instrumentation (KRSI), and identifying alternative hook points across the Linux stack.
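Added example (not ARMO's code and not part of any tool named above): a baseline host check for the first recommendation, listing processes that hold io_uring descriptors by reading /proc, plus the kernel.io_uring_disabled sysctl (Linux 6.6 and later) that restricts io_uring_setup. It assumes a Linux host with /proc mounted; the process list is only complete when run as root, and it complements rather than replaces kernel-level hooks such as KRSI.

```python
import os
from typing import Dict, Iterable, List, Optional, Tuple

IO_URING_LINK = "anon_inode:[io_uring]"        # readlink target of an io_uring fd
SYSCTL = "/proc/sys/kernel/io_uring_disabled"   # present on kernel 6.6 and later
SYSCTL_MEANING = {"0": "io_uring_setup allowed for every process",
                  "1": "refused unless CAP_SYS_ADMIN or member of io_uring_group",
                  "2": "refused for every process"}

def io_uring_users(fd_links: Iterable[Tuple[int, str, str]]) -> Dict[int, List[str]]:
    """Keep only io_uring descriptors from (pid, fd, link_target) triples."""
    hits: Dict[int, List[str]] = {}
    for pid, fd, target in fd_links:
        if target == IO_URING_LINK:
            hits.setdefault(pid, []).append(fd)
    return hits

def walk_proc_fds(proc: str = "/proc") -> List[Tuple[int, str, str]]:
    """(pid, fd, readlink target) for every readable fd symlink; needs root for all pids."""
    out: List[Tuple[int, str, str]] = []
    if not os.path.isdir(proc):            # not Linux, or /proc not mounted
        return out
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                    # other user's process, or it exited
            continue
        for fd in fds:
            try:
                out.append((int(name), fd, os.readlink(os.path.join(fd_dir, fd))))
            except OSError:
                continue
    return out

def describe_sysctl(value: Optional[str]) -> str:
    # None means the sysctl file is absent, i.e. the kernel predates 6.6
    return SYSCTL_MEANING.get(value, "sysctl absent (kernel < 6.6): io_uring cannot be restricted")

def read_sysctl(path: str = SYSCTL) -> Optional[str]:
    try:
        return open(path).read().strip()
    except OSError:
        return None

if __name__ == "__main__":
    print("kernel.io_uring_disabled:", describe_sysctl(read_sysctl()))
    for pid, fds in io_uring_users(walk_proc_fds()).items():
        print(f"pid {pid} holds io_uring fds {fds}: compare against known io_uring users")
```

Legitimate io_uring users (some databases and async runtimes) will appear too, so the value of the listing is the diff against a known baseline for the host.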

References:
  • Talkback Resources: ARMO researchers identified a blind spot in Linux runtime security tools caused by the io_uring interface, leading to the development of the Curing rootkit and highlighting the need for enhanced monitoring solutions compatible with new Linux kernel features.
  • The DefendOps Diaries: Addressing Security Challenges in Linux's io_uring Interface
  • The Hacker News: New Linux Rootkit Exploits io_uring, Evades Detection ARMO’s Curing rootkit uses io_uring to bypass system call monitoring—Falco, Tetragon, and even Microsoft Defender can’t see it. Attackers can run commands without triggering system calls.
  • BleepingComputer: Linux 'io_uring' security blindspot allows stealthy rootkit attacks
  • The Hacker News: Linux io_uring PoC Rootkit Bypasses System Call-Based Threat Detection Tools
  • Schneier on Security: The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market.
  • sysdig.com: Detecting and Mitigating io_uring Abuse for Malware Evasion
  • poliverso.org: Poliverso Discusses the Rootkit for Linux
  • www.scworld.com: Clandestine rootkit compromise possible with Linux io_uring interface issue
  • betanews.com: Hackers bypass Linux security with ARMO Curing rootkit
  • www.csoonline.com: Proof-of-concept bypass shows weakness in Linux security tools, claims Israeli vendor
  • securityonline.info: Critical Flaw Exposes Linux Security Blind Spot: io_uring Bypasses Detection
  • Techlore: Linux Security Alert: "Armo Curing" Rootkit 🚨 Security researchers have discovered a new rootkit targeting Linux systems that can bypass security measures by exploiting the Linux kernel directly.

The Hacker News //
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.

The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat.

References:
  • securityonline.info: Outlaw Linux Malware: Persistent Threat Leveraging Simplicity
  • www.scworld.com: Additional details on Outlaw Linux cryptomining botnet emerge
  • Cyber Security News: Attackers aim to find zero-days in the PAN-OS gateways they can exploit.
  • The Hacker News: Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials.

@itpro.com //
Qualys security researchers have uncovered three bypasses in Ubuntu Linux's unprivileged user namespace restrictions, a security feature intended to reduce the attack surface. These bypasses, present in Ubuntu versions 23.10 and 24.04, could enable a local attacker to gain full administrative capabilities. The unprivileged user namespace restrictions were designed to provide security isolation for applications; however, the newly discovered flaws create a weak spot that attackers can exploit.

The bypasses allow a local attacker to create user namespaces with full administrator capabilities. One method involves exploiting the aa-exec tool, while another utilizes Busybox. A third involves LD_PRELOADing a shell into programs with AppArmor profiles. Successful exploitation could allow attackers to bypass security measures, exploit vulnerabilities in kernel components, and potentially gain full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025.

References:
  • Full Disclosure: Qualys Security Advisory Three bypasses of Ubuntu's unprivileged user namespace restrictions.
  • The DefendOps Diaries: Understanding Security Bypasses in Ubuntu's Unprivileged User Namespaces
  • www.itpro.com: Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
  • www.networkworld.com: Ubuntu namespace vulnerability should be addressed quickly: Expert
  • BleepingComputer: New Ubuntu Linux security bypasses require manual mitigations
  • bsky.app: Details of how Qualys identifies security bypasses on Ubuntu
  • BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could enable a local attacker to exploit vulnerabilities in kernel components.
  • securityonline.info: Ubuntu Security Alert: Three Ways to Bypass User Namespace Restrictions
  • Cyber Security News: New Ubuntu Security Bypasses Allow Attackers to Exploit Kernel Vulnerabilities

Field Effect@Blog //
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks, targeting universities and government organizations across North America and Asia. This previously undocumented backdoor employs advanced stealth tactics to evade detection and maintain persistence on compromised systems. The method used to originally deliver Auto-Color is currently unknown; however, researchers have observed that it is often executed with unassuming file names like "door," "egg," or "log."

Once executed, Auto-Color installs a malicious library named libcext.so.2, disguised as the legitimate libcext.so.0 library, and copies itself to the /var/log/cross/auto-color system directory. If running with root privileges, the malware modifies the '/etc/ld.preload' file to achieve persistence. If not running with root privileges, it skips this step. Auto-Color grants malicious actors full remote access to compromised machines, making removal exceptionally difficult without specialized tools.
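Added example (not Palo Alto Networks' code): a preload-file audit for the persistence step described above. It reads both /etc/ld.preload, the path given here, and /etc/ld.so.preload, the file glibc's dynamic loader actually consults, and reports any entry the administrator does not expect, the libcext.so.2 name, and the /var/log/cross/auto-color installation path; the expected-entries list is a constructed placeholder to be filled per host.

```python
import os
import re
from typing import Iterable, List

# Indicators taken from the Auto-Color summary above.
AUTO_COLOR_PATH = "/var/log/cross/auto-color"
ROGUE_LIB = "libcext.so.2"                 # impersonates the legitimate libcext.so.0
# The report names /etc/ld.preload; glibc's loader reads /etc/ld.so.preload, so check both.
PRELOAD_FILES = ("/etc/ld.preload", "/etc/ld.so.preload")

def audit_preload(text: str, expected: Iterable[str] = ()) -> List[str]:
    """Findings for the text of a preload file.

    glibc treats the file as library paths separated by whitespace or ':',
    with '#' starting a comment; every entry is injected into every dynamically
    linked process, so anything outside the expected list is reported."""
    findings: List[str] = []
    known = set(expected)                  # constructed placeholder, fill per host
    for raw in text.splitlines():
        for entry in re.split(r"[\s:]+", raw.split("#", 1)[0].strip()):
            if not entry or entry in known:
                continue
            note = "unexpected preload entry " + entry
            if os.path.basename(entry) == ROGUE_LIB:
                note += " (matches Auto-Color's " + ROGUE_LIB + ")"
            findings.append(note)
    return findings

def audit_host(expected: Iterable[str] = ()) -> List[str]:
    """Live check of the preload files plus the installation directory."""
    findings: List[str] = []
    for path in PRELOAD_FILES:
        try:
            text = open(path).read()
        except OSError:
            continue                       # absent is the normal state
        findings += [f"{path}: {f}" for f in audit_preload(text, expected)]
    if os.path.exists(AUTO_COLOR_PATH):
        findings.append(AUTO_COLOR_PATH + " exists (Auto-Color installation path)")
    return findings

if __name__ == "__main__":
    for finding in audit_host() or ["no Auto-Color indicators found"]:
        print(finding)
```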

References:
  • Blog: Linux Systems Threatened by New ‘Auto-Color’ Backdoor
  • Information Security Buzz: ‘Auto-Color’ Linux Malware Uses Advanced Stealth Tactics to Evade Detection
  • The Hacker News: New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems