CyberSecurity news

FlagThis - #linux

@itpro.com //
Qualys security researchers have uncovered three bypasses in Ubuntu Linux's unprivileged user namespace restrictions, a security feature intended to reduce the attack surface. These bypasses, present in Ubuntu versions 23.10 and 24.04, could enable a local attacker to gain full administrative capabilities. The unprivileged user namespace restrictions were designed to provide security isolation for applications, however, the newly discovered flaws create a weak spot that attackers can exploit.

The bypasses allow a local attacker to create user namespaces with full administrator capabilities. One method involves exploiting the aa-exec tool, while another utilizes Busybox. A third involves LD_PRELOADing a shell into programs with AppArmor profiles. Successful exploitation could allow attackers to bypass security measures, exploit vulnerabilities in kernel components, and potentially gain full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Full Disclosure: Qualys Security Advisory Three bypasses of Ubuntu's unprivileged user namespace restrictions.
  • The DefendOps Diaries: Understanding Security Bypasses in Ubuntu's Unprivileged User Namespaces
  • www.itpro.com: Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
  • www.networkworld.com: Ubuntu namespace vulnerability should be addressed quickly: Expert
  • BleepingComputer: New Ubuntu Linux security bypasses require manual mitigations
  • bsky.app: Details of how Qualys identifies security byasses on Ubuntu
  • BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could be enable a local attacker to exploit vulnerabilities in kernel components.
  • securityonline.info: Ubuntu Security Alert: Three Ways to Bypass User Namespace Restrictions
  • BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could be enable a local attacker to exploit vulnerabilities in kernel components.
  • Cyber Security News: New Ubuntu Security Bypasses Allow Attackers to Exploit Kernel Vulnerabilities
Classification:
  • HashTags: #Ubuntu #Linux #Vulnerability
  • Company: Ubuntu
  • Target: Ubuntu systems
  • Product: Ubuntu Linux
  • Feature: security bypass
  • Type: Vulnerability
  • Severity: Medium
info@thehackernews.com (The@The Hacker News //
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.

The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • securityonline.info: Outlaw Linux Malware: Persistent Threat Leveraging Simplicity
  • www.scworld.com: Additional details on Outlaw Linux cryptomining botnet emerge
  • Cyber Security News: Attackers aim to find zero-days in the PAN-OS gateways they can exploit.
  • The Hacker News: Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials.
Classification:
Field Effect@Blog //
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks, targeting universities and government organizations across North America and Asia. This previously undocumented backdoor employs advanced stealth tactics to evade detection and maintain persistence on compromised systems. The method used to originally deliver Auto-Color is currently unknown, however researchers have observed that it's often executed with unassuming file names like "door," "egg," or "log."

Once executed, Auto-Color installs a malicious library named libcext.so.2, disguised as the legitimate libcext.so.0 library, and copies itself to the /var/log/cross/auto-color system directory. If running with root privileges, the malware modifies the '/etc/ld.preload' file to achieve persistence. If not running with root privileges, it skips this step. Auto-Color grants malicious actors full remote access to compromised machines, making removal exceptionally difficult without specialized tools.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Blog: Linux Systems Threated by New ‘Auto-Color’ Backdoor
  • Information Security Buzz: ‘Auto-Color’ Linux Malware Uses Advanced Stealth Tactics to Evade Detection
  • The Hacker News: New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems
Classification:
  • HashTags: #Linux #Malware #Backdoor
  • Company: Palo Alto Networks
  • Target: Universities, Government
  • Product: libcext.so
  • Feature: Persistence
  • Malware: Auto-Color
  • Type: Malware
  • Severity: Major