Source: The Hacker News
A new proof-of-concept rootkit, dubbed Curing, has been developed by ARMO researchers to demonstrate a significant security blind spot in Linux runtime security. This rootkit leverages the 'io_uring' interface, a Linux asynchronous I/O mechanism, to bypass traditional system call monitoring. As a result, many existing security tools, including Falco, Tetragon, and even Microsoft Defender, are unable to detect malicious activity carried out this way, leaving systems exposed to stealthy rootkit attacks. The vulnerability stems from the fact that io_uring allows user applications to perform actions without issuing the standard system calls, rendering security tools that depend on system call monitoring ineffective.
io_uring was introduced in Linux kernel version 5.1 in March 2019, designed to improve I/O efficiency by using circular buffers (a submission queue and a completion queue) shared between the kernel and user space. ARMO's Curing rootkit exploits this mechanism to communicate with a command-and-control server, fetch commands, and execute them on the infected host without triggering traditional security alerts; it does so by performing its operations through io_uring instead of direct system calls. ARMO's analysis found that popular Linux runtime security tools are blind to io_uring-based operations because they rely heavily on system call hooking, which io_uring bypasses. The security risks of io_uring have already been acknowledged, as evidenced by Google's decision to limit its use across Android, ChromeOS, and its production servers because of its exploitation potential, but a broader industry solution is still needed to close this Linux kernel blind spot. Recommendations for detecting io_uring-based threats include monitoring for anomalous io_uring usage, leveraging Kernel Runtime Security Instrumentation (KRSI), and identifying alternative hook points across the Linux stack.
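One of the detection recommendations above is to watch for anomalous io_uring usage. The following is an added example, not ARMO's code, of the point-in-time version of that check: the kernel renders an io_uring file descriptor's `/proc/<pid>/fd` symlink as `anon_inode:[io_uring]`, so a scanner can list which processes hold such a descriptor and compare them against an allowlist of processes known to use io_uring legitimately. The sample fd map, the process names in it, and the allowlist are constructed for illustration.

```python
"""Added example (not ARMO's code): find processes holding io_uring instances
by reading /proc/<pid>/fd symlinks, which the kernel renders as
'anon_inode:[io_uring]' for io_uring file descriptors."""
import os
from dataclasses import dataclass

IO_URING_LINK = "anon_inode:[io_uring]"


@dataclass(frozen=True)
class Finding:
    pid: int
    comm: str
    fd_count: int  # number of io_uring descriptors the process holds


def find_io_uring_users(fd_map, allowlist=frozenset()):
    """fd_map maps pid -> (comm, [fd link targets]).  Return a Finding for every
    process that holds at least one io_uring descriptor and whose comm is not in
    allowlist (an assumed baseline of legitimate io_uring users on this host)."""
    findings = []
    for pid, (comm, targets) in sorted(fd_map.items()):
        count = sum(1 for t in targets if t == IO_URING_LINK)
        if count and comm not in allowlist:
            findings.append(Finding(pid, comm, count))
    return findings


def snapshot_proc(proc_root="/proc"):
    """Build an fd_map from the live /proc.  Seeing every process's fd table
    requires root (or CAP_SYS_PTRACE); unreadable entries are skipped."""
    fd_map = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"{proc_root}/{pid}/fd"
            targets = []
            for fd in os.listdir(fd_dir):
                try:
                    targets.append(os.readlink(f"{fd_dir}/{fd}"))
                except OSError:
                    pass  # descriptor closed between listdir and readlink
        except OSError:
            continue  # process exited or is not readable by this user
        fd_map[pid] = (comm, targets)
    return fd_map


# Constructed sample snapshot: pids, names and link targets are made up.
SAMPLE_FD_MAP = {
    1: ("systemd", ["/dev/null", "socket:[1234]"]),
    812: ("postgres", ["/dev/null", "anon_inode:[io_uring]"]),
    4410: ("helper", ["socket:[9999]", "anon_inode:[io_uring]", "anon_inode:[io_uring]"]),
}

if __name__ == "__main__":
    # Against the constructed sample, only 'helper' is reported.
    for finding in find_io_uring_users(SAMPLE_FD_MAP, allowlist={"postgres"}):
        print("sample:", finding)
    # Against the live host (run as root to see all processes).
    for finding in find_io_uring_users(snapshot_proc()):
        print("live:", finding)
```

A scan like this only catches a ring that exists at the moment of the scan, so short-lived rings slip past it; that is the gap the KRSI recommendation addresses, since a BPF LSM program attached to the io_uring-specific LSM hooks sees every ring as it is created. Where io_uring is not needed at all, kernels 6.6 and later can disable it outright through the `kernel.io_uring_disabled` sysctl.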
Source: The Hacker News
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.
The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat.
Source: ITPro
Qualys security researchers have uncovered three bypasses of Ubuntu Linux's unprivileged user namespace restrictions, a security feature intended to reduce the attack surface. These bypasses, present in Ubuntu versions 23.10 and 24.04, could enable a local attacker to gain full administrative capabilities. The unprivileged user namespace restrictions were designed to provide security isolation for applications; however, the newly discovered flaws create a weak spot that attackers can exploit.
The bypasses allow a local attacker to create user namespaces with full administrator capabilities. One method involves exploiting the aa-exec tool, while another utilizes Busybox. A third involves LD_PRELOADing a shell into programs with AppArmor profiles. Successful exploitation could allow attackers to bypass security measures, exploit vulnerabilities in kernel components, and potentially gain full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025.
Source: Field Effect blog
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks, targeting universities and government organizations across North America and Asia. This previously undocumented backdoor employs advanced stealth tactics to evade detection and maintain persistence on compromised systems. The method originally used to deliver Auto-Color is currently unknown; however, researchers have observed that it is often executed under unassuming file names like "door," "egg," or "log."
Once executed, Auto-Color installs a malicious library named libcext.so.2, disguised as the legitimate libcext.so.0 library, and copies itself to the /var/log/cross/auto-color system directory. If running with root privileges, the malware modifies the '/etc/ld.preload' file to achieve persistence. If not running with root privileges, it skips this step. Auto-Color grants malicious actors full remote access to compromised machines, making removal exceptionally difficult without specialized tools.
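Two of the persistence mechanisms in this digest, OUTLAW's cron jobs that launch components from hidden directories and Auto-Color's shared-library preload entry, leave traces in plain text files a defender can audit. The following added example, which is not code from Palo Alto Networks or from the OUTLAW analysis, implements both checks: it flags crontab lines whose command runs from a hidden path (or from a scratch directory, an assumption not drawn from either report) and grades every library listed in a preload file, treating entries outside the standard library directories as high priority. The standard `/etc/ld.so.preload` is audited alongside the `/etc/ld.preload` path named above; the crontab lines, preload entries and library locations in the samples are constructed.

```python
"""Added example (not from Palo Alto Networks or the OUTLAW analysis): audit two
persistence mechanisms described in the digest, cron jobs run from hidden
directories and shared-library preload files, over constructed samples and
optionally over the live host."""
import glob
import os
import re
from typing import Iterable, List, Tuple

# Preload files to audit: the standard one plus the path named in the report.
PRELOAD_FILES = ("/etc/ld.so.preload", "/etc/ld.preload")
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
# Scratch locations a dropper commonly stages into (assumption, not from the report).
SCRATCH_DIRS = ("/tmp", "/dev/shm", "/var/tmp")


def hidden_components(text: str) -> List[str]:
    """Path components beginning with a dot in any absolute path found in text
    ('.' and '..' are excluded)."""
    comps = []
    for tok in re.findall(r"/[^\s;&|]*", text):
        comps += [c for c in tok.split("/") if c.startswith(".") and c not in (".", "..")]
    return comps


def suspicious_cron_entries(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for crontab lines whose command runs from a hidden
    directory or from a scratch directory."""
    flagged = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        hidden = hidden_components(line)
        if hidden:
            flagged.append((line, f"runs from hidden path component {hidden[0]!r}"))
        elif any(f"{d}/" in line for d in SCRATCH_DIRS):
            flagged.append((line, "runs from a scratch directory"))
    return flagged


def audit_preload(entries: Iterable[str], check_fs: bool = False) -> List[Tuple[str, str]]:
    """Return (path, severity) for each library listed in a preload file.  Every
    entry deserves review, since the file is normally empty; an entry outside the
    standard library directories, or missing on disk when check_fs is set, is 'high'."""
    findings = []
    for raw in entries:
        path = raw.strip()
        if not path or path.startswith("#"):
            continue
        in_trusted = any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
        missing = check_fs and not os.path.exists(path)
        findings.append((path, "high" if (not in_trusted or missing) else "review"))
    return findings


def live_audit():
    """Run both checks against the local host; unreadable files are skipped."""
    cron_files = ["/etc/crontab"] + glob.glob("/etc/cron.d/*") + glob.glob("/var/spool/cron/crontabs/*")
    report = {"cron": [], "preload": []}
    for path in cron_files:
        try:
            with open(path) as f:
                report["cron"] += [(path, *hit) for hit in suspicious_cron_entries(f)]
        except OSError:
            pass
    for path in PRELOAD_FILES:
        try:
            with open(path) as f:
                report["preload"] += [(path, *hit) for hit in audit_preload(f, check_fs=True)]
        except OSError:
            pass
    return report


# Constructed samples; none of these lines or paths come from either report.
SAMPLE_CRONTAB = [
    "SHELL=/bin/sh",
    "0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf",
    "@reboot /home/svc/.cache/upd/run >/dev/null 2>&1",
    "*/5 * * * * /dev/shm/.x/start",
]
SAMPLE_PRELOAD = ["/usr/lib/x86_64-linux-gnu/libcext.so.2", "/opt/local/lib/libhelper.so"]

if __name__ == "__main__":
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", *hit)
    for hit in audit_preload(SAMPLE_PRELOAD):
        print("preload:", *hit)
    print(live_audit())
```

The preload check deliberately grades a well-placed entry only as "review": a library dropped into a standard directory under a name that mimics a real one, as libcext.so.2 mimics libcext.so.0, cannot be told apart by path alone, so any non-empty preload file is worth a human look, and the cron check stops at the first hidden component because one flagged line is enough to justify inspecting the whole job.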