@itpro.com
//
Qualys security researchers have uncovered three bypasses in Ubuntu Linux's unprivileged user namespace restrictions, a security feature intended to reduce the attack surface. These bypasses, present in Ubuntu versions 23.10 and 24.04, could enable a local attacker to gain full administrative capabilities. The unprivileged user namespace restrictions were designed to provide security isolation for applications, however, the newly discovered flaws create a weak spot that attackers can exploit.
The bypasses allow a local attacker to create user namespaces with full administrator capabilities. One method involves exploiting the aa-exec tool, while another utilizes Busybox. A third involves LD_PRELOADing a shell into programs with AppArmor profiles. Successful exploitation could allow attackers to bypass security measures, exploit vulnerabilities in kernel components, and potentially gain full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025. References :
Classification:
info@thehackernews.com (The@The Hacker News
//
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.
The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat. References :
Classification:
Field Effect@Blog
//
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks, targeting universities and government organizations across North America and Asia. This previously undocumented backdoor employs advanced stealth tactics to evade detection and maintain persistence on compromised systems. The method used to originally deliver Auto-Color is currently unknown, however researchers have observed that it's often executed with unassuming file names like "door," "egg," or "log."
Once executed, Auto-Color installs a malicious library named libcext.so.2, disguised as the legitimate libcext.so.0 library, and copies itself to the /var/log/cross/auto-color system directory. If running with root privileges, the malware modifies the '/etc/ld.preload' file to achieve persistence. If not running with root privileges, it skips this step. Auto-Color grants malicious actors full remote access to compromised machines, making removal exceptionally difficult without specialized tools. References :
Classification: |