hpr-knowledge-base/hpr_transcripts/hpr3240.txt


Episode: 3240
Title: HPR3240: Linux Under Attack
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3240/hpr3240.mp3
Transcribed: 2025-10-24 19:23:16
---
This is Hacker Public Radio episode 3240 for Friday the 1st of January 2021.
Today's show is entitled Linux Under Attack and is part of the series Privacy and Security.
It is the 210th show of Ahuka, and is about 16 minutes long and carries a clean flag.
The summary is: a look at how malware is now targeting Linux, especially servers.
This episode of HPR is brought to you by archive.org.
Support universal access to all knowledge by heading over to archive.org forward slash donate.
Hello, this is Ahuka, welcoming you to Hacker Public Radio and another exciting episode.
This is going to be part of our security series, security and privacy.
And this one I'm giving the title, Linux under attack.
And the idea here is that there's no such thing as software without vulnerabilities.
So it follows that Linux, while in some ways more secure than alternatives like Windows,
is nonetheless vulnerable to attack.
Now, until recently, Linux was to some degree protected by security through obscurity,
which is to say that as a fringe OS, it was not worth investing much effort into attacking it.
But things have changed. Linux is winning the data center, the cloud and the desktop.
Consider the data.
And I have links in the show notes to back this up.
Linux is the most used operating system on Microsoft's Azure platform.
Now, Azure is Microsoft's cloud offering, sort of similar to what Amazon offers or other cloud hosting services.
And Linux is used more than anything on Microsoft's own cloud platform.
Linux has edged out Windows for serving websites.
Android, which is a Linux variant OS, is the most used OS in the world, beating out Windows.
And a Linux-based operating system powers the popular Chromebooks.
So there's no longer anything obscure about Linux.
And we should expect to see attacks against it and vulnerabilities being exploited,
and indeed we do.
And now, a quote from the article, link in the show notes, from ZDNet:
there is still a dangerous assumption among many that malware is only a problem for Windows.
That might have been more believable a decade or two ago.
But the reality is that any computer system that builds up significant market share
or plays host to valuable data will now be a target.
Linux is increasingly the foundation of many different business systems and vast parts
of the cloud. While there are still relatively few threats targeting Linux,
there's no reason why that should remain the case.
Now, the most serious attacks against Linux are against servers, of course, because Linux is
so dominant in the cloud. So I just want to kind of run through some of these and see what we
can learn by taking a look at this. The first one I want to talk about is something called Ebury.
Now, Ebury is an SSH attack. SSH stands for Secure Shell, and it is the more secure replacement
for the terribly insecure telnet. It's a way for computers to talk to each other.
And we discussed it previously in our SSH introduction and then following SSH episodes, and I
put a link to the first one in the show notes. OpenSSH is the open source implementation of
this protocol and is the de facto standard on all Linux distros. The ability to breach SSH
gives you access to the server and potentially to anything on the server. That makes OpenSSH a
prime candidate for attacks. Now, one of the early attacks was discovered by researchers at ESET.
That's a security research firm. They helped to disrupt a botnet of 25,000 servers that were
infected with an OpenSSH-based backdoor and credential stealer named Ebury. In March 2017,
Maxim Senakh, a Russian, pleaded guilty for his role in the creation of the Ebury malware
and for maintaining its infamous botnet, though he was just one member of the group.
This malware included a rootkit to persist through reboots and a backdoor to give the criminals access.
And once they got in, they started stealing credentials and then used the botnet for things
like traffic redirects and email spam. All fine as far as it goes. Then a gentleman,
I use the term loosely, Donald Austin from Florida, managed to install this malware on the
kernel.org servers. You may remember when that happened. It was quite a thing in the news.
Now, one result of all of this is that the researchers at ESET started to systematically look
for OpenSSH vulnerabilities. And when they looked, they found more. One of the first clues that
they would find things is that the Ebury software would do a check for other SSH malware installs
before it installed itself. Their search revealed an entire ecosystem that included 12 new
families of malware not previously documented. For a more detailed look at all of these
vulnerabilities, there's a research white paper from ESET called The Dark Side of the ForSSHe.
Now, that's a pun in the title: instead of Force, it's F-O-R-S-S-H-E.
Now, interestingly, there are some common features to all of the malware that they studied.
Despite the fact that each one was on a different codebase. Now, they all had hard-coded credentials
to enable backdoor access and mechanisms to steal credentials. And when the credentials were
stolen, they were always stored locally in a file. Now, if that were all, the criminals would then
have to log in using their backdoor credentials and exfiltrate the file in some way.
But some of the malware had provisions to push the file out through the network.
And I quote from an article in Help Net Security: interestingly, those backdoors were also
the most complex ones. Not one was based on publicly available source code, the researchers found.
Exfiltration techniques for stolen SSH credentials are creative and include SMTP,
mail sent to the malicious operator, HTTP, DNS, and even custom protocols using TCP and UDP.
Now, the best protection against these attacks is to not rely on passwords to authenticate SSH
logins. Things like two-factor authentication and encryption keys provide much higher security.
And you should always disable SSH logins for the root account. Instead, create a user with admin
privileges, whose username is not easily guessed by an attacker. And I'll have a little more to
say about this at the end. Now, the next one I want to talk about is something called Drovorub.
This software appears to be the work of Russian hacker group APT-28, which is a group operating
from the Russian military's GRU Intelligence Unit. It is a multi-component piece of malware targeting
Linux systems. I'm going to quote this time from NSA's press release. Drovorub is a Linux malware
toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and
port forwarding tool and a command and control server. When deployed on a victim machine, Drovorub
provides the capability for direct communications with actor-controlled C2 infrastructure.
File download and upload capabilities. Execution of arbitrary commands, port forwarding of network
traffic to other hosts on the network and implements hiding techniques to evade detection.
And C2, when you hear that, just means command and control.
The rootkit capabilities allow it to not only evade detection, but to survive through
system restarts and many anti-malware measures. We know it's from this Russian source because
they reused a command and control server identified in previous APT-28 operations.
The precise target is not known right now, but could be anything from industrial espionage to
election interference. There is some detailed guidance on remediation measures in a PDF and I
put a link in the show notes that is written up by the NSA and the FBI. So if you want to learn
more about what you can do, check the show notes and download that PDF.
Now I am going to quote again from a ZDNet article. Drovorub is a Swiss Army knife of capabilities
that allows the attacker to perform many different functions, such as stealing files and remote
controlling the victim's computer. And they are quoting McAfee CTO Steve Grobman.
And he goes on to say, in addition to Drovorub's multiple capabilities, it is designed for stealth
by utilizing advanced rootkit technologies that make detection difficult, the McAfee exec added.
The element of stealth allows the operatives to implant the malware in many different types of
targets, enabling an attack at any time. Now all of these articles again links in the show notes.
Now, Lucifer DDoS. This malware is a crypto-jacking and DDoS attack that originally
attacked vulnerabilities in software such as Rejetto HTTP File Server, Jenkins, Oracle WebLogic,
Drupal, Apache Struts, Laravel and Windows. The list of targets is fairly long, but now we can add
Linux to that list. And I am quoting from bleepingcomputer.com:
the fact that it can run on Linux-based systems means that it can potentially compromise and make
use of high-performance, high-bandwidth servers in internet data centers, with each node packing a
larger punch in terms of DDoS attack capacity than is typical of most bots running on Windows or
IoT-based Linux devices, the Netscout researchers explained.
LemonDuck. This is another SSH attack malware. It scans the internet for machines listening on
port 22 for logins, then launches a brute force attack using the username root. We've already
talked about why you should disable that. Then it uses a list of passwords to try. If it gets into
a system, it employs all the usual tricks such as running cron jobs to aid persistence,
and scanning for other Linux systems by taking login data from the .ssh/known_hosts file.
And there's FritzFrog. FritzFrog is yet another SSH attacker with the
wrinkle that it's based on a peer-to-peer network rather than a command and control server network.
It's basically a combination of a botnet and a crypto miner. It looks at ports 22 and 2222,
and if it gets in, it adds its own SSH public key to the authorized_keys file.
So, this is just a selection to illustrate the point that Linux does face some challenges here.
Now, does that mean Linux is not more secure? Not exactly. Linux certainly can be more secure
because the code is open and can be fixed by anyone. The idea that trying to keep code secret
breeds security has been thoroughly disproven by the many attacks on proprietary systems.
The bad guys will find the vulnerabilities. It's only the researchers that are hampered.
But in reading the accounts of many of these attacks, I was struck by how often I heard something
like "this vulnerability was patched, but..." or "this attacks older versions of...".
Okay, it does no good to create patches if sysadmins don't apply them.
Now, I personally apply all patches as soon as I get them on my home network.
Now, there's a chance that a patch might cause a problem, though I cannot think of an occasion
where that happens to me. But not applying the patches makes me subject to a known vulnerability.
Now, that's a home network. In a corporate data center, the appropriate procedure would be to install
the patches on a test server right away and run the appropriate tests with an aim of installing
the patches as soon as possible on your production servers. Remember, until the patches are applied,
you have a known vulnerability there. Next, we mentioned not giving the root account SSH login
capabilities. Now, this is only one case of the general principle of disabling default logins.
And particularly in this time when so many devices are network connected, even when there's no
compelling reason to be, you don't want to have the default admin account enabled.
There are actually botnets of light bulbs now because of hard-coded login accounts.
And this one change reduces your attack surface. And while it may not guarantee you won't be attacked,
it reduces your chances. Many of these malware attacks are just looking for easy pickings.
And if your machine is not the easy one, they'll just move on to other machines.
And if there's one thing that you really want to take out of this about default admin logins,
the most serious one that most people have is their home router.
You know, whether it's a Wi-Fi or Ethernet or a combo or whatever, routers ship with default logins.
And malware searches for them. And so the very first thing you should do is you should go in,
you should delete that account, create a different account where only you know the name
and give that account the admin capability. You know, that one thing would protect more
home networks than anything else I can think of.
Now finally, a lot of these attacks leverage problems with SSH.
If you are a sysadmin, learn how to use SSH safely.
I mentioned that we've done a few shows about that on Hacker Public Radio.
But I want to mention a book. A friend of mine, a fellow named Michael W. Lucas,
just released the second edition of his book, SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys.
And I think this is the best book out there. And it's where I go when I want to learn more about SSH.
And I've put a link in the show notes. I recommend the book very highly.
So this is Ahuka for Hacker Public Radio signing off and, as always,
encouraging you to support Free Software. Bye-bye.
You've been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our Contributing link to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club.
And it's part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website
or record a follow-up episode yourself. Unless otherwise stated,
today's show is released under the Creative Commons
Attribution-ShareAlike 3.0 license.
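Added example, not part of the episode or its show notes: two small checks that follow from the advice given above about SSH (disable root login, do not rely on passwords) and from the description of LemonDuck brute-forcing the root account. The first reads an sshd_config the way sshd does for the keywords it audits (the first value for a keyword wins, keywords are case-insensitive, and settings inside a Match block are conditional and are ignored here). The OpenSSH defaults assumed are PermitRootLogin prohibit-password and PasswordAuthentication yes. The second counts failed password attempts against root per source address in auth.log lines. All configs and log lines are constructed for the example; the function names and the threshold of five attempts are this example's own choices.

```python
"""Added example (not from the HPR episode): sshd_config audit and a
root brute-force counter over constructed auth.log lines."""
import re
from collections import Counter

# OpenSSH defaults for the audited keywords (assumption: OpenSSH >= 7.0).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return the effective global value per keyword (lowercased keyword).

    Mirrors sshd's rule that the FIRST value seen for a keyword wins, strips
    comments, and stops at the first 'Match' line, because everything after
    it is conditional and this audit only reports global settings.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in effective:
            effective[key] = parts[1].strip()
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the audited keywords
    match the hardening advice (no root login, no password auth, keys on)."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in directly over SSH")
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication disabled: key-based login unavailable")
    return findings


# Matches the OpenSSH auth.log line for a rejected password, with or without
# the 'invalid user' prefix sshd adds for accounts that do not exist.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)


def failed_root_logins(log_lines, threshold=5):
    """Count failed password attempts for 'root' per source IP and return
    [(ip, count), ...] for sources at or above threshold, busiest first."""
    counts = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if m and m.group("user") == "root":
            counts[m.group("ip")] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


# Constructed sample configs (not from any real host).
WEAK_CONFIG = """# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no   # ignored by sshd: the first value above wins
"""

HARDENED_CONFIG = """# constructed sample sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample auth.log lines using documentation address ranges.
SAMPLE_LOG = (
    ["Jan  1 00:00:%02d host sshd[1234]: Failed password for root from 203.0.113.5 port 4%04d ssh2" % (i, i)
     for i in range(6)]
    + ["Jan  1 00:01:00 host sshd[1240]: Failed password for root from 198.51.100.7 port 40100 ssh2",
       "Jan  1 00:01:01 host sshd[1241]: Failed password for root from 198.51.100.7 port 40101 ssh2",
       "Jan  1 00:01:02 host sshd[1242]: Failed password for invalid user admin from 203.0.113.5 port 40102 ssh2",
       "Jan  1 00:02:00 host sshd[1250]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2"]
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
    print(failed_root_logins(SAMPLE_LOG))
```

On a real host the config would come from `sshd -T`, which prints the effective values after sshd has applied its own parsing, and the log lines from /var/log/auth.log or journalctl; the point of the first-value-wins rule in the parser is that appending `PermitRootLogin no` to the end of a file that already says `yes` changes nothing.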