Incident Of The Week: Russia’s Cyber Threat Du Jour Prompts The FBI And NSA To Release A Joint Statement

Linux + Malware

Seth Adler

[Records Exposed: Undisclosed  |  Industry: Public And Private Entities Using Linux  |  Type Of Attack: Malware]

Russian cyber threats made the news again last week when the FBI and NSA released a statement about the new Fancy Bear malware Drovorub.

The Facts:

On August 13th, the U.S. government agencies Federal Bureau of Investigation (FBI) and National Security Agency (NSA) publicly released a 45-page report detailing this newest threat, which targets Linux systems with backdoor malware. The report links the malware to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The involvement of GTsSS and its hacking associates, commonly known as Fancy Bear or APT28, is cause for alarm. In 2016, it was this group that broke into the National Democratic Committee. Additionally, the Linux operating system is used in several high-profile public and private organizations such as Twitter, the Department of Defense, and the cybersecurity community writ large.

Perhaps, as November draws nearer, that is why the FBI and NSA broke with the status quo to deliver the Cybersecurity Advisory report, which also discusses techniques for detecting and mitigating Drovorub. The accompanying fact sheet explains Drovorub as, “A Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server. When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection.”

Lessons Learned:

In an attempt to proactively and preemptively fight against this newest Russian cyber threat, the U.S. Government is trying a new tactic: disseminating information. As cyber security incidents are becoming increasingly common—a “when,” not an “if”—organizations are taking heed. Empowering public and private enterprises with the knowledge of viable threats and sharing mitigation tools with them offers entities the opportunity to quickly and effectively decrease the likelihood that malware such as Drovorub will gain a foothold.

In this case, the FBI and NSA recommend “Implementing SecureBoot in ‘full’ or ‘thorough’ mode” to “reliably prevent malicious kernel modules, such as the Drovorub kernel module, from loading. This will prevent Drovorub from being able to hide itself on a system. The other detection and mitigation options, such as Snort and Yara rules, will naturally have a limited lifetime, as they are expected to be the first things changed in future versions of the malware to avoid detection. They should be used as quickly as possible before changes are made.”
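To see whether a given Linux host is actually in the state that recommendation describes, the following added example (not taken from the FBI/NSA advisory or from this article) reads the OS-visible settings that decide whether an unsigned kernel module can load. The function names and the `root` parameter are this example's own, and the firmware's “full” or “thorough” setting is not visible from the OS, so it must still be confirmed in the UEFI setup screen.

```python
import os

# Added example (names are its own). efivarfs exposes EFI variables as <name>-<guid>.
SB_VAR = "sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
TAINT_UNSIGNED_MODULE = 1 << 13  # taint flag 'E': an unsigned module was loaded


def _read(root, rel, binary=False):
    """Return file contents under root, or None if absent or unreadable."""
    try:
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return data if binary else data.decode("ascii", "replace").strip()


def module_loading_posture(root="/"):
    """Collect the settings that decide whether an unsigned module can load."""
    sb = _read(root, SB_VAR, binary=True)
    # efivarfs layout: 4 bytes of attributes, then the value (1 = enabled).
    secure_boot = None if sb is None or len(sb) < 5 else sb[4] == 1
    sig = _read(root, "sys/module/module/parameters/sig_enforce")
    lockdown = _read(root, "sys/kernel/security/lockdown") or ""
    # The active lockdown mode is the bracketed word: "none [integrity] confidentiality".
    mode = next((w.strip("[]") for w in lockdown.split() if w.startswith("[")), None)
    tainted = int(_read(root, "proc/sys/kernel/tainted") or 0)
    return {
        "secure_boot": secure_boot,
        "sig_enforce": sig == "Y",
        "lockdown": mode,
        "unsigned_module_loaded": bool(tainted & TAINT_UNSIGNED_MODULE),
    }


def findings(p):
    """Turn the posture into a list of problems (an empty list means none found)."""
    out = []
    if p["secure_boot"] is not True:
        out.append("UEFI Secure Boot is off or not reported")
    if not p["sig_enforce"] and p["lockdown"] in (None, "none"):
        out.append("kernel does not enforce module signatures")
    if p["unsigned_module_loaded"]:
        out.append("an unsigned kernel module has been loaded since boot")
    return out


if __name__ == "__main__":
    print("\n".join(findings(module_loading_posture()) or ["no findings"]))
```

A clean result from a host that is already compromised proves little, since a kernel rootkit can falsify what these files report; the check is most useful as a baseline on known-good systems.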

Quick Tips:

Organizations that run Linux enjoy its unique strengths but also open themselves up to its unique vulnerabilities; namely, the “hidden” nature of Linux that risks a level of undetected threats sneaking through. McAfee and CSHub offer these tips for Linux security:

  • Utilize rootkit detection software such as chkrootkit or rkhunter
  • Enable UEFI Secure Boot in “full” or “thorough” mode on x86-64 systems to decrease attack surface.
  • Remove unused services and software
  • Incorporate a least privilege policy
  • Back up, patch, test, and update systems regularly