In a rare occurrence, the US National Security Agency (NSA) and FBI issued a warning for a new Linux malware dubbed “Drovorub”.
It was reportedly developed by Russian military hackers.
“This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats,” NSA Cybersecurity Director Anne Neuberger said. “By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action. Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together.”
According to a report based on data collected by the agencies, the Linux malware strain is the work of APT28, a notorious hacking group from military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
The intention is to steal secrets from the public sector, as well as private IT companies.
Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server.
When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection.
These hiding techniques make Drovorub hard to detect once it is on a host, giving its operators a persistent foothold from which to act at a time of their choosing.
According to the report, the malware's two communicating components talk to each other using JSON over WebSockets, and the traffic is encrypted by the server module using the RSA algorithm.
“For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information,” said FBI Assistant Director Matt Gorham. “This joint advisory with our partners at NSA is an outstanding example of just that type of sharing. We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”
There is also a handy fact sheet. [pdf]
“How did you find out about this malware?
We use a variety of means and methods to acquire information about cyber threats, including our own cybersecurity operations, foreign signals intelligence, U.S. Government partners, engagement with industry, and foreign partners around the world. We don’t comment on the source of any particular information so we can continue to fulfil our vital role for the nation. Protecting our sources also allows us to more broadly release the underlying threat information in ways we might not be able to otherwise do.”
As such it is generally unclear how the malware was discovered and how it was concluded that “the Russians” made it.
There is also a guide on how to prevent the malware from operating:
“Will the mitigations outlined in the guidance protect my system from exposure?
Implementing SecureBoot in “full” or “thorough” mode should reliably prevent malicious kernel modules, such as the Drovorub kernel module, from loading. This will prevent Drovorub from being able to hide itself on a system. The other detection and mitigation options, such as Snort and Yara rules, will naturally have a limited lifetime, as they are expected to be the first things changed in future versions of the malware to avoid detection. They should be used as quickly as possible before changes are made.”
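A host-side audit a defender might run to check the mitigations the FAQ answer points at (Secure Boot state, kernel module signature enforcement, and whether an unsigned module has already been loaded). This is an added example written for this article, not code from the advisory; the efivarfs layout (4 attribute bytes followed by the value), `/sys/module/module/parameters/sig_enforce` and the `/proc/sys/kernel/tainted` bit meanings are standard Linux interfaces, and the sample values in the test are constructed.

```python
import os

# Standard Linux interfaces (not Drovorub-specific artefacts).
SECUREBOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SIG_ENFORCE = "/sys/module/module/parameters/sig_enforce"
TAINTED = "/proc/sys/kernel/tainted"
TAINT_OOT_MODULE = 1 << 12       # 'O': an out-of-tree module has been loaded
TAINT_UNSIGNED_MODULE = 1 << 13  # 'E': an unsigned module has been loaded


def secure_boot_from_efivar(data: bytes) -> bool:
    """efivarfs exposes 4 bytes of attributes followed by the variable value;
    SecureBoot is a single byte, 1 while the firmware is enforcing."""
    return len(data) >= 5 and data[4] == 1


def assess(secure_boot: bool, sig_enforce: str, tainted: int) -> list:
    """Turn the three raw readings into findings a defender should act on.
    Secure Boot verifies the boot chain; blocking unsigned modules at runtime
    also needs the kernel itself to enforce module signatures."""
    findings = []
    if not secure_boot:
        findings.append("Secure Boot disabled: boot chain not verified")
    if sig_enforce.strip() != "Y":
        findings.append("module.sig_enforce off: unsigned kernel modules can be inserted")
    if tainted & TAINT_UNSIGNED_MODULE:
        findings.append("kernel tainted 'E': an unsigned module has already been loaded")
    if tainted & TAINT_OOT_MODULE:
        findings.append("kernel tainted 'O': an out-of-tree module has been loaded")
    return findings


def _read(path: str, default: str) -> str:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return default


def audit_host() -> list:
    """Read the live values; a missing file is reported as the weak setting."""
    secure_boot = False
    if os.path.exists(SECUREBOOT_VAR):
        with open(SECUREBOOT_VAR, "rb") as fh:
            secure_boot = secure_boot_from_efivar(fh.read())
    tainted = int(_read(TAINTED, "0").strip() or 0)
    return assess(secure_boot, _read(SIG_ENFORCE, "N"), tainted)


if __name__ == "__main__":
    for line in audit_host() or ["no findings: module-loading mitigations in place"]:
        print(line)
```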
The advanced persistent threat (APT) group identified as APT28 is also commonly known as Fancy Bear.
To be more precise, the hacking collective labeled as APT28 is said to be associated with military unit 26165, the GRU's 85th Main Special Service Center (GTsSS). The FBI and NSA report reveals that Drovorub infrastructure has ties to GTsSS infrastructure, and attributes the proprietary malware to that unit as having been developed for its own use.
On August 5th, Microsoft also published a blog post blaming the group for another offensive operation.
The Microsoft Security Response Center claimed that APT28 is responsible for a campaign attacking popular Internet of Things (IoT) devices. In an election year, it’s worth remembering that APT28 was also “implicated” in the 2016 Democratic National Committee hack.
These are most definitely not your “normal” hackers. They are special, Russian “super hackers.”
“I’m not surprised that everyone’s favorite fancy bear (APT28) is on the prowl in Linux land,” says Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax. “Tactically, it makes sense to hack workstations, pivot to Linux servers and hide in that infrastructure to stay persistent.”
“APT groups, especially Russian and Chinese ones, are going to be driven by specific mission requirements and if the target’s information or capabilities are found in a Linux environment that won’t stop the mission objectives,” Thornton-Trump said.
No one should be surprised to find Fancy Bears inside Linux systems, he claimed, adding “they need protection just as much as Windows systems, maybe even more depending on what juicy information or capabilities are present in the target’s open-source environment.”
BS. Linux is getting more popular by the day and now even noobs can use it, with distributions like Raspberry OS or Linux Mint. And it doesn't have built-in NSA/CIA backdoors. That's why they are worried.
I play from time to time with Ubuntu. What about you, Lone?
Linux Mint is the OS if you want an easy all around OS.
ROFL! The old IT rule: if you want to make war between Linux guys – ask them what version of Linux is better! https://media1.giphy.com/media/AbKlwKEiP4ZpK/giphy.gif
Exactly. Watch this:
Hey guys, Mint and Ubuntu are for faggots and snowflakes. Real men use DEBIAN!
(Actually, real men use Slackware, but that’s another story …)
No way! Red Hat is the king! ROFL!
Dead Rat! Hahah! Not since SystemD!
Everyone is using systemd, I've gotten used to it. It does have some strengths over init.
Heretic! Users of it and its bastard child journalctl should be burned at the stake!
I’ve been using Linux and LibreOffice for years now too. It saves a ton of money each time I build or upgrade a machine. And no automatic updates either…
This is how you upgrade a computer with Linux:
1) Take the hard drive out of the old machine
2) Place the hard drive into the new machine
3) Boot the computer
Russia has 146 million hackers and internet trolls. Me too. )
Hold on, isn’t that the same number as your population?
It is. But I should correct this number. Not all people have internet, but 99% will have it in the near future. The actual number is about 80%. Imagine, all these people are Kremlin trolls, except a few liberals. Sad truth for Washington, which is counting every sarcastic message from Russia or with a Cyrillic nickname as a danger to democrazy.
Oh yeah! Chinese hackers broke into the Pentagon server. Every Chinese typed “Mao Tse Tung” as the password, and at the 745 329 782nd try the server agreed that the password is “Mao Tse Tung”.
That’s called “Re-education”
Cultural revolution to be more precise. ROFL.
The Security Service in Kiev had used the password 123456. Their admin told them to change it, and they told him to go away. Changed after 6 months.
The thought of Sergei Shoygu at a linux terminal is truly intimidating!
“The thought of Sergei Shoygu at a linux terminal is truly intimidating!” https://mir-s3-cdn-cf.behance.net/project_modules/disp/1ceeee16791861.593e5a801715b.jpg
Exactly what I warned about. You try to be in privacy with your democratic considerations and what happens? An invisible Trumphet tone arrives in your ears going into your brain, and you think of Trumphets all the way to the election and the voting box. You imagine a Trumphet in your brain, and you vote Trump because it's related, and this has already been figured out in the KGB's psychological laboratories.
When we say Putin has been interfering in America's democracy and elections, it's the truth and you know it! Which you can clearly see in this example of facts and reason with logo.
How funny…
Perfect mafia-style intimidation, either you pay our protection or big trouble could happen to your devices.
More like their own paid shills, if anything. NSA and FBI are both Democrat tools; see no Hellary nor Biden arrests still. They can't be trusted nor taken seriously ever again (period). No arrests = no credibility!
BS. The NSA and FBI are the real culprits, but preparing the plebs for a regular brainwash.
Does anyone understand that “drovorub” is a Ukrainian word? In Russian it would be “drovosek”. ROFL! Want to fail a mission – ask Ukrainians to help you!
I hope the Russian rootkits are more reliable than the US ones. The documentation for the Chinese rootkits is rubbish, I'd never use those.
Looks like it's a Ukrainian rootkit. Won't work without pork fat and vodka!
Damn. I’ll have to wait for Drovorub Russian Edition then.
Gorilka (local moonshine), lard and garlic.
salo z silotka
On the other hand, Linux has been rooted since Lennart Poettering was allowed to trojan it with systemd …
Come on! Linux is open source and everyone checks the code before the compilation! https://media0.giphy.com/media/3ohs7KViF6rA4aan5u/giphy.gif
Of course. I personally print it all out on a dot matrix and go through it with a red pen …
Eff! You are better than me! I am using a pencil!
Another problem can be with the compiler. You need to make sure it’s a legit version.
Package repos are probably full of drovorub too …
“As such it is generally unclear how the malware was discovered and how it was concluded that ‘the Russians’ made it.”
As expected.
Hahaha, so in other words the NSA / CIA are attacking Linux and using Cyrillic characters.