Decade of Chinese RATs

This new research adds to that concern, claiming that a concerted effort involving five Chinese advanced persistent threat (APT) groups has been focused on the Linux servers that "comprise the backbone of the majority of large data centers responsible for some of the most sensitive enterprise network operations." What the researchers found was evidence of a previously undocumented Linux malware toolset being used by these threat actors. The toolset includes no fewer than two kernel-level rootkits and three backdoors and, the researchers have confirmed, has been actively deployed since March 13, 2012. The Decade of RATs analysis by the BlackBerry researchers links this previously unidentified malware toolkit with one of the largest Linux botnets ever discovered, and concludes that it is "highly probable" that the number of impacted organizations is significant and "the duration of the infections lengthy."
Chinese threat actor attribution

The researchers are highly confident that the five APT groups involved are made up of civilian contractors working in the interest of the Chinese government. That involvement, however, can be plausibly denied by the government, the report suggests, as tools, techniques and attack infrastructure are shared with few bureaucratic or legal hurdles. The groups are best described as using the tactics, techniques and procedures (TTPs) of WINNTI, one of the original Chinese APT groups, which is thought to have long since disbanded. They target, the researchers say, Red Hat Enterprise, CentOS and Ubuntu Linux environments "systematically across a wide array of industry verticals," for cyber espionage and intellectual property theft purposes.
Linux defensive capabilities immature at best, report claims

Linux is not, the report claims, a primary focus of security solutions, and defensive coverage within Linux environments is "immature at best," with endpoint protection or endpoint detection and response products inadequately deployed or used. This has enabled the attackers to use those Linux servers as a "network beachhead for other operations," according to the BlackBerry researchers. "Security products and services that support Linux, offerings that might detect and give us insight into a threat like this, are relatively lacking compared to other operating systems," Eric Cornelius, chief product architect at BlackBerry, says, "and security research about APT use of Linux malware (that also might turn it up) is also relatively sparse."
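Where no EDR agent is watching a Linux host, one check an administrator can still run by hand targets the kind of kernel-level rootkit the report describes. The script below is an added example and is not code from the BlackBerry report or from the article: a loadable-kernel-module rootkit typically unlinks itself from the kernel's module list so that lsmod (which reads /proc/modules) no longer shows it, but the module's kobject directory under /sys/module is often left behind. Comparing the two views flags the discrepancy. The sample module lines and the name evil_rk are constructed for illustration; built-in kernel code appears under /sys/module without an initstate entry, so those directories are excluded.

```python
"""Cross-view check for kernel modules hidden from lsmod (/proc/modules).

Added example, not from the BlackBerry report or the article. A rootkit that
deletes itself from the kernel module list disappears from /proc/modules but
usually still has a directory under /sys/module; a loadable module there
that /proc/modules does not list is worth a closer look.
"""
import os
from typing import Iterable, List, Set


def parse_proc_modules(text: str) -> Set[str]:
    """Return the module names (first column) from /proc/modules-style text."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def sys_loadable_modules(sys_module_dir: str = "/sys/module") -> Set[str]:
    """Loadable modules: directories under /sys/module that carry 'initstate'.

    Built-in code also has a /sys/module entry (for its parameters) but no
    initstate file, so it is skipped to avoid false positives.
    """
    found = set()
    try:
        for name in os.listdir(sys_module_dir):
            if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
                found.add(name)
    except FileNotFoundError:
        pass  # not a Linux host, or sysfs not mounted
    return found


def find_hidden_modules(proc_names: Iterable[str],
                        sys_loadable: Iterable[str]) -> List[str]:
    """Loadable modules visible in sysfs but missing from /proc/modules."""
    return sorted(set(sys_loadable) - set(proc_names))


def check_live_system() -> List[str]:
    """Run the cross-view comparison against the running kernel."""
    with open("/proc/modules") as fh:
        proc_names = parse_proc_modules(fh.read())
    return find_hidden_modules(proc_names, sys_loadable_modules())


# Constructed sample data (not captured from a real system): three ordinary
# modules as /proc/modules prints them, and a sysfs view that also contains a
# hypothetical module 'evil_rk' that has unlinked itself from the module list.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a1d000
nf_conntrack 172032 2 xt_conntrack,nf_nat, Live 0xffffffffc09f0000
ext4 737280 1 - Live 0xffffffffc0800000
"""
SAMPLE_SYS_LOADABLE = {"xt_conntrack", "nf_conntrack", "ext4", "evil_rk"}


if __name__ == "__main__":
    sample = find_hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES),
                                 SAMPLE_SYS_LOADABLE)
    print("hidden in constructed sample:", sample)
    if os.path.exists("/proc/modules"):
        print("hidden on this host:", check_live_system())
```

A module that is mid-unload can briefly show up in sysfs with an initstate of "going", so re-run before acting on a hit; and a rootkit that also removes its sysfs kobject will not be caught by this view alone, which is why cross-view checks are one layer and not a substitute for the endpoint tooling the report says Linux environments lack.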
Is Linux mature and secure?

Joe McManus, director of security at Canonical, which publishes Ubuntu, disagrees. "I think that clearly the premise that Linux security is not mature is incorrect," he told me, adding, "Linux and, particularly, Ubuntu are incredibly secure systems but, that being said, it is their popularity that makes them a target." McManus was not surprised that nation-state actors are attacking Linux operating systems. And Ian Thornton-Trump, a threat intelligence expert and the CISO at Cyjax, was not surprised that Chinese APT actors, which he describes as "among the best in the world," are attacking Linux servers. "It should come as no surprise adversaries have mission capabilities across the whole range of cyber targets, including Linux," Thornton-Trump says, explaining that some Western nations' most sensitive systems run on Linux, ranging from secure telecommunications systems to supercomputers. "From an economic and mission perspective," he concludes, "it makes sense for a threat actor to invest in open-source skills for flexibility and the ability to target the systems where the good stuff is happening."
As for how such an advanced attack toolkit could remain undiscovered for so long, Joe McManus says that "nation-state actors are particularly good at keeping their toolkits private, as unlike financially motivated actors they are less likely to resell the toolkits in use." And, as Philip Ingram, a former Colonel in British Military Intelligence, says, "It could be the open source nature that has kept it undetected, and if state developed there will be no documentation in the public domain."
Mitigating the Linux APT threat

And what about mitigating this kind of attack? "The things that need to be done to better protect Linux systems, I believe," Ingram says, "are understanding the threat and treating it as if they are at as much a threat as any other operating system; this is as much a psychological as a physical approach." A peer-reviewed OS does not mean a more secure OS, according to Ingram. "The second thing is when looking at specific elements, know your developers and know their coding, ensure the versions used are ones that specifically address security concerns and finally ensure you have the appropriate security-related tools."
"As with any operating system, a layered security approach is required," McManus says, "from kernel, AppArmor, patching, system administration and network security. Security is priority one in Linux." To which Thornton-Trump adds that it's all about reducing attack surface exposure and network traffic analysis. "The vulnerable can be protected using isolation techniques," he says, concluding, "now doesn't that sound a little familiar?" I did reach out to Red Hat with regard to both Red Hat Enterprise and CentOS, but a spokesperson said that "at this time Red Hat is unable to comment."
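The network traffic analysis Thornton-Trump mentions is the layer most likely to expose a server being used as a beachhead, because a backdoor that polls its operator does so on a timer. The script below is an added example, not code from the article or from BlackBerry's report: it groups outbound connections by (source, destination, port) and scores how evenly spaced they are, using the coefficient of variation of the gaps between connections. Machine-timed call-backs, even with modest jitter, score low; human-driven traffic scores high. The record format (timestamp, source, destination, destination port) and the addresses are constructed for the example; on a real host the same tuples come from conntrack, a Zeek conn.log, or netflow exports.

```python
"""Beacon (periodic call-back) detection over outbound connection records.

Added example, not from the article or the BlackBerry report. Input lines are
'ts src dst dport'; the sample below is constructed, not captured traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int]


def parse_conn_log(text: str) -> Dict[FlowKey, List[float]]:
    """Group connection timestamps by (src, dst, dport)."""
    flows: Dict[FlowKey, List[float]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(float(ts))
    return flows


def beacon_score(timestamps: List[float],
                 min_events: int = 6) -> Optional[Tuple[float, float]]:
    """Return (mean_gap_seconds, coefficient_of_variation) or None.

    The coefficient of variation is stdev/mean of the gaps between
    consecutive connections; near zero means a fixed interval. Jittered
    beacons still score low because the jitter is normally a small fraction
    of the base interval. Fewer than min_events connections is not enough
    to judge regularity.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows: Dict[FlowKey, List[float]], max_cv: float = 0.2,
                 min_events: int = 6) -> List[Tuple[FlowKey, float, float]]:
    """Flows whose gap regularity is at or below max_cv, by mean interval."""
    hits = []
    for key, ts in flows.items():
        score = beacon_score(ts, min_events)
        if score is not None and score[1] <= max_cv:
            hits.append((key, round(score[0], 1), round(score[1], 3)))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: one flow calling 203.0.113.7:443 roughly every 300 s
# with +/-10 s jitter, one bursty human-driven flow to 198.51.100.20:443,
# and one flow with too few events to score. Addresses are documentation
# ranges, not real infrastructure.
SAMPLE_CONN_LOG = """\
# ts src dst dport
1000 10.0.0.5 203.0.113.7 443
1000 10.0.0.5 198.51.100.20 443
1005 10.0.0.5 198.51.100.20 443
1007 10.0.0.5 198.51.100.20 443
1100 10.0.0.5 192.0.2.9 22
1300 10.0.0.5 203.0.113.7 443
1607 10.0.0.5 198.51.100.20 443
1610 10.0.0.5 203.0.113.7 443
1610 10.0.0.5 198.51.100.20 443
1905 10.0.0.5 203.0.113.7 443
2210 10.0.0.5 203.0.113.7 443
2400 10.0.0.5 192.0.2.9 22
2510 10.0.0.5 203.0.113.7 443
2800 10.0.0.5 203.0.113.7 443
2810 10.0.0.5 198.51.100.20 443
2840 10.0.0.5 198.51.100.20 443
"""


if __name__ == "__main__":
    for key, interval, cv in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{interval}s (cv={cv})")
```

Thresholds need tuning per environment: legitimate agents (package mirrors, monitoring, NTP) also beacon, so the output is a triage list to be joined against an allow-list of known periodic destinations, not a verdict. Fixed-interval detection also misses implants that randomize sleep widely or hide inside long-lived sessions, which is where the isolation and attack-surface reduction in the same paragraph do their work.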