Never-Before-Seen Linux Malware Is 'Far More Advanced Than Typical' (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Researchers have discovered a never-before-seen framework that infects Linux machines with a wide assortment of modules that are notable for the range of advanced capabilities they provide to attackers. The framework, referred to as VoidLink by its source code, features more than 30 modules that can be used to customize capabilities to meet attackers' needs for each infected machine. These modules can provide additional stealth and specific tools for reconnaissance, privilege escalation, and lateral movement inside a compromised network. The components can be easily added or removed as objectives change over the course of a campaign.
VoidLink can target machines within popular cloud services by detecting if an infected machine is hosted inside AWS, GCP, Azure, Alibaba, and Tencent, and there are indications that developers plan to add detections for Huawei, DigitalOcean, and Vultr in future releases. To detect which cloud service hosts the machine, VoidLink examines metadata using the respective vendor's API. Similar frameworks targeting Windows servers have flourished for years. They are less common on Linux machines. The feature set is unusually broad and is "far more advanced than typical Linux malware," said researchers from Checkpoint, the security firm that discovered VoidLink. Its creation may indicate that the attacker's focus is increasingly expanding to include Linux systems, cloud infrastructure, and application deployment environments, as organizations increasingly move workloads to these environments. "VoidLink is a comprehensive ecosystem designed to maintain long-term, stealthy access to compromised Linux systems, particularly those running on public cloud platforms and in containerized environments," the researchers said in a separate post. "Its design reflects a level of planning and investment typically associated with professional threat actors rather than opportunistic attackers, raising the stakes for defenders who may never realize their infrastructure has been quietly taken over."
The researchers note that VoidLink poses no immediate threat or required action since it's not actively targeting systems. However, defenders should remain vigilant.
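The summary above says VoidLink fingerprints its host by querying each cloud vendor's instance-metadata service. The defender's counterpart is to watch which processes on a host actually talk to those endpoints, since on a typical image only a handful of provisioning agents should. The POSIX shell script below is an added illustration, not code from the Ars Technica or Check Point write-ups: it reads a constructed connection log in a made-up "epoch pid comm dst_ip dst_port" format and prints every metadata-service connection from a process not on an allowlist. The endpoint addresses and the allowlisted agent names are assumptions to be checked against your own provider's documentation and base image.

```shell
#!/bin/sh
# Flag processes that contact a cloud instance-metadata endpoint but are not
# among the agents expected to do so. Added example; not from the page.

# Metadata endpoint addresses (assumed from vendor docs; verify for your
# provider): 169.254.169.254 is shared by AWS, GCP and Azure, 100.100.100.200
# is Alibaba Cloud, 169.254.0.23 is Tencent Cloud.
IMDS_ADDRS="169.254.169.254 100.100.100.200 169.254.0.23"

# Process names expected to query metadata (assumption; tune per image).
ALLOWED_COMMS="cloud-init amazon-ssm-agent waagent google_guest_agent"

# in_list NEEDLE "space separated haystack" -> 0 if NEEDLE is in the list.
in_list() {
  for x in $2; do
    [ "$x" = "$1" ] && return 0
  done
  return 1
}

# Reads "epoch pid comm dst_ip dst_port" lines on stdin and prints one
# "pid comm dst_ip" line for each metadata access by a non-allowlisted process.
flag_unexpected_imds() {
  while read -r ts pid comm dst port; do
    [ -n "$ts" ] || continue                      # skip blank lines
    in_list "$dst" "$IMDS_ADDRS" || continue      # not a metadata endpoint
    in_list "$comm" "$ALLOWED_COMMS" && continue  # expected agent, ignore
    printf '%s %s %s\n' "$pid" "$comm" "$dst"
  done
}

# Constructed sample log (not real data): one expected agent, one interactive
# curl, one unrelated SSH connection, one scripted query on an Alibaba address.
SAMPLE_LOG='1700000000 812 cloud-init 169.254.169.254 80
1700000001 4021 curl 169.254.169.254 80
1700000002 4100 sshd 10.0.0.5 22
1700000003 4211 python3 100.100.100.200 80'

# Run with --demo to see the two flagged lines.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | flag_unexpected_imds
fi
```

In practice the input would come from whatever already records outbound connections on the host (auditd connect syscalls, eBPF tooling, or a host firewall log), and a hit from an interpreter or a one-off binary is a reasonable hunting lead rather than proof of compromise; the point is that metadata lookups from anything other than the provisioning agents are rare enough to be worth alerting on.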
Source code? (Score:5)
A link to it in TFA or the one it points to would have been nice given how often it's mentioned.
Re: Source code? (Score:1)
Re:Source code? (Score:5, Informative)
A link to it in TFA or the one it points to would have been nice given how often it's mentioned.
So I looked deeper into this malware and it's a framework with many components. One of those components is a web-browser-based control panel which is written using the React JavaScript framework. I believe within the source of this control panel is where they found the reference to it being named VoidLink.
Details on VoidLink from those who reverse engineered it: https://research.checkpoint.co... [checkpoint.com]
It was just a matter of time (Score:4, Informative)
Linux malware is relatively rare, because getting into Linux systems is much harder than the laughably easy ways to get into Windows systems. Hence this much later development. But while LLMs are generally incapable, generating malware and running automated attacks on, let's say, "low intermediate level" with so-so success rates is something they can do and it can be automated. And that dramatically reduced the effort for attacking Linux systems in a non-targeted fashion. There will be enough incompetent Linux admins out there to make that not worthwhile and hence a versatile software solution for the next step after compromise becomes desirable to attackers for Linux as well.
Re: (Score:2)
That should be "make that now worthwhile". My apologies.
Re:It was just a matter of time (Score:5, Insightful)
Is it really laughably easy? A properly managed Windows server is laughably easy to get into? Please describe.
Or, as usual, are we conflating the millions of Windows desktop systems under the control of normies with the millions of Linux servers under the control of actual admins?
Re: (Score:2)
Is it really laughably easy? A properly managed Windows server is laughably easy to get into? Please describe.
Or, as usual, are we conflating the millions of Windows desktop systems under the control of normies with the millions of Linux servers under the control of actual admins?
Pretty much this.
As more and more Linux systems find their way into the hands of average people, we're bound to get more complex malware to capitalise on that.
Not that we should use this as an excuse to slow the expansion of Linux into everyday life, there are going to be some innate security advantages just in that (not to mention a whole bunch of other advantages like getting out from under MS).
Re: (Score:2)
Re: (Score:2, Insightful)
[Citation Needed]. Windows systems are usually compromised due to layer 8 issues. One can put a Windows server on the same public subnet as a Linux box, and it will be 50/50 which gets pwned first, assuming sane configurations.
Linux has gotten a pass because it tends to be used for servers. Once Joe Sixpack is using Linux for a desktop, things will change. Same shit happened when Windows took the mantle over Solaris for a workstation OS... back then, we mocked Solaris for being insecure.
Re:It was just a matter of time (Score:5, Insightful)
Is it, really? How many projects do you know whose installation is of the form "curl ... | sudo bash"? Because that's a large number of projects, and Linux users blindly execute commands like that all the time.
It's only been post-pandemic where the Windows equivalent of Windows-R-Ctrl-V have really taken hold (or variations involving using PowerShell).
The fact that Linux users have been blindly running shell scripts as root from untrusted sources has been a vector for infection that I'm surprised hasn't been exploited more often.
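The comment above describes the risk of piping an unreviewed script into a root shell. The POSIX shell functions below are an added example, not code from the page or from any project it mentions, of the habit that removes most of that risk: fetch the installer to a file over HTTPS only, compare it against a checksum obtained from somewhere other than the download URL, read it, and only then run it. The `curl --proto '=https'` and `--tlsv1.2` options are real curl flags; `sha256sum` is assumed to be GNU coreutils (on macOS substitute `shasum -a 256`); the `install_verified` usage and the demo file are constructed.

```shell
#!/bin/sh
# Safer replacement for "curl ... | sudo bash": download, verify, review, run.
# Added example; not from the page or from any project it discusses.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file's SHA-256 matches, else 1.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# fetch_script URL DEST: HTTPS only (refuses plain-HTTP URLs and redirects),
# modern TLS, fail on HTTP errors, write to DEST instead of a shell.
fetch_script() {
  curl --proto '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# install_verified URL EXPECTED_HEX: the checksum should come from a source
# independent of the download (release page, signed manifest, vendor mail).
install_verified() {
  url=$1
  expected=$2
  tmp=$(mktemp) || return 1
  if ! fetch_script "$url" "$tmp"; then
    echo "download failed: $url" >&2
    rm -f "$tmp"
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "checksum mismatch for $url; refusing to run it" >&2
    rm -f "$tmp"
    return 1
  fi
  ${PAGER:-less} "$tmp"   # read what you are about to hand to root
  sudo sh "$tmp"
  status=$?
  rm -f "$tmp"
  return $status
}

# Known constant: SHA-256 of the empty input.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Run with --demo to see verification succeed on an empty file and fail
# once the file is altered (constructed data, no network needed).
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  : > "$f"
  verify_sha256 "$f" "$EMPTY_SHA256" && echo "empty file: checksum OK"
  echo 'rm -rf /' >> "$f"
  verify_sha256 "$f" "$EMPTY_SHA256" || echo "altered file: checksum mismatch"
  rm -f "$f"
fi
```

The checksum step only helps if the expected value did not travel with the script; a hash printed on the same page that serves the installer guards against a corrupted download, not against a compromised server. Where the project signs its releases, verifying the signature (for example with `gpg --verify`) is the stronger check, and where the same software is in the distribution's package repository, the package manager's signed metadata already does this work.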
Re: (Score:3)
Oh, there are plenty of idiots in both groups. But with Windows, it is a majority of idiots (as daily experience shows), while with Linux, it depends. And it does make a difference whether you build on sand or on bedrock.
Re: (Score:2)
Is it, really? How many projects do you know whose installation is of the form "curl ... | sudo bash"? Because that's a large number of projects, and Linux users blindly execute commands like that all the time.
It's one of my biggest pet peeves and I wish it'd die already. Mind-blowing that the same group that mocks Windows users for blindly running exes in email attachments then went on to promote such activity. Even worse when the URL is plain HTTP. FWIW, I've never run one of those as-is. Most of the time, the same thing is available via the default package manager.
Re:It was just a matter of time (Score:4, Insightful)
Linux malware is relatively rare, because getting into Linux systems is much harder than the laughably easy ways to get into Windows systems.
This is a myth. Linux malware is less common because it's a less valuable target than the more ubiquitous Windows systems.
If you want an OS that is intrinsically more secure, try OpenBSD. Their proactive auditing [openbsd.org] is second-to-none, and has been known to patch bugs before they were discovered to be exploitable.
Re: (Score:2)
Linux malware is relatively rare, because getting into Linux systems is much harder than the laughably easy ways to get into Windows systems.
This is a myth. Linux malware is less common because it's a less valuable target than the more ubiquitous Windows systems.
That has always been a lie. Often repeated though.
Re: (Score:2)
Servers are the more valuable targets and there Linux is the most ubiquitous.
"Hmmm, this is way more unusual" (Score:2)
It voids your manufacturer's warranty in only 48 states.
Yet more Linux malware FUD (Score:5, Insightful)
Re: (Score:2)
Yeah, I keep saying I'm done with Slashdot. But for the "editors" to continue allowing garbage like this with straight-up lying headlines... I'm finally done. I deal with enough brainwashed anti-open-source mouth breathers at work. Why do I keep coming back to it here on a so-called tech news website that can't even get basic facts straight?
Good thing HN has a pretty good signal-to-noise ratio. See you all there!
Re: (Score:3)
Yeah, I keep saying I'm done with Slashdot. But for the "editors" to continue allowing garbage like this with straight-up lying headlines... I'm finally done. I deal with enough brainwashed anti-open-source mouth breathers at work. Why do I keep coming back to it here on a so-called tech news website that can't even get basic facts straight?
Good thing HN has a pretty good signal-to-noise ratio. See you all there!
What part of the headline is misleading? Where are you confused? The article is about an advanced malware package that is cloud-aware and container-aware. It shouldn't be surprising, just a reminder that yes, your managed Kubernetes deployments are also considered targets, duh.
Malware and attack payloads for Linux servers do exist, because they do get infiltrated, and they are definitely targeted. What is even controversial about ANY of that?
Re:Yet more Linux malware FUD (Score:4, Interesting)
I kept looking for the initial deployment, but I guess it is done by gaining control or access through an unpatched or some other vulnerability. Initially, because they kept saying cloud, I assumed someone was packaging containers and making them available for use, pre-infected. It could just be relying on idiots provisioning new resources without doing updates or patches, you know, because cloud.
Re: (Score:2)
I kept looking for the initial deployment, but I guess it is done by gaining control or access through an unpatched or some other vulnerability
... that's why it's called malware. It's bad software. It's the second stage that comes after a system has been compromised... from any of the things that can lead to a system being compromised. What's the confusion here?
Re: (Score:2)
no idea myself but....... (Score:1)
How to .... (Score:3)
First, get a million dollars.
That is, once you've got total ownership effectively of any host, sure, sky's the limit. This is not news.
Brought to you by Microsoft (Score:2)
And their failing OS business.
Another article (Score:2)
https://www.bleepingcomputer.c... [bleepingcomputer.com]
This explains.... (Score:1)