"Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat"

Hi,

if I may comment on that one: These days, we see a lot of reports on malware targeting Linux machines, both botnets and backdoors/rootkits. There are two common aspects that struck me:

  1. Initial infection vector is trivial, if not primitive.
    It has been a while since I saw the last report on Linux malware that spread through something fancy, such as 0-day (or near-0-day) exploitation. While the initial access vector is not always known, it often boils down to successful brute-forcing of publicly exposed SSH servers, or exploitation of vulnerabilities that have been published (and patched) a long time ago.
    Certainly, it is sad to see that despite all prayers from security organizations, CERTs and other industry actors, basic security principles such as swift and thorough patching still are often neglected. (And in this regard, it must be noted that less than 50% of all IPFire installations run on the latest Core Update, or the one before, so we clearly have potential for improvement on that front. :frowning: )
    However, it is good to see that patching works, and that - unlike other operating systems - security issues such as 0-days still remain a niche threat to Linux users. (It is not clear, however, how this would change if Linux gained some decent popularity on end-user devices…)

  2. Despite its sophisticated userland activity, Symbiote does not appear to feature a kernel-space one.
    This seems a bit odd to me, as a malware author that capable could have added kernel-space persistence measures as well. However, given that apparently even userland-based rootkits still go widely unnoticed during forensic investigations, that might not have been necessary to achieve the target of this threat actor.

To cut it short: Please, please, please, install Core Updates on IPFire as soon as possible, and ensure your entire IT landscape is provided with updates of any kind in a timely and thorough manner. Or, to put it more bluntly: The time you save doing so is then wasted on incident response, and trying to scrub infected systems - which is, given the sophistication of post-exploitation activity, more difficult by orders of magnitude.

Thanks, and best regards,
Peter Müller
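Added example, not part of the post above and not IPFire code: a small triage script for the class of userland rootkit the second point refers to. Public analyses of Symbiote describe it as a shared object loaded into every process through the dynamic linker's preload mechanism, so two cheap checks a responder can run (on a live host or against a mounted image via PROC_ROOT and PRELOAD_FILE) are: does /etc/ld.so.preload contain anything at all, and which processes have shared objects mapped from outside the normal library directories. The library name, PID and allowlist regex below are constructed for the sample; tune the allowlist to the distribution being examined.

```shell
#!/bin/sh
# Added example (not from the forum post or IPFire): triage checks for
# preload-style userland hooking. PRELOAD_FILE / PROC_ROOT default to the
# live system but can point at a forensic image.

PRELOAD_FILE="${PRELOAD_FILE:-/etc/ld.so.preload}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the non-empty, non-comment entries of a preload file (nothing if unreadable).
preload_entries() {
    [ -r "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | sed 's/^[[:space:]]*//'
}

# Succeeds (exit 0) when the preload file lists at least one object:
# on most hosts this file should not exist or should be empty.
preload_file_suspicious() {
    [ -n "$(preload_entries "$1")" ]
}

# From one /proc/<pid>/maps file, list mapped shared objects that live
# outside the usual library directories (constructed allowlist regex).
unusual_mapped_libs() {   # $1 = path to a maps file
    awk '$6 ~ /\.so(\.|$)/ { print $6 }' "$1" | sort -u |
        grep -Ev '^/(usr/)?lib(32|64|x32)?/' || true
}

# Walk every process under PROC_ROOT and print "<pid>\t<libs>" for hits.
scan_processes() {
    for maps in "$PROC_ROOT"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#"$PROC_ROOT"/}
        pid=${pid%/maps}
        libs=$(unusual_mapped_libs "$maps")
        if [ -n "$libs" ]; then
            printf '%s\t%s\n' "$pid" "$libs"
        fi
    done
}

# Constructed sample (hypothetical library name and PID) so the checks can
# be exercised offline; prints the temp directory it created.
build_sample() {
    dir=$(mktemp -d)
    printf '/usr/local/lib/libnss_example.so\n' > "$dir/ld.so.preload"
    mkdir -p "$dir/proc/4242"
    cat > "$dir/proc/4242/maps" <<'EOF'
7f00 r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libc.so.6
7f01 r-xp 00000000 08:01 2 /usr/local/lib/libnss_example.so
7f02 r-xp 00000000 08:01 3 /usr/bin/ps
EOF
    printf '%s\n' "$dir"
}

# Stand-alone use: "sh triage.sh scan" runs both checks against the
# live system (or the image selected via PRELOAD_FILE / PROC_ROOT).
if [ "${1:-}" = "scan" ]; then
    if preload_file_suspicious "$PRELOAD_FILE"; then
        echo "preload file $PRELOAD_FILE has entries:"
        preload_entries "$PRELOAD_FILE"
    fi
    scan_processes
fi
```

A hit from either check is evidence to pivot on, not a verdict: legitimate software (some EDR agents, debugging tools) also uses preloading, so compare the flagged objects against package manifests and known-good hashes before concluding anything. Because a preload hook can filter what `ps` or `ls` report on the live host, running the same script against an offline image of the disk and a memory capture is the more trustworthy variant.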
