Can’t be infected if I keep wiping my partition for a new shiny distro
Thousands of Linux systems infected by stealthy malware since 2021
Submitted 1 year ago by misk@sopuli.xyz to technology@lemmy.world
Comments
sirico@feddit.uk 1 year ago
db0@lemmy.dbzer0.com 1 year ago
Your install USB is infected by a rookit and reinstalls itself on connect.
NiHaDuncan@lemmy.world 1 year ago
Jokes on you, the rootkit is likely my own and I just forgot about it.
saddlebag@lemmy.world 1 year ago
This was my first thought. I haven’t had the same os installed for a few months max, nevermind 3 years
Buffalox@lemmy.world 1 year ago
This story reeks of FUD.
exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets,
Because a “common misconfiguration” will absolutely make your system vulnerable!!!
OK show just ONE!This is FUD to either prevent people from using Linux, or to get attention maybe to make you think you need additional security software.
whyNotSquirrel@sh.itjust.works 1 year ago
Crowd strike looking for a new market?
ITeeTechMonkey@lemmy.world 1 year ago
Unfortunately they are already in the market and making a mess: theregister.com/…/crowdstrike_linux_crashes_resto…
cron@feddit.org 1 year ago
ssh with an easy to guess root password?
Buffalox@lemmy.world 1 year ago
Wouldn’t that simply be a user mistake?
blibla@slrpnk.net 1 year ago
what does FUD stand for?
Agent641@lemmy.world 1 year ago
Fear, uncertainty and doubt
zante@lemmy.wtf 1 year ago
No mention of transmission methods as far as I understand the article
Buffalox@lemmy.world 1 year ago
The whole thing sounds fishy. Like it’s trying to convince people Linux is inherently vulnerable.
exploiting more than 20,000 common misconfigurations
Like WTF?
Buelldozer@lemmy.today 1 year ago
Like it’s trying to convince people Linux is inherently vulnerable.
I’m typing this reply from a machine running KDE Plasma on top of Linux Mint 22. I’m not sure what precisely what you mean by “inherently” but I’d like to point that “Linux” has security problems all over the place; the kernel has issues, the DEs have issues, the applications have issues. It’s more secure than Windows but that’s not a very high bar.
nyan@lemmy.cafe 1 year ago
It’s kind of an iffy assertion. That’s maybe the number of files it scans looking for misconfigurations it can exploit, but I’d bet there’s a lot of overlap in the potential contents of those files (either because of cascading configurations, or because they’re looking for the same file in slightly different places to mitigate distro differences). So the number of possible exploits is likely far fewer.
JohnnyCanuck@lemmy.ca 1 year ago
They have an “attack flow” diagram that seems to indicate a hacker installing it directly through a known vulnerability.
luciddaemon@lemmy.dbzer0.com 1 year ago
Seeing the diagram, it only attacks servers with misconfigured rocketMQ or CVE-2023-33426, which is already patched. Am I understanding this correctly?
cron@feddit.org 1 year ago
It probably has a large database of exploits it can use. The article claims 20k, but this seems to high for me.
ColeSloth@discuss.tchncs.de 1 year ago
Thousands!? Shit. That’s like all of them!
li10@feddit.uk 1 year ago
Sounds like it should at least be noticeable if you monitor resource usage?
Pantsofmagic@lemmy.world 1 year ago
That’s how some people found it, but it would disappear when someone would login to investigate.
li10@feddit.uk 1 year ago
Sure, but it’s still fairly detectable when it’s on a server at least, as long as you have monitoring. Just a bitch to pinpoint and fix.
cron@feddit.org 1 year ago
Yes, but they replace common tools like top or lsof with manipulated versions. This might at least trick less experienced sysadmins.
li10@feddit.uk 1 year ago
Not quite the monitoring I’m talking about though.
Basically, it seems like this would be a nightmare for a home user to detect, but a company is probably gonna pick up on this quite quickly with snmp monitoring (unless it somehow does something to that).
linearchaos@lemmy.world 1 year ago
Vulnerable to 20,000 misconfigurations, But squirted by 42 billion different simple checks that we all do anyway.
5 minute load greater than 80% of the number of cores? That’s an alarm…
sunbeam60@lemmy.one 1 year ago
Luckily I sit right next to my home server and can hear when the fans kick in under load. The absence of noise tells me I don’t have thus problem :)
misk@sopuli.xyz 1 year ago
Mine is ultra low voltage and I barely maintain it so this article gave me a bit of a scare. I’ll probably wipe it by the next reinstall anyway since it’s been nearly 10 years of Ubuntu LTS upgrades and it’s a mess (both what I’ve done to it and what Ubuntu has done to itself).
JoShmoe@ani.social 1 year ago
Millions of systems shut down by dumb microsoft os.
CyberSeeker@discuss.tchncs.de 1 year ago
Shouldn’t be this hard to find out the attack vector.
Buried deep, deep in their writeup:
RocketMQ servers
I’m sure if you’re running other insecure, public facing web servers with bad configs, the actor could exploit that too, but they didn’t provide any evidence of this happening in the wild (no threat group TTPs for initial access), so pure FUD to try to sell their security product.
Unfortunately, Ars mostly just restated verbatim what was provided by the security vendor Aqua Nautilus.
nyan@lemmy.cafe 1 year ago
There’s also a buried reference to using a several-years-patched gpac bug to gain root access before this thing can do most of its stealth stuff.
Basically, it needs your system to already have a known, unpatched RCE bug before it can get a foothold, and if you’ve got one of those you have problems that go way beyond stealth crypto miners stealing electricity.