Alert: Russian Hackers Deploying Linux Malware
Alert From NSA and FBI Warns of Drovorub Malware Used by 'Fancy Bear' Group
An alert from the U.S. National Security Agency and the FBI warns of a recently discovered Russian-deployed malware variant called Drovorub that's designed to target Linux systems, creating a backdoor into targeted networks to exfiltrate data.
Drovorub is being deployed by the Russian state-backed hacking group known as "Fancy Bear" or APT28, which the alert identifies as the 85th Main Special Service Center (GTsSS), military unit 26165, of the Russian General Staff Main Intelligence Directorate, or GRU.
The alert warns that the Russian hackers are likely to target Linux systems used by private companies or government agencies that are associated with national security or defense projects.
The Russian GRU 85th GTsSS, sometimes publicly known as #APT28 or #FancyBear, is using a previously undisclosed #Linux malware called Drovorub for cyber espionage operations. For full details and mitigations, review our #cybersecurity advisory with @FBI: https://t.co/xor9u0RD0U
— NSA Cyber (@NSACyber) August 13, 2020
"Information in this cybersecurity advisory is being disclosed publicly to assist national security system owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. presidential election," according to the alert issued Thursday.
The FBI and NSA are encouraging organizations that use Linux to upgrade to Linux kernel 3.7 or later, the first release that can verify kernel module signatures, and to "configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system."
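The following shell script is an added example, not code from the NSA/FBI advisory or from this article. It checks the two conditions the alert describes on a Linux host: that the running kernel is at least 3.7 (the release that introduced CONFIG_MODULE_SIG, the kernel's module signature verification) and that signature enforcement is actually switched on, which the kernel exposes as /sys/module/module/parameters/sig_enforce. It also reads the build config for CONFIG_MODULE_SIG_FORCE and the kernel.modules_disabled sysctl, a stronger one-way lockout that stops any further module loading until reboot. The function names, the --audit flag and the file name modsig_audit.sh are this example's own choices; every path is a parameter so the checks can be exercised against constructed files.

```shell
#!/bin/sh
# Added example: audit a Linux host for the kernel-module signing hardening the
# NSA/FBI Drovorub advisory recommends. Not part of the advisory itself.

# kernel_at_least_3_7 VERSION -> 0 if VERSION (as printed by `uname -r`) is >= 3.7.
# Module signature verification (CONFIG_MODULE_SIG) first shipped in Linux 3.7.
kernel_at_least_3_7() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    minor="${minor%%[!0-9]*}"      # "10-rc1" -> "10", "0-42-generic" -> "0"
    minor="${minor:-0}"
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 7 ] && return 0
    return 1
}

# modsig_enforced [FILE] -> 0 when the kernel refuses unsigned modules.
# FILE defaults to the live sysfs parameter, which reads "Y" or "N".
modsig_enforced() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$f" ] || return 2
    case "$(cat "$f")" in
        Y) return 0 ;;
        *) return 1 ;;
    esac
}

# config_has FILE OPTION -> 0 when FILE (e.g. /boot/config-$(uname -r)) sets OPTION=y.
config_has() {
    grep -qx "$2=y" "$1"
}

# modules_locked [FILE] -> 0 when kernel.modules_disabled is 1: no module can be
# loaded at all, signed or not, until the next reboot.
modules_locked() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# audit_host: run every check against the live system and report; non-zero
# exit status if any hard check fails.
audit_host() {
    rc=0
    kv="$(uname -r)"
    if kernel_at_least_3_7 "$kv"; then echo "ok   kernel $kv supports module signing"
    else echo "FAIL kernel $kv predates module signing (3.7)"; rc=1; fi
    if modsig_enforced; then echo "ok   sig_enforce=Y (unsigned modules rejected)"
    else echo "FAIL sig_enforce is not Y: unsigned modules can be loaded"; rc=1; fi
    cfg="/boot/config-$kv"
    if [ -r "$cfg" ]; then
        for opt in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_FORCE; do
            if config_has "$cfg" "$opt"; then echo "ok   $opt=y"
            else echo "warn $opt not set in $cfg"; fi
        done
    fi
    if modules_locked; then echo "ok   kernel.modules_disabled=1"
    else echo "info kernel.modules_disabled=0 (set to 1 after boot on hosts with a fixed module set)"; fi
    return $rc
}

# Only touch the live system when invoked as `sh modsig_audit.sh --audit`, so the
# functions can be sourced and tested against sample files.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

sig_enforce reads Y when the kernel was built with CONFIG_MODULE_SIG_FORCE=y, or when module.sig_enforce=1 was passed on the kernel command line; with only CONFIG_MODULE_SIG=y and no enforcement, unsigned modules still load and the kernel merely taints itself, which is the gap the advisory's wording is about.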
Links to GRU
Analysts have linked Drovorub to the Russian hackers working for the GRU, the alert states, noting that the command-and-control infrastructure associated with this campaign had previously been used by the Fancy Bear group.
An IP address linked to a 2019 Fancy Bear campaign is also associated with the Drovorub malware activity, according to the report.
Drovorub has several components: an implant (the client) paired with a kernel-module rootkit, a file transfer and port forwarding tool (the agent), and a command-and-control server. Together they are designed to gain a foothold in the network, maintain the backdoor and exfiltrate data, according to the alert.
"When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled [command-and-control] infrastructure; file download and upload capabilities; execution of arbitrary commands as 'root'; and port forwarding of network traffic to other hosts on the network," according to the alert.
Steve Grobman, CTO at the security firm McAfee, notes that the rootkit associated with Drovorub can allow hackers to plant the malware within a system and avoid detection, making it a useful tool for cyberespionage or election interference.
"The element of stealth allows the operatives to implant the malware in many different types of targets, enabling an attack at any time," Grobman tells Information Security Media Group. "Attackers can launch cyber warfare campaigns to inflict significant damage or disruption and do so without geographic proximity to their target. The objectives of Drovorub were not called out in the report, but they could range from industrial espionage to election interference."
Detection and Mitigation
Although Drovorub provides rootkit-based stealth functionality, the malware can be detected and prevented using a number of techniques, the alert notes.
These include using network intrusion detection systems, for which the alert supplies Snort and YARA signatures, to identify the command-and-control infrastructure and the messages exchanged between the implant and the server.
The alert also recommends endpoint detection and memory forensics: acquiring system memory with LiME and analyzing it with Volatility to uncover the kernel module and other malicious behavior that the rootkit hides from the running system.
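A live-response complement to the memory-forensics route, as an added example that is not from the advisory and makes no claim about Drovorub's internals: a kernel module that hides itself by unlinking from the kernel's module list disappears from /proc/modules and lsmod, but its directory under /sys/module usually remains. Volatility's linux_check_modules plugin performs this same comparison against a memory image; the script below does it on the live host. Paths are parameters so the function can be run against constructed directories; the function name, the --scan flag and the file name hidden_modules.sh are this example's own choices. The caveat a practitioner needs: a rootkit that also removes its sysfs entry, or hooks the reads of these files, evades this check, which is why the alert points at acquiring memory with LiME rather than trusting the running kernel.

```shell
#!/bin/sh
# Added example: report kernel modules that have a sysfs directory but are
# missing from the kernel's module list. Not part of the advisory.

# hidden_modules [PROC_MODULES] [SYS_MODULE]
# Prints one name per line for every loadable module visible under SYS_MODULE
# (default /sys/module) that does not appear in PROC_MODULES (default
# /proc/modules, the list lsmod reads). Returns 0 if none were found, 1 otherwise.
hidden_modules() {
    proc_modules="${1:-/proc/modules}"
    sys_module="${2:-/sys/module}"
    found=0
    for d in "$sys_module"/*/; do
        [ -d "$d" ] || continue
        # Only loadable modules carry an initstate attribute; built-in code that
        # merely exposes parameters under /sys/module does not, so skip it.
        [ -f "$d/initstate" ] || continue
        name="${d%/}"
        name="${name##*/}"
        # The first field of each /proc/modules line is the module name.
        if ! awk -v n="$name" '$1 == n { hit = 1 } END { exit !hit }' "$proc_modules"; then
            echo "$name"
            found=1
        fi
    done
    return $found
}

# Scan the live host when invoked as `sh hidden_modules.sh --scan`.
if [ "${1:-}" = "--scan" ]; then
    if hidden_modules; then
        echo "no hidden modules found (a module can also hide from sysfs: take a memory image)"
    fi
fi
```

Run it from a read-only live-response toolkit rather than the host's own binaries where possible, since a rootkit that hides files and processes may also tamper with awk or the shell.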
Targeting Linux Systems
Attacks targeting Linux devices have steadily increased this year.
In June, security firms BlackBerry and KPMG reported that Tycoon, a Java-based ransomware that runs on both Windows and Linux, has been selectively targeting education and software companies since December 2019 (see: Report: Tycoon Ransomware Targets Windows, Linux Systems).
In May, Kaiji, a newly discovered botnet, compromised Linux servers and IoT devices using brute-force methods, according to security firm Intezer (see: Kaiji Botnet Targets Linux Servers, IoT Devices).