leroux
Community Champion

Russian Linux Hackers Threaten National Security Say FBI And NSA

A joint security advisory from the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) is not a common occurrence. Neither, for that matter, are Linux security warnings.

The joint cybersecurity advisory in question, issued on August 13, takes a very technical deep dive into a Linux cyberespionage toolkit the agencies have dubbed "Drovorub."

Drovorub is described as being "a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server." A real killer of security drivers if ever there was.

A complete system infiltration and spying kit, enabling a backdoor into compromised networks that can be opened very stealthily by the threat actors, in other words. And that threat actor, the FBI and NSA say, is APT28.

The advanced persistent threat (APT) group identified as APT28 is also commonly known as Fancy Bear. To be more precise, the hacking collective labeled as APT28 is said to be associated with military unit 26165, the GRU's 85th Main Special Service Center (GTsSS). The FBI and NSA report reveals that Drovorub infrastructure has ties to the GTsSS infrastructure, and attributes the proprietary malware as being developed for use by them.

1 Reply
CraginS
Defender I


@leroux wrote:

A joint security advisory from the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) is not a common occurrence. Neither, for that matter, are Linux security warnings.

The joint cybersecurity advisory in question, issued on August 13, takes a very technical deep dive into a Linux cyberespionage toolkit the agencies have dubbed "Drovorub."

Drovorub is described as being "a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server." A real killer of security drivers if ever there was.

A complete system infiltration and spying kit, enabling a backdoor into compromised networks that can be opened very stealthily by the threat actors, in other words. And that threat actor, the FBI and NSA say, is APT28.

...
Yves,

Thank you. That is a valuable report for you to share.

I think it worth providing the following from the report Executive Summary:
"To prevent a system from being susceptible to Drovorub’s hiding and persistence, system administrators should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement. Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system."
Craig
D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
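The two mitigations quoted from the advisory's Executive Summary (kernel 3.7 or later, and loading only modules with a valid signature) can be verified on a running host. The script below is an added example written for this thread, not code from the advisory or from either poster. It assumes the standard sysfs path `/sys/module/module/parameters/sig_enforce`, which reads `Y` when the kernel rejects unsigned modules (`CONFIG_MODULE_SIG_FORCE`, or `module.sig_enforce=1` on the kernel command line) and `N` when unsigned modules are merely allowed to load with a taint flag; the function names are this example's own.

```shell
#!/bin/sh
# Added example: check the two Drovorub mitigations named in the FBI/NSA
# Executive Summary on a Linux host.
#   1. kernel release 3.7 or later (first version with module signing)
#   2. module signature enforcement actually switched on

# Return 0 when the kernel release string ($1, e.g. "5.4.0-80-generic")
# is 3.7 or newer. Only the major.minor fields are compared.
kernel_at_least_3_7() {
  release=$1
  major=${release%%.*}
  if [ "$release" = "$major" ]; then
    minor=0                          # no dot at all: treat as X.0
  else
    rest=${release#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # drop "-generic", ".el7" style suffixes
  fi
  major=${major%%[!0-9]*}
  if [ "${major:-0}" -gt 3 ]; then return 0; fi
  if [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -ge 7 ]; then return 0; fi
  return 1
}

# Evaluate both mitigations. $1 = kernel release, $2 = contents of
# /sys/module/module/parameters/sig_enforce ("Y", "N", or empty when the
# file does not exist). Prints one line per finding; returns 0 only when
# both checks pass.
assess_module_signing() {
  status=0
  if kernel_at_least_3_7 "$1"; then
    echo "ok:   kernel $1 supports module signature enforcement"
  else
    echo "FAIL: kernel $1 is older than 3.7; update before relying on signed modules"
    status=1
  fi
  case "$2" in
    Y) echo "ok:   sig_enforce=Y, unsigned kernel modules are rejected" ;;
    N) echo "FAIL: sig_enforce=N, unsigned modules still load (kernel is only tainted)"
       status=1 ;;
    *) echo "FAIL: sig_enforce not exposed; kernel likely built without CONFIG_MODULE_SIG"
       status=1 ;;
  esac
  return $status
}

# Read the live values from the host and run the assessment.
check_live_system() {
  sig=$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null || true)
  assess_module_signing "$(uname -r)" "$sig"
}

# Run against the local host only when invoked with --live, so the
# functions can also be sourced or unit-tested with constructed inputs.
case "${1:-}" in
  --live) check_live_system ;;
esac
```

Run it as `sh check_modsign.sh --live` on each host; a non-zero exit means at least one of the advisory's two recommendations is not in place. Enforcement of signatures is the point, not merely having signing compiled in: with `sig_enforce=N` an unsigned module such as a rootkit still loads, and the only trace is a taint bit. On hosts that never need to load modules after boot, setting the `kernel.modules_disabled` sysctl to 1 closes the loading path entirely for the rest of that boot.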