Technology

58550 readers

6877 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

179

Thousands of Linux systems infected by stealthy malware since 2021 (arstechnica.com)

submitted 4 days ago by misk@sopuli.xyz to c/technology@lemmy.world

35 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] CyberSeeker@discuss.tchncs.de 82 points 4 days ago (1 children)

Shouldn’t be this hard to find out the attack vector.

Buried deep, deep in their writeup:

RocketMQ servers

CVE-2021-4043 (Polkit)
CVE-2023-33246

I’m sure if you’re running other insecure, public facing web servers with bad configs, the actor could exploit that too, but they didn’t provide any evidence of this happening in the wild (no threat group TTPs for initial access), so pure FUD to try to sell their security product.

Unfortunately, Ars mostly just restated verbatim what was provided by the security vendor Aqua Nautilus.

[–] nyan@lemmy.cafe 17 points 4 days ago

There's also a buried reference to using a several-years-patched gpac bug to gain root access before this thing can do most of its stealth stuff.

Basically, it needs your system to already have a known, unpatched RCE bug before it can get a foothold, and if you've got one of those you have problems that go way beyond stealth crypto miners stealing electricity.