A new form of malware from Russian hackers has affected Linux users throughout the United States. This is not the first cyberattack from a nation-state, but this malware is more dangerous because it generally goes undetected. Linux runs not only on individual devices but on supercomputers and on Internet of Things devices in both the home and the office. Though many Linux users believe Windows is more of a target for these hacking groups, their operating systems are just as much at risk.
How the Malware Works
The overall goal of this malware is to infiltrate sensitive systems, steal confidential data and obtain total control over the device and its operating system. The malware is called “Drovorub,” which in Russian breaks down to “wood” and “cutter,” though some security researchers note that “drova” is also slang for drivers. Read that way, the name means “driver cutter,” in the sense that the malware cuts into the kernel drivers of a computer system.
The attack begins when the malware on a device connects to the attackers' command and control servers. The hacking group behind it, which works for Russian intelligence and is otherwise known as Fancy Bear or APT28, eventually gains control over the infiltrated system. Several components are involved in the attack:
- A client that infects the device
- A kernel module that uses rootkit tactics to hide the malware's presence from security defenses
- A server operated by the hackers so they can control the infected machines and obtain data
- An intermediary between infected machines and compromised servers that is used to maintain control
The rootkit portion of the malware is the most dangerous, as it is what keeps the malware undetected by any antivirus program on the system. Together, these tools create a backdoor for file uploads and downloads, allow the hackers to execute their own commands on the affected system, and forward network traffic to other hosts on the same infected network.
Recurring Risks Require Substantial Security
This is not the first time this particular group has struck: it was reported earlier this month that they had hacked printers, video decoders and other IoT devices in order to gain access to the computer systems those devices were connected to.
The most common recommendation from the FBI and other cybersecurity experts is to keep your Linux operating system up to date. Running a Linux kernel of version 3.7 or later can help in patching vulnerabilities that a hacking group could exploit. In addition, organizations that run Linux at any scale are advised to run network intrusion detection systems and to use security products, live response tools, and disk image analysis. McAfee specifically stated that users should scan their systems for rootkits and use Linux Kernel Lockdown to isolate the problem.
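To turn that advice into a quick check, here is an added shell script (written for this page, not code from the article, the FBI or McAfee) that verifies the running kernel is 3.7 or later, whether loadable-module signature enforcement (the feature that kernel 3.7 introduced, which is why that version matters) is switched on, and which kernel lockdown mode is active. It assumes the standard Linux sysfs paths for those settings and reports any file it cannot read as "unknown".

```shell
#!/bin/sh
# Added example, not from the article: posture check for kernel version,
# module signature enforcement and kernel lockdown. Standard sysfs paths are
# assumed; anything unreadable is reported as "unknown".

# kernel_at_least VERSION MINIMUM -> success if MAJOR.MINOR of VERSION >= MINIMUM.
# Handles distro strings such as "5.4.0-42-generic" or "3.10.0-1160.el7.x86_64".
kernel_at_least() {
    local have="$1" want="$2" hmaj hmin wmaj wmin
    case "$have" in *.*) ;; *) have="$have.0" ;; esac    # "6" -> "6.0"
    case "$want" in *.*) ;; *) want="$want.0" ;; esac
    hmaj=${have%%.*}; hmin=${have#*.}; hmin=${hmin%%.*}; hmin=${hmin%%[!0-9]*}
    wmaj=${want%%.*}; wmin=${want#*.}; wmin=${wmin%%.*}; wmin=${wmin%%[!0-9]*}
    if [ "$hmaj" -gt "$wmaj" ]; then return 0; fi
    if [ "$hmaj" -lt "$wmaj" ]; then return 1; fi
    [ "$hmin" -ge "$wmin" ]
}
# first_line FILE -> the file's first line, or "unknown" if it cannot be read
first_line() { if [ -r "$1" ]; then head -n 1 "$1"; else echo unknown; fi; }

# lockdown_mode [FILE] -> the active mode from /sys/kernel/security/lockdown,
# whose content looks like "none [integrity] confidentiality" (brackets = active)
lockdown_mode() {
    local line
    line=$(first_line "${1:-/sys/kernel/security/lockdown}")
    case "$line" in
        *\[*\]*) line=${line#*\[}; echo "${line%%\]*}" ;;
        *)       echo unknown ;;
    esac
}
# module_sig_enforced [FILE] -> "Y", "N" or "unknown" (kernel parameter sig_enforce)
module_sig_enforced() { first_line "${1:-/sys/module/module/parameters/sig_enforce}"; }

# posture_report KERNEL_VERSION -> one line per check; returns 1 if any check fails
posture_report() {
    local kver="$1" ok=0 sig ld
    if kernel_at_least "$kver" 3.7; then echo "kernel $kver: 3.7 or later, OK"
    else echo "kernel $kver: older than 3.7, module signing cannot be enforced"; ok=1; fi
    sig=$(module_sig_enforced)
    if [ "$sig" = Y ]; then echo "module signature enforcement: on"
    else echo "module signature enforcement: $sig"; ok=1; fi
    ld=$(lockdown_mode)
    case "$ld" in
        integrity|confidentiality) echo "kernel lockdown: $ld" ;;
        *) echo "kernel lockdown: $ld (not active)"; ok=1 ;;
    esac
    return "$ok"
}
posture_report "${1:-$(uname -r)}" || echo "one or more checks failed; see above"
```

Run it as root on the host being checked (some sysfs entries are only readable by root), passing a kernel version as the first argument if you want to evaluate a string other than the running kernel's.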
Linux systems are becoming more of a target because they generally fly under the radar and are left unprotected by individuals and corporate offices alike. If you are the victim of a cyberattack, call our SecureForensics team. Our investigators have years of experience finding the source of a cyberattack, ending it, and determining what data was compromised.
Malware attacks happen more often than ever before, so a secure backup system is also necessary to preserve your important files even if the main system becomes compromised. Our hardware-encrypted SecureDrives keep out unauthorized parties with secure authentication methods and built-in antivirus.