CSO Online reports on the GoScanSSH malware, which targets Linux systems but deliberately steers clear of government- and military-operated servers:

For the initial infection, the malware uses more than 7,000 username/password combinations to brute-force attack a publicly accessible SSH server. GoScanSSH seems to target weak or default credentials of Linux-based devices, homing in on the following usernames to attempt to authenticate to SSH servers: admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

Those and other credential combinations are aimed at specific targets, such as the following devices and systems: Raspberry Pi, Open Embedded Linux Entertainment Center (OpenELEC), Open Source Media Center (OSMC), Ubiquiti networking products, jailbroken iPhones, PolyCom SIP phones, Huawei devices, and Asterisk systems.

After a device is infected, the malware determines how powerful the infected system is and obtains a unique identifier. The results are sent to a C2 server accessed via the Tor2Web proxy service “in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.”

The researchers determined the attack has been ongoing for at least nine months — since June 2017 — and has at least 250 domains; “the C2 domain with largest number of resolution requests had been seen 8,579 times.”

This is a nasty attack, but one that ought to be simple to prevent. The target device types and the usernames the malware tries are public, so the right defensive steps follow directly from them.

Two simple examples come to mind immediately:

  1. Remove any account from the list above that the system does not need. In most cases guest, oracle, osmc, pi, test, ubnt, ubuntu, and user are unnecessary and can be deleted. If one has to stay, rename it so that the bot's username list no longer matches (bearing in mind that this only defeats this particular list, not a bot that enumerates users some other way).
  2. Disable direct SSH login for root (PermitRootLogin no in sshd_config) and restrict SSH to the accounts that actually need it (for example with AllowUsers). There is never a reason to SSH directly as root; that is the entire point of sudo and su: log in as an unprivileged user, then use one of those commands to perform functions as root or another user.
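
A small audit script for the two points above, added here as an example rather than anything from the CSO Online or Talos write-ups. It lists which of the GoScanSSH usernames exist as local accounts and checks whether sshd still permits root login or password authentication. The passwd and sshd_config contents below are constructed sample files so the script runs offline; on a real host point the functions at /etc/passwd and /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example (not from the article or from Talos): audit a Linux host for the
# account names GoScanSSH brute-forces and for the sshd settings that matter
# against a password-guessing bot. Sample inputs are constructed below.

# Usernames from the Talos list quoted in the article.
GOSCANSSH_USERS="admin guest oracle osmc pi root test ubnt ubuntu user"

# Print each targeted username that exists as a local account in a passwd file.
targeted_accounts() {
    passwd_file=$1
    for u in $GOSCANSSH_USERS; do
        grep -q "^$u:" "$passwd_file" && printf '%s\n' "$u"
    done
    return 0
}

# Value of a top-level sshd_config directive, lower-cased. sshd uses the FIRST
# occurrence of a keyword, so we do too. Directives inside Match blocks are
# ignored here (assumption: you want the global default).
sshd_directive() {
    cfg=$1; key=$2
    awk -v k="$key" '
        tolower($1) == "match" { exit }                 # stop at the first Match block
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$cfg"
}

# Succeed (exit 0) only when root cannot log in over SSH AND password
# authentication is off. Caveat: turning PasswordAuthentication off assumes
# key-based login is already set up for the accounts you keep.
sshd_hardened() {
    cfg=$1
    root=$(sshd_directive "$cfg" PermitRootLogin)
    pw=$(sshd_directive "$cfg" PasswordAuthentication)
    case $root in
        no|prohibit-password|without-password) ;;
        *) return 1 ;;
    esac
    [ "$pw" = "no" ]
}

# --- constructed sample input: a host with a leftover "pi" account and a
# --- weak sshd_config (PasswordAuthentication left at its default of yes)
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
pi:x:1001:1001::/home/pi:/bin/bash
EOF
cat > "$tmp/sshd_config" <<'EOF'
# constructed weak configuration
PermitRootLogin yes
#PasswordAuthentication no
EOF

echo "accounts from the GoScanSSH list present on this host:"
targeted_accounts "$tmp/passwd"
if sshd_hardened "$tmp/sshd_config"; then
    echo "sshd: hardened"
else
    echo "sshd: root login or password authentication still permitted"
fi
rm -rf "$tmp"
```

Run it as root on the real files and you get the list of accounts to delete or rename, plus a yes/no on whether sshd would still accept a guessed password at all. Remember that sshd only reads the config at start, so reload it after editing.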

There are plenty of other ways to make this attack harder: disabling password authentication in favour of SSH keys removes the brute-force vector entirely, and rate-limiting or simply not exposing SSH to the internet shrinks the attack surface further. But simple actions like the two above are the ones most often overlooked.

Talos also published the IP blacklist and the domain blacklist that the malware consults to decide whether it should keep trying to compromise a system. Some of those domains include: .mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, govt.uk, .police.uk, .gov.au, govt.nz, and .mil.nz.

If the system or device is on neither set of blacklists, Talos “believes the attacker then compiles a new malware binary specifically for the compromised system and infects the new host, causing this process to repeat on the newly infected system.”

That is an interesting approach to avoiding government systems. It is not unprecedented, but it is not a method seen often.

This zero-day exploit against GStreamer does not give any warm fuzzies about Linux security:

One of the exploits – which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions – is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built into Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory.

Unlike most ASLR and DEP bypasses, the one folded into the GStreamer exploit doesn’t rely on code to manipulate the memory layout or other environmental variables. Instead, it painstakingly arranges the bytes of code in a way that completely disables the protections. And by eliminating the need for JavaScript or other memory-massaging code to execute on a targeted computer, it’s possible to carry out attacks that otherwise wouldn’t be possible. Chris Evans, the security researcher who developed the exploit, describes the challenge as “a real beast.”

If you are a penetration tester or just interested in the tools attackers use then chances are you are more than familiar with Kali Linux. The distro was recently updated to Kali Linux 2.0, and here are the top ten post-install tips designed to maximize your experience with this outstanding OS:

There are several ways you can use Kali – either as a “throw away pentesting machine” or as a “long term use OS”. The “throw away” method entails setting up Kali for a one off engagement or short term use, and then killing off the OS when done (this usually happens in virtual environments). The “long term use” use case describes people who want to use Kali on an ongoing basis for day-to-day use. Both methods are perfectly valid, but require different treatment. If you plan to use Kali on a day-to-day basis, you should avoid manual installs of programs in FHS-defined directories, as this would conflict with the existing apt package manager.

After a lengthy quiet period, the team responsible for Kali Linux took to their blog today to offer a teaser about the upcoming release day for Kali Linux 2.0:

We’ve been awfully quiet lately, which usually means something is brewing below the surface. In the past few months we’ve been working feverishly on our next generation of Kali Linux and we’re really happy with how it’s looking so far. There’s a lot of new features and interesting new aspects to this updated version, however we’ll keep our mouths shut until we’re done with the release. We won’t leave you completely hanging though…here’s a small teaser of things to come!

If you are unfamiliar with Kali Linux, it is arguably the best-known penetration testing and white-hat hacking Linux distribution available. It ships with Metasploit and a large collection of other tools that make ethical hacking easier and more productive.

The OpenSSL team is releasing a patch this Thursday for a “high severity” bug. The specifics are being withheld until the fix is out, so the extent of the vulnerability is not yet known:

It’s not yet known what exactly the vulnerability is: that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. According to the OpenSSL team, a “high severity” bug includes…

“issues affecting common configurations which are also likely to be exploitable. Examples include a server denial-of-service, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited.”

So this week’s bug could be anything from a denial-of-service (allowing an attacker to crash an online service) to a Heartbleed-style memory leak to a remote-code execution hole (allowing a miscreant to run malicious code on a vulnerable system).

Make sure you patch every workstation and server running OpenSSL on Thursday. Note that upgrading the package is not enough on its own: any long-running service that already has the old libssl or libcrypto loaded keeps executing the vulnerable code until it is restarted, so restart (or reboot) after the update to be sure this attack vector is shut down.
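
A check for that last point, added here as an example and not taken from the article: on Linux, a process that still has a replaced library mapped shows the old path in /proc/<pid>/maps with a “(deleted)” suffix. The function below extracts the stale OpenSSL libraries from a maps-format file, and a second function walks every process on the host. The maps content in the sample is constructed.

```sh
#!/bin/sh
# Added example (not from the article): find processes that still run the
# pre-patch OpenSSL code after the package on disk has been upgraded.

# Print the distinct OpenSSL library paths in a /proc/<pid>/maps-format file
# whose backing file has been replaced (Linux marks them "(deleted)").
# Fields in a maps line: address perms offset dev inode pathname [(deleted)]
stale_ssl_maps() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so.*\(deleted\)' "$1" | awk '{print $6}' | sort -u
}

# Walk all processes and report the PIDs that need a restart. Seeing other
# users' maps files requires root.
report_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(stale_ssl_maps "$maps" 2>/dev/null)
        [ -n "$libs" ] && printf '%s needs restart: %s\n' "$pid" "$(echo "$libs" | tr '\n' ' ')"
    done
    return 0
}

# --- constructed sample: what the maps of a daemon started before the
# --- OpenSSL upgrade look like (paths are illustrative)
sample=$(mktemp)
cat > "$sample" <<'EOF'
7f3a1c000000-7f3a1c1f5000 r-xp 00000000 08:01 393216 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1c1f5000-7f3a1c3f5000 ---p 001f5000 08:01 393216 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c45f000 r-xp 00000000 08:01 393217 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c800000-7f3a1c9a0000 r-xp 00000000 08:01 393300 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
echo "stale OpenSSL libraries in sample:"
stale_ssl_maps "$sample"
rm -f "$sample"

# On a real host, run: report_stale_processes
```

Anything this reports is still serving the unpatched code, however up to date the package database says the system is; restart those services (or reboot) and run it again until it prints nothing.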