What is Old (Gelsemium), is Again New (Wolfsbane)

So, the other day, I was walking down our main street, and I noticed a girl wearing bell-bottom pants. Wow, that takes me back to the late 1960s and into the ’70s. Everyone was wearing bell-bottom pants back then. I even had a few pairs myself. In truth, that fad started with sailors wearing bell-bottom pants. The British Navy began the “fad” in 1813, and the US Navy followed close behind. Was this fad coming back? Well, what is old often becomes new again. BTW, Wrangler sells women’s bell-bottom pants for $89.99, if you are interested. Now, back to cyber-security.
Two well-documented Chinese backdoors have recently been modified to operate on Linux systems. The advanced persistent threat (APT) group "Gelsemium" is a decade old now, and the new malware tied to the group, Wolfsbane and Firewood, can trace its lineage back to 2005. Throughout its history, Gelsemium has focused on information gathering from Windows systems. Now, it has adjusted its tooling to operate just as effectively in Linux environments. Experts say this is merely the latest manifestation of a long-brewing trend.

Suppose you wonder where the APT name came from. Gelsemium is a medical remedy prepared from the bark of the root of the plant Gelsemium Sempervirens, commonly known as Yellow Jasmine. It belongs to a family of flowering plants known as Loganiaceae. Gelsemium is mainly used to treat complaints of anxiety, headache, vertigo, cold, nasal allergies, and weakness. The Gelsemium malware causes these same symptoms in those it affects, especially anxiety.

See: https://redskyalliance.org/xindustry/intelligence-report-all-sector-cyber-threats-1

"The Linux malware landscape is certainly accelerating," says Jason Soroko, senior fellow at Sectigo. "The increase does make sense, as organizations have heavily adopted Linux for their back-office server needs, both on-premises and in the cloud. Adversaries are developing cross-platform malware to maximize their reach."

The first public sample of the first new backdoor, dubbed Wolfsbane, was uploaded to VirusTotal on 06 March 2023 from Taiwan, with later uploads coming from the Philippines and Singapore (historically, Gelsemium has targeted entities in the Middle East and East Asia). Contextual evidence suggests malware authors have exploited vulnerabilities in Java Web applications to access public-facing Apache Tomcat servers. A deeper look inside reveals unmistakable overlaps with Gelsevirine, a Windows backdoor known to be used by Gelsemium. In essence, the Wolfsbane malware was a Linux port of Gelsevirine featuring a modified Beurk Experimental Unix RootKit to hide its various malicious activities.

Alongside Wolfsbane, though not definitively attributable to Gelsemium, was a second Linux-ported backdoor, Firewood. In addition to its varied and typical backdoor capabilities, it possesses a kernel-level rootkit. Most interestingly, Firewood appears to be the latest evolution of "Project Wood," a backdoor family that traces back generations to a program first compiled in January 2005. The latest manifestation of Project Wood before Firewood, NSPX30, was reported earlier this year.

See: https://redskyalliance.org/xindustry/so-what-else-is-new

Cyber threats rise across the board every year, but the rise in Linux-based threats stands out. Since at least 2020, vendors have tracked double- and triple-digit year-over-year increases in Linux attacks. In its annual "Global Threat Report," Elastic Security has regularly found that the Linux threat landscape vastly outpaced that of macOS, more closely resembling Windows in terms of the sheer volume of attacks. In 2023, for example, it found that 54% of endpoint attacks affected Linux-based devices, compared with just 39% for Windows.

Over the past 12 months, around 32% of malware infections have targeted Linux, according to Jake King, Elastic's head of threat and security intelligence. "While steadily increasing, we are seeing greater volumes of attacks and, in some cases, with greater levels of sophistication. The XZ/Liblzma backdoor discovered by researchers earlier this year shows the desire of adversaries to compromise Linux hosts, likely for a variety of reasons, growing in sophistication to supply chain compromise," he says.

The rising threats to Linux may be attributable to the increasing adoption of Linux in enterprise environments, as Soroko alluded to, or to the generally improving state of Windows security, the explanation ESET went with in its blog post, or to an even simpler explanation. "One of the reasons for growing observations can always be targeted to adversarial focus changing, but it is also likely that security tooling and telemetry for Linux hosts are improving at a pace whereby attacks are identified earlier, with a greater level of context," King suggests. For example, "A growing trend for threat observations this year was Impaired Defenses for Linux, showing that adversaries are specifically looking to bypass security tools native to Linux or disable third-party security tools. This is important, as it shows we're exposing many attacks that would have previously gone undetected years ago."


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
