Bleedingtooth, Russians, and Penguins
This week I have partnered with a colleague. Josh Kozak wrote an awesome article.
Check out his LinkedIn profile:
Due to the limited desktop use of Linux, I always forget that there indeed exists malware for Linux-based systems. Coupled with the fact that most Linux distributions ship with popular security tools such as SELinux, firewalld, UFW or iptables baked right in, it is easy to feel safe and secure in a Linux environment. Recently, however, two reports served as a reminder to update kernels and detection rules. One is the widespread Bluetooth vulnerability (BleedingTooth) affecting BlueZ, the Linux Bluetooth stack, and the other is the NSA report detailing the Drovorub malware toolset for Linux systems.
While that may seem a very specific set of circumstances for the vulnerability to be exploited, it is important to remember that BlueZ also ships on most Linux-based IoT devices. That would let attackers pick and choose their targets at leisure and, through those devices, reach even more valuable assets on the network. Being IoT devices, they are also more likely to be missed in a sweep of system or kernel upgrades and could well be running vulnerable kernel versions.
Intel announced that upgrading your kernel to version 5.9 or higher fixes the vulnerability. They also released patches for older kernels in case a full kernel upgrade is not viable.
client gets installed on the target system by the actor and can then receive commands from the server and transfer files to and from the system it is installed on. The client is also packaged with a kernel module that provides rootkit-style stealth to hide the client and the kernel module themselves. The server and the agent are typically both installed on infrastructure that the attacker controls. The server keeps a MySQL database for registration, authentication and tasking of the agent. The agent receives commands from the server, and its purpose is mainly to upload and download files from the client and forward network traffic through
To defend against the Drovorub malware, it is recommended to update the Linux kernel to version 3.7 or later. The report also provides rules for both network-based and host-based detection, and it covers memory analysis to help find any instances of the malware.
The fact that these tools are bundled together will make it easier to write scripts that could target older production systems, which are less likely to have working, current backups. Also, looking at where Linux is mostly used (business and production servers, industrial PLCs and IoT devices) suggests that these tools were most likely created for industrial or commercial espionage. Add the fact that all of this works on kernel versions much older than current ones, and it leads me to believe there are far more malware tools out there that are just as effective against newer Linux systems as well.
These two reports had me pause and check what I was doing with the Linux system on my laptop. I ran through a list of things, from checking my kernel version to how my Bluetooth service launched and ran. I even realized that the install I had performed hadn't really been configured with a firewall. So, no matter how secure your castle feels, it's always a good idea to go out and check for cracks in the foundation.
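The self-check described above, written out as an added shell example (not part of the original article): it compares a kernel release string against the two thresholds the article cites (5.9 for BleedingTooth, 3.7 for Drovorub) and, when run with `--host`, reports whether the Bluetooth service and common firewall services are active. The systemd unit names are assumptions about a systemd-based distribution.

```shell
#!/bin/sh
# Added example, not from the article: a quick self-check against the two
# advisories discussed above. Thresholds are the ones the article states.

# Print "MAJOR MINOR" for a release string such as "5.4.0-42-generic".
major_minor() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-42-generic" and the like
    case "$v" in
        *.*) m=${v#*.}; echo "${v%%.*} ${m%%.*}" ;;
        *)   echo "${v:-0} 0" ;;
    esac
}

# Succeed (exit 0) when kernel release $1 is at least version $2.
kernel_at_least() {
    set -- $(major_minor "$1") $(major_minor "$2")
    if [ "$1" -gt "$3" ]; then return 0; fi
    if [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; then return 0; fi
    return 1
}

# One-line verdict for a kernel release against both advisories.
assess_kernel() {
    if kernel_at_least "$1" 5.9; then bt=patched; else bt=VULNERABLE; fi
    if kernel_at_least "$1" 3.7; then dr=ok; else dr=UPDATE; fi
    echo "BleedingTooth=$bt Drovorub=$dr"
}

# Live checks for this host. Unit names are assumptions about a systemd-based
# distribution; adjust them for your init system.
host_check() {
    assess_kernel "$(uname -r)"
    if command -v systemctl >/dev/null 2>&1; then
        for unit in bluetooth firewalld ufw nftables iptables; do
            printf '%s: %s\n' "$unit" "$(systemctl is-active "$unit" 2>/dev/null || true)"
        done
    fi
}

if [ "${1:-}" = "--host" ]; then host_check; fi
```

A kernel reported as "patched" by version number alone is not proof: distributions backport fixes into older release numbers, so confirm against your vendor's advisory as well.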