The Cybersecurity Express – October 4, 2024

You stand on the platform, the distant hum of tracks vibrating beneath your feet as the “Cybersecurity Express” pulls into the station, its gleaming silver body catching the early morning light. The smell of fresh coffee wafts through the air, mingling with the crisp scent of paper, as if each page of news you’re about to encounter has just been printed. The carriages promise a world of insight, one filled with mysteries unraveled and threats uncovered. As the doors slide open, the thrill of the unknown awaits—who knows which headline will cross your path first? You step inside, guided to your seat by a friendly conductor who hands you today’s ticket, stamped All Access.

Settling in, you glance out the window as the landscape begins to blur, shifting from real-world concerns to the latest in cyber landscapes. The train hums with energy, each click of the rails symbolizing data being shared, firewalls being tested, and networks fortified. Somewhere up ahead is today’s first stop: a deep dive into one of the year’s most intriguing cybersecurity stories. With a whistle and a lurch, the Cybersecurity Express begins its journey, taking you directly into the heart of the latest digital battleground. The destination? Insight, knowledge, and perhaps a new perspective on the evolving threats shaping our digital world. All aboard!

Perfctl: A Sophisticated and Stealthy Malware Targeting Millions of Linux Servers

A new, highly evasive malware known as “perfctl” is actively targeting Linux servers in an expansive campaign, with attackers deploying a cryptocurrency miner and proxyjacking software designed to exploit system resources for financial gain. Researchers Assaf Morag and Idan Revivo highlighted perfctl’s resilience and complexity in a detailed report, explaining its sophisticated evasion tactics and the risk it poses to Linux-based infrastructures worldwide.

According to the research team, the malware is highly elusive, leveraging several advanced techniques to evade detection and persist within infected systems. Upon infecting a server, „perfctl” halts all suspicious activities whenever a new user logs in, resuming its tasks only when the server is idle. This strategy, combined with its ability to delete its binary file after execution, allows perfctl to operate covertly as a background service, effectively minimizing its footprint and avoiding most conventional security scans.

The malware’s name, “perfctl” is a deliberate attempt to mimic legitimate Linux processes, blending in with native performance monitoring and control tools such as „perf”, „systemctl”, and „timedatectl”, making it harder for system administrators to spot anomalous activity. The campaign, originally identified by Cado Security, showed that perfctl exploits the well-known „Polkit” vulnerability, CVE-2021-4034, also known as „PwnKit”, to elevate privileges on compromised servers. This privilege escalation enables the malware to install a cryptocurrency miner, named „perfcc”, and execute further malicious operations.

Perfctl’s deployment method begins with a breach via vulnerable Apache RocketMQ instances or open Selenium Grid setup, which are often exposed to the internet. Upon successful infiltration, the malware downloads a payload identified as „httpd”, named to appear as a standard HTTP process. After execution, „perfctl” copies itself to the `/tmp` directory, launches the new binary, and terminates its original instance to prevent detection. To cover its tracks, the malware deletes the initial binary and renames itself to blend seamlessly with typical system processes.

Perfctl’s capabilities extend beyond cryptocurrency mining. In some instances, the malware downloads and executes proxyjacking software from a remote server, allowing attackers to hijack network bandwidth to facilitate additional anonymous network activities. To maintain stealth, „perfctl” deploys a rootkit, effectively masking both the mining and proxyjacking processes. This rootkit alters process lists and hides indicators of compromise from monitoring tools, thus evading traditional detection methods.

To counter the risks associated with perfctl, security researchers emphasize the importance of proactive system management, including regular updates to close known vulnerabilities like CVE-2021-4034. Disabling unused services, enforcing Role-Based Access Control (RBAC), implementing network segmentation, and restricting file execution are recommended best practices to safeguard systems. Notably, administrators should monitor servers for unusual CPU spikes or slowdowns, as these are often telltale signs of resource-intensive mining operations, especially if performance anomalies occur during non-peak usage times.

Perfctl’s advanced evasion techniques and persistence mechanisms serve as a critical reminder for organizations to maintain rigorous security practices and invest in proactive detection strategies. As malware continues to grow in sophistication, comprehensive security measures will remain essential in protecting Linux server environments from evolving threats.

LockBit Ransomware and Evil Corp Affiliates Arrested in Major International Crackdown

Businesses and governments can breathe a sigh of relief as a coordinated international law enforcement effort has led to significant disruptions in global ransomware activity, including the LockBit (Bitwise Spider) operation, culminating in four arrests and the dismantling of nine command-and-control servers linked to the notorious group. These actions mark a significant strike against one of the most prolific ransomware groups in recent years.

Europol confirmed the arrests, which include a suspected LockBit developer detained in France while on holiday, two individuals in the U.K. believed to support a LockBit affiliate, and an administrator of a bulletproof hosting service in Spain used to facilitate ransomware operations. These apprehensions represent a multinational sweep coordinated through “Operation Cronos,” an alliance that includes the United States, U.K., and EU member states, aiming to curtail ransomware operators’ reach and influence globally.

In tandem with these arrests, authorities revealed the identity of Aleksandr Ryzhenkov, a Russian national linked to Evil Corp, a long-standing cybercrime group associated with multiple high-profile financial and data-theft operations since 2014. Ryzhenkov, also known by the aliases Beverley, Corbyn_Dallas, and Kotosel, is now publicly identified as a key player within Evil Corp and a LockBit affiliate. Sanctions were simultaneously imposed on seven individuals and two entities affiliated with these criminal networks, further tightening restrictions on their operations.

“The United States, in close coordination with our allies and partners, will continue to expose and disrupt the criminal networks that seek profit from the pain and suffering of their victims,” stated Bradley T. Smith, Acting Under Secretary of the U.S. Treasury for Terrorism and Financial Intelligence. Smith underscored the unwavering commitment of the U.S. to dismantle the global ransomware ecosystem that has impacted numerous sectors, from healthcare to financial services.

This crackdown follows a year of intensified efforts against LockBit, beginning with the seizure of its infrastructure in early 2024. Additionally, authorities sanctioned Dmitry Yuryevich Khoroshev, believed to be the administrator behind the “LockBitSupp” persona. These actions signify ongoing pressures on criminal organizations that leverage ransomware as a business model.

Evil Corp, also known by aliases Gold Drake and Indrik Spider, has been central to the development and spread of Dridex (Bugat) malware, which targets financial institutions to facilitate unauthorized fund transfers. Previously sanctioned in 2019, Evil Corp circumvented restrictions by collaborating with LockBit and deploying other ransomware strains. Ryzhenkov, described by the U.K. National Crime Agency (NCA) as Yakubets’ right-hand man, allegedly used the alias Beverley to develop over 60 LockBit ransomware variants, demanding ransom sums totaling $100 million from victims.

Operation Cronos also implicated other key figures, including Ryzhenkov’s brother, Sergey Ryzhenkov, alias Epoch, linked to the deployment of BitPaymer ransomware across multiple sectors since mid-2017. The brothers’ activities were tracked and verified by CrowdStrike and other cybersecurity firms.

Notably, sanctions extended to family members of Evil Corp leadership, including Maksim Yakubets’ father, Viktor Yakubets, and his father-in-law, Eduard Benderskiy, a former high-ranking FSB official. The NCA revealed that Benderskiy’s close ties with the Russian government played a critical role in safeguarding Evil Corp’s activities, further illustrating the complex intersection of Russian cybercrime and state interests.

The sustained crackdown on LockBit and Evil Corp reflects a unified global commitment to dismantling cybercriminal infrastructures. However, officials warn that persistent vigilance remains crucial as cybercriminal groups continue to adapt their tactics in response to international countermeasures.

CUPS flaw can be used to amplify DDoS attacks

A newly disclosed vulnerability in the Common Unix Printing System (CUPS), an open-source printing system for Unix-like operating systems, presents a serious risk by enabling Distributed Denial-of-Service (DDoS) amplification attacks. This flaw, tracked as CVE-2024-47176, can be exploited to amplify DDoS traffic by up to 600 times, making it an attractive target for threat actors. This security issue was detailed by security researchers, who found that the vulnerability in the cups-browsed daemon can be leveraged to launch powerful DDoS attacks and even allows attackers to execute remote code on affected devices by sending a single, specially crafted UDP packet.

The attack works by exploiting a flaw where a CUPS server interprets incoming packets as requests to add printers. An attacker can send one malicious packet to a vulnerable CUPS server exposed to the internet, which then initiates a stream of larger Internet Printing Protocol (IPP), or HTTP requests directed at a target device. This misinterpreted request sequence consumes bandwidth and processing power on both the CUPS server and the target, resulting in amplified traffic that can overwhelm the target device. With an estimated 58,000 exposed and exploitable servers out of a sample of 198,000, this vulnerability has widespread potential for abuse, particularly in assembling botnets and conducting amplification-based DDoS attacks.

The report highlights an alarming discovery: some CUPS servers, running outdated versions as old as 2007, repeatedly initiated connections in response to an attacker’s initial probe. This behavior causes some servers to enter into a loop, generating an unending sequence of requests that consumes considerable network resources. This looping condition could potentially persist until the CUPS service is manually halted or restarted, posing a persistent risk of network congestion and system overload.

The implications of this vulnerability extend beyond CUPS servers. With minimal resources and almost no preparation, a threat actor could take control of multiple vulnerable CUPS servers simultaneously, initiating large-scale DDoS attacks across various industries. By exploiting this flaw, attackers can establish networks of compromised devices to deliver high-volume traffic, overwhelming targets with minimal input.

Admins are strongly advised to implement patches for CVE-2024-47176, which address the underlying issue in the CUPS daemon. If patching is not immediately feasible, temporarily disabling the cups-browsed service can mitigate exposure. Such proactive steps are essential to prevent unauthorized exploitation of CUPS servers in DDoS amplification attacks and protect organizational resources from potential disruptions.

“DDoS attacks continue to be a persistent threat, impacting entities from large enterprises and government bodies to online shops, gaming communities, and individual creators,” researchers warned.  “Although initial focus was on remote code execution, DDoS amplification in this case is also easily exploitable and could severely disrupt services.”

The threat is further underscored by recent data from Cloudflare, which recently reported mitigating a record-breaking DDoS attack that peaked at 3.8 terabits per second. As DDoS techniques grow increasingly sophisticated, addressing vulnerabilities like the one in CUPS is critical for maintaining the resilience and stability of the digital infrastructure.

This wraps up today’s issue. Wherever you are out there in the digital world just stay safe, install the latest patches and keep a watchful eye out for anything that might want to deceive you. Thank you so much for being a wanderer on The Cybersecurity Express and we look forward to welcoming you on board the next time.