New Linux Malware Exploits Udev Rules
- SISA Weekly Threat Watch - September 2, 2024
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the discovery of the stealthy Linux malware ‘sedexp’ exploiting udev rules, the PEAKLIGHT dropper spreading malware through pirated movie downloads, a critical remote code execution vulnerability (CVE-2024-6386) in the WPML WordPress plugin, threat actors exploiting a Confluence vulnerability (CVE-2023-22527) for illegal cryptocurrency mining, and the Qilin ransomware strain targeting VPNs and Chrome credentials. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Sedexp: The Stealthy Linux Malware Exploiting udev Rules
The Linux malware ‘sedexp’ has been active since 2022, leveraging a persistence technique involving udev rules that is not yet documented in the MITRE ATT&CK framework. Discovered by a cybersecurity researcher, this malware exploits udev, which manages device nodes in the /dev directory, to gain persistence on compromised systems. It adds a malicious rule targeting /dev/random, a system component used as a random number generator, ensuring frequent execution of its script ‘asedexpb’ during system boot. This stealthy approach allows ‘sedexp’ to blend in with legitimate processes, evade security solutions, and maintain control over infected devices.
‘Sedexp’ employs various advanced techniques to evade detection, including process name masquerading (naming its process ‘kdevtmpfs’ to mimic a legitimate kernel thread) and reverse shell setups that grant remote access to attackers. The malware also manipulates memory to hide files containing the string “sedexp” from standard commands like ls or find, complicating detection. Analysis suggests ‘sedexp’ has been used for financially motivated attacks, such as deploying credit card scraping code on compromised web servers. Despite its presence in multiple online sandboxes, it remains largely undetected by antivirus engines. Recommendations to reduce the impact of this malware include enhancing udev rule monitoring to detect unauthorized changes, regularly updating security definitions to catch hidden threats, and implementing host-based intrusion detection systems (HIDS) to monitor for suspicious activity.
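The udev rule monitoring recommended above can be started with a simple read-only audit of the rule directories. The script below is an added example written for this advisory, not code from the original page or from the researcher who analysed sedexp. It walks the standard udev rule directories (assumed default locations), and flags any RUN+= rule that is keyed to an always-present device node such as /dev/random (the persistence hook the advisory describes), that executes a program outside the usual packaged-helper directories, or that wraps its command in a shell. The sample rules file embedded in the block is constructed for the demonstration; the script name asedexpb comes from the advisory, but the path it sits under is an assumption, not an indicator.

```python
import json
import re
import sys
from pathlib import Path

# Directories udev loads rules from (standard locations; a distribution may add others)
UDEV_RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d",
                  "/usr/lib/udev/rules.d", "/lib/udev/rules.d")
# Prefixes under which packaged RUN+= helpers normally live; anything else deserves a look
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/",
                    "/usr/sbin/", "/sbin/")
# Device nodes present on every boot: a RUN hook keyed to one of them is a de facto autostart
ALWAYS_PRESENT_NODES = {"random", "urandom", "null", "zero"}

RUN_RE = re.compile(r'RUN(?:\{[^}]*\})?\+?=\s*"([^"]*)"')
KERNEL_RE = re.compile(r'KERNEL==\s*"([^"]*)"')
PATH_RE = re.compile(r'/[A-Za-z0-9_./-]+')
SHELL_RE = re.compile(r'\b(?:sh|bash|dash)\s+-c\b')

# Constructed sample modelled on the technique described above; not a real sedexp rule file.
# The path to asedexpb is an assumption made for the example.
SAMPLE_RULES = """\
# constructed example rules file (not taken from a real infection)
ACTION=="add", KERNEL=="random", RUN+="/bin/sh -c '/usr/local/share/.x/asedexpb'"
KERNEL=="sd*", SUBSYSTEM=="block", RUN+="/usr/lib/udev/hdparm"
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1234", RUN+="/tmp/updater.sh"
"""


def audit_rule_line(line, source="<inline>", line_no=0):
    """Return a finding dict if one udev rule line looks like a persistence hook, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    run = RUN_RE.search(stripped)
    if not run:
        return None                       # rules without RUN never execute anything
    command = run.group(1)
    reasons = []
    kernel = KERNEL_RE.search(stripped)
    if kernel and kernel.group(1) in ALWAYS_PRESENT_NODES:
        reasons.append("RUN hook keyed to always-present node /dev/%s" % kernel.group(1))
    untrusted = [p for p in PATH_RE.findall(command) if not p.startswith(TRUSTED_PREFIXES)]
    if untrusted:
        reasons.append("executes from untrusted location: " + ", ".join(untrusted))
    if SHELL_RE.search(command):
        reasons.append("wraps its command in a shell")
    if not reasons:
        return None
    return {"source": source, "line_no": line_no, "rule": stripped,
            "command": command, "reasons": reasons}


def audit_rules_text(text, source="<inline>"):
    """Audit every line of one rules file's content; returns a list of findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        finding = audit_rule_line(line, source, n)
        if finding:
            findings.append(finding)
    return findings


def audit_system(dirs=UDEV_RULE_DIRS):
    """Read-only walk of the real rule directories; unreadable files are skipped."""
    findings = []
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for path in sorted(Path(d).glob("*.rules")):
            try:
                findings.extend(audit_rules_text(path.read_text(errors="replace"), str(path)))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    # With no argument audit the live system; with a file argument audit just that file
    if len(sys.argv) > 1:
        results = audit_rules_text(Path(sys.argv[1]).read_text(errors="replace"), sys.argv[1])
    else:
        results = audit_system()
    print(json.dumps(results, indent=2))
```

Running it against the embedded sample flags the /dev/random hook (three reasons) and the /tmp updater, and leaves the packaged hdparm helper alone. In production the output is best diffed against a known-good baseline taken at build time, since any new RUN+= rule on a server that gains no hardware is itself the signal.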
2. PEAKLIGHT: New Dropper Exploit Delivers Malware via Pirated Movie Downloads
Researchers have uncovered a new dropper called PEAKLIGHT that uses PowerShell-based malware to infect Windows systems, primarily distributed through pirated movie downloads. PEAKLIGHT delivers malware strains like Lumma Stealer, Hijack Loader, and CryptBot via a multi-stage attack chain. The attack begins when users download a Windows shortcut (LNK) file disguised as a pirated movie, often hidden within a ZIP archive. This LNK file connects to a CDN hosting an obfuscated JavaScript dropper, which runs the PEAKLIGHT PowerShell script to contact a C2 server and execute additional malware payloads.
The dropper is capable of embedding hex-encoded and Base64-encoded PowerShell payloads, unpacking them to deploy malware. Researchers noted that the attack chains often involve LNK files using wildcards to trigger mshta.exe, which discreetly runs malicious code. This campaign highlights the persistent risk of malware distribution through pirated content.
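Because the dropper hides its later stages as hex- and Base64-encoded PowerShell, triage starts with peeling those layers off statically rather than running anything. The script below is an added example for this advisory, not PEAKLIGHT's code or anything from the original researchers. It scans a script for long runs of Base64-alphabet characters, tries hex decoding and then Base64 decoding, and accepts a result only when it comes out as printable ASCII (trying UTF-16LE first, because that is what PowerShell's -EncodedCommand expects). Recovered layers are decoded recursively and checked for launch-time markers such as hidden windows and mshta. The three-stage sample it builds is benign and constructed; HexToString in that sample is a hypothetical helper name, not a real cmdlet.

```python
import base64
import re

# Any run of Base64-alphabet characters long enough to be an embedded payload; hex is a subset
BLOB_RE = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2}){16,}')
MAX_DEPTH = 8
# Launch-time markers worth surfacing in the outer script and in every recovered layer
MARKERS = ("-EncodedCommand", "-enc ", "-w hidden", "-WindowStyle Hidden",
           "Invoke-Expression", "IEX", "mshta", "DownloadString")


def _looks_like_script(text):
    """Accept a decoding only if it is non-empty printable ASCII; decoded garbage is not."""
    return bool(text) and all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)


def decode_blob(blob):
    """Try hex, then Base64; for each, try UTF-16LE (PowerShell -EncodedCommand) before UTF-8."""
    candidates = []
    if HEX_RE.fullmatch(blob):
        candidates.append(bytes.fromhex(blob))
    try:
        candidates.append(base64.b64decode(blob, validate=True))
    except ValueError:            # binascii.Error is a ValueError: not Base64 or bad padding
        pass
    for raw in candidates:
        for encoding in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if _looks_like_script(text):
                return text
    return None


def unwrap_layers(script, depth=0):
    """Recursively decode every embedded blob; returns dicts with depth, text and markers."""
    layers = []
    if depth >= MAX_DEPTH:
        return layers
    for blob in BLOB_RE.findall(script):
        text = decode_blob(blob)
        if text is None:
            continue
        layers.append({"depth": depth + 1, "text": text,
                       "markers": [m for m in MARKERS if m.lower() in text.lower()]})
        layers.extend(unwrap_layers(text, depth + 1))
    return layers


def triage(script):
    """Markers found in the outer script plus all recovered inner layers."""
    return {"markers": [m for m in MARKERS if m.lower() in script.lower()],
            "layers": unwrap_layers(script)}


def constructed_sample():
    """Benign, constructed three-stage script in the style described above (not PEAKLIGHT's code).
    HexToString is a hypothetical helper name used only so the sample reads like a script."""
    stage3 = "Write-Output 'stage 3: benign final command'"
    stage2 = "$h = '%s'; IEX (HexToString $h)" % stage3.encode().hex()
    encoded = base64.b64encode(stage2.encode("utf-16-le")).decode()
    return "powershell.exe -w hidden -EncodedCommand " + encoded


if __name__ == "__main__":
    import json
    import sys
    source = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else constructed_sample()
    print(json.dumps(triage(source), indent=2))
```

The printable-ASCII gate is what keeps the recursion honest: a Base64 blob that decodes to bytes, or a hex string that is really a hash, is rejected instead of being fed back in as a new "layer". Point it at a captured .js or .ps1 file to get the nested stages and their markers as JSON for a ticket.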
Recommendations to mitigate this threat include avoiding downloads of pirated content or software from untrusted sources, ensuring antivirus and anti-malware solutions are up to date to detect PowerShell-based threats, and educating users on the dangers of downloading files from unreliable websites, especially those offering pirated content.
3. CVE-2024-6386: Flaw in WPML WordPress Plugin Enables Remote Code Execution
A critical vulnerability (CVE-2024-6386) in the WPML WordPress multilingual plugin allows authenticated users with Contributor-level access or higher to execute arbitrary code remotely due to inadequate input validation, particularly in handling shortcodes for content like audio, images, and videos. This flaw, which stems from unsanitized input in the plugin’s use of Twig templates, enables server-side template injection (SSTI), allowing attackers to execute arbitrary commands and potentially take full control of affected websites. All versions prior to WPML 4.6.13 are vulnerable.
Recommendations to mitigate include upgrading to WPML version 4.6.13 or later immediately, restricting Contributor-level access to trusted users only, implementing additional input validation and sanitization measures, and regularly monitoring server and website logs for unusual activity related to shortcode usage to detect potential exploitation attempts.
4. Threat Actors Exploit Confluence Vulnerability for Crypto Mining Operations
Threat actors are exploiting a critical vulnerability (CVE-2023-22527) in Atlassian Confluence Data Center and Confluence Server to conduct illegal cryptocurrency mining using XMRig on exposed systems. This flaw, which was patched in January 2024, allows unauthenticated attackers to execute remote code. Exploitation surged between June and July 2024, with attackers deploying shell scripts and miners that target SSH endpoints, terminating competing cryptojacking operations, and establishing persistence through cron jobs.
At least three threat actors are involved, with one using ELF payloads to deploy XMRig, while another employs shell scripts to remove competing miners, uninstall security tools, and set up cron jobs for continuous mining activity. This ongoing exploitation highlights the need for urgent security measures.
Recommendations to mitigate include updating all Confluence instances to the latest version addressing CVE-2023-22527, regularly reviewing and monitoring systems for unauthorized cron jobs, shell scripts, and other suspicious activity, especially on SSH endpoints, deploying security tooling that detects and blocks cryptocurrency mining activity, and securing SSH access with strong authentication and restricted IP access.
5. New Qilin Ransomware Strain Targets VPNs and Chrome Credentials
Threat actors involved in a recent Qilin ransomware attack have combined credential theft with ransomware infection, stealing credentials stored in Google Chrome browsers from compromised endpoints. According to researchers, this tactic represents a significant and potentially far-reaching threat. The attack began with Qilin exploiting compromised VPN credentials lacking multi-factor authentication (MFA), allowing them to gain access and remain dormant for 18 days, likely mapping the network and conducting reconnaissance.
After this period, Qilin moved laterally to a domain controller and used Group Policy Objects (GPOs) to deploy a PowerShell script (‘IPScanner.ps1’) across the domain, stealing Chrome-stored credentials. The stolen data was exfiltrated to Qilin’s command and control server, and local evidence was erased to cover their tracks. Qilin then deployed ransomware across the domain using another GPO and batch file (‘run.bat’), encrypting data on all compromised machines. The widespread credential theft could lead to additional breaches and complicate response efforts.
Recommendations to mitigate this threat include implementing MFA across all critical systems, especially VPNs, to prevent unauthorized access, enforcing strong credential management by prohibiting password storage in browsers like Chrome and promoting the use of encrypted password managers, applying network segmentation and the principle of least privilege to limit lateral movement and access within the network, and regularly monitoring logs for unusual activity such as GPO changes or unauthorized script execution.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.