Cybersecurity Advisors Network

Linux Malware and Security, with Craig Rowland

17 Apr 2024

Description

In today's conversation, Craig Rowland joins us to talk about the often overlooked significance of Linux as a key part of global communications and computing infrastructure, and to discuss various types of threats targeting Linux systems. Malware, attackers, and techniques are often very distinct from those seen on Windows; Craig shares insights on all of these from his extensive experience both writing and reverse-engineering Linux malware. Craig is CEO of Sandfly Security, a New Zealand-based provider of Linux threat behavior scanning tools.

Full disclosure: John Salomon is a paid consultant to Sandfly Security.

Notes from the video:

03:48 I can't find a source for the 95% figure, but a 2023 ZDNet article says 90%, which seems to be the most common figure: https://www.zdnet.com/article/linux-has-over-3-of-the-desktop-market-its-more-complicated-than-that/
03:55 Percentage of top million websites running Linux is another interesting statistic, which seems to be well above 90%. For example: https://gitnux.org/linux-statistics/
04:08 https://www.linuxinsider.com/story/the-flying-penguin-linux-in-flight-entertainment-systems-65541.html etc. etc.
05:54 France's Gendarmerie Nationale: https://en.wikipedia.org/wiki/GendBuntu
06:40 https://www.zdnet.com/article/linux-not-windows-why-munich-is-shifting-back-from-microsoft-to-open-source-again/
14:10 Apropos, F5 has some interesting ways of using web shells as an attack vector: https://www.f5.com/labs/learning-center/web-shells-understanding-attackers-tools-and-techniques
14:40 "attacks on kubernetes" is a fun web search string. Same for "attacks on S3 buckets". Enjoy.
14:56 https://redis.io/solutions/messaging/
15:42 https://en.wikipedia.org/wiki/Patch_Tuesday
17:40 To be fair, Bob in Accounting is a pretty powerful entry point to the organization for various types of cyberattackers.
19:35 Mirai botnet: https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
19:37 NoaBot: https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining
20:35 Chroot (change root directory): https://wiki.archlinux.org/title/chroot
27:42 PuTTY: https://www.putty.org/
29:45 There are several cryptojackers that try to neutralize competing malware, e.g. ChaosRAT https://www.trendmicro.com/en_th/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html or Jenkins https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner
35:30 For example LockBit: https://www.akamai.com/blog/security/learning-from-the-lockbit-takedown
35:37 My mistake - AvosLocker is also a Linux port of Windows malware: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker - HiddenWasp may be a better example: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/hiddenwasp-malware-targets-linux-systems-borrows-code-from-mirai-winnti
35:42 Diamorphine LKM rootkit: https://github.com/m0nad/Diamorphine
36:44 https://core.vmware.com/esxi - an example is ESXiArgs ransomware: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
38:42 Abuse.ch MalwareBazaar: https://bazaar.abuse.ch/
38:49 Fraunhofer FKIE Malpedia: https://malpedia.caad.fkie.fraunhofer.de
39:35 You could just run a Linux version of the virus aquarium: https://xkcd.com/350/
39:52 A few examples of VM detection: https://www.cynet.com/attack-techniques-hands-on/malware-anti-vm-techniques/
41:15 Joe Sandbox: https://www.joesandbox.com/
42:10 No I won't, because I can't find it. Bit of Baader-Meinhof going on there...
42:59 https://www.youtube.com/@SandflySecurity

Craig on LinkedIn: https://www.linkedin.com/in/craighrowland/
Sandfly Security: https://sandflysecurity.com

Check out the rest of CyAN's media channels on https://cybersecurityadvisors.network/media - and visit us at https://cybersecurityadvisors.network

Intro/outro music courtesy of Studio Kolomna via Pixabay: https://pixabay.com/users/studiokolomna-2073170/

Original video available at https://youtu.be/W-7edx7Le6Y?si=NOoOy1kF3KiVOPUe
