{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/linux-operating-system/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux operating system"],"_cs_severities":["high"],"_cs_tags":["persistence","linux","dynamic-linker","shared-object"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eThis brief addresses a persistence technique where attackers copy the Linux dynamic linker binary (ld-linux-x86-64.so.2) and subsequently create or modify shared object files (.so), often after modifying \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e.  This activity has been observed in Linux malware campaigns, where attackers aim to inject and preload malicious shared objects.  The dynamic linker is a crucial component for loading shared libraries, making it a valuable target for attackers seeking to establish persistence and execute malicious code. Recent malware, such as Orbit, has used this technique, making it critical to detect this behavior. The detection focuses on identifying processes involved in copying the dynamic linker, modifications to \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e, and the creation of suspicious shared object files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, possibly through exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ersync\u003c/code\u003e, or \u003ccode\u003emv\u003c/code\u003e to create a backup copy of the dynamic linker (\u003ccode\u003e/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\u003c/code\u003e, \u003ccode\u003e/lib64/ld-linux-x86-64.so.2\u003c/code\u003e, \u003ccode\u003e/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\u003c/code\u003e, or \u003ccode\u003e/usr/lib64/ld-linux-x86-64.so.2\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the original dynamic linker binary to inject malicious code or alter its functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a shared object (.so) file containing malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e file to include the path to the malicious shared object. This ensures that the malicious shared object is loaded by every program that uses the dynamic linker.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a program that relies on the dynamic linker, triggering the loading of the malicious shared object.\u003c/li\u003e\n\u003cli\u003eThe malicious shared object executes its payload, potentially leading to code execution, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious shared object continues to be loaded on system startup or during regular program execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack allows the attacker to achieve persistence on the compromised Linux system. This can lead to long-term control over the system, allowing the attacker to steal sensitive data, install backdoors, or use the system as a launching point for further attacks within the network. The Intezer report referenced in the brief highlights the use of this technique by the Orbit malware, demonstrating its real-world impact. The targeted sectors can be broad, depending on the attacker's objectives, and can include any organization relying on Linux systems for critical infrastructure or sensitive data storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;Dynamic Linker Copy and Shared Object Creation\u0026quot; Sigma rule to your SIEM to detect suspicious file copy operations and shared object creation activities.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e file modifications using a file integrity monitoring (FIM) system and correlate with process creation events related to \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ersync\u003c/code\u003e, and \u003ccode\u003emv\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to capture the full command executed by processes like \u003ccode\u003ecp\u003c/code\u003e, \u003ccode\u003ersync\u003c/code\u003e, and \u003ccode\u003emv\u003c/code\u003e. This will help identify cases where the dynamic linker is being targeted.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and analyze the involved processes, files, and user accounts to determine if malicious activity is present. Reference the investigation steps in the rule's \u003ccode\u003enote\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of shared objects (.so files) in unusual directories and correlate these events with modifications to \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-dynamic-linker-copy/","summary":"This brief outlines detection strategies for Linux systems where the dynamic linker binary is copied and a shared object file is created, a technique used by malware to inject malicious shared objects by patching the dynamic linker.","title":"Linux Dynamic Linker Copy and Shared Object Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-dynamic-linker-copy/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux Operating System"],"_cs_severities":["medium"],"_cs_tags":["defense_evasion","symlink","linux"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eThis threat brief addresses a potential defense evasion technique observed on Linux systems. An attacker may create symbolic links (symlinks) of commonly used system binaries, such as \u003ccode\u003esh\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e, or \u003ccode\u003evi\u003c/code\u003e, into world-writable directories like \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/var/tmp\u003c/code\u003e. This allows the attacker to execute commands with the permissions of the linked binary or use them to bypass security restrictions. The goal is to execute code by masquerading as a trusted process, potentially evading detection by security tools relying on path-based whitelisting or integrity checks. This technique can be used to achieve persistence or escalate privileges. While the original source is a detection rule repository, this brief focuses on detecting the symlink creation itself.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system via an exploit or compromised credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies world-writable directories such as \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e, or \u003ccode\u003e/dev/shm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies commonly used system binaries such as \u003ccode\u003e/bin/sh\u003c/code\u003e, \u003ccode\u003e/bin/bash\u003c/code\u003e, or \u003ccode\u003e/usr/bin/vi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a symbolic link of a system binary in a world-writable directory using the \u003ccode\u003eln -s\u003c/code\u003e command. For example: \u003ccode\u003eln -s /bin/sh /tmp/sh\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the symlink in the writable directory. For example: \u003ccode\u003e/tmp/sh -c \u0026quot;malicious_command\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command executes with the privileges of the linked binary, potentially bypassing security restrictions or whitelisting rules.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this foothold to further compromise the system, escalate privileges, or establish persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using this technique can lead to privilege escalation, persistence, and potentially complete system compromise. By creating symbolic links to system binaries in world-writable directories, attackers can bypass security measures and execute malicious code with elevated privileges. While the number of affected systems is not specified in the source, the technique is applicable to any Linux system with world-writable directories and standard system binaries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;Detect Suspicious Symlink Creation in Writable Directories\u0026quot; Sigma rule to your SIEM and tune for your environment to detect the initial creation of malicious symlinks.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on system binaries and world-writable directories to detect unauthorized modifications, including the creation of symbolic links.\u003c/li\u003e\n\u003cli\u003eImplement access controls to restrict write access to critical system directories and binaries.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules and FIM regarding symlink creation in world-writable directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-symlink-defense-evasion/","summary":"An adversary may create symbolic links of legitimate system binaries in world-writable directories to potentially bypass security restrictions or execute malicious code with elevated privileges by masquerading as a trusted process.","title":"Potential Defense Evasion via Symbolic Link of Common Linux Binaries to Writable Directories","url":"https://feed.craftedsignal.io/briefs/2024-01-03-symlink-defense-evasion/"}],"language":"en","title":"CraftedSignal Threat Feed - Linux Operating System","version":"https://jsonfeed.org/version/1.1"}