<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Linux Operating System - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/linux-operating-system/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/linux-operating-system/feed.xml" rel="self" type="application/rss+xml"/><item><title>Linux Dynamic Linker Copy and Shared Object Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-dynamic-linker-copy/</link><pubDate>Tue, 09 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-dynamic-linker-copy/</guid><description>This brief outlines detection strategies for Linux systems where the dynamic linker binary is copied and a shared object file is created, a technique used by malware to inject malicious shared objects by patching the dynamic linker.</description><content:encoded><![CDATA[<p>This brief addresses a persistence technique where attackers copy the Linux dynamic linker binary (ld-linux-x86-64.so.2) and subsequently create or modify shared object files (.so), often after modifying <code>/etc/ld.so.preload</code>.  This activity has been observed in Linux malware campaigns, where attackers aim to inject and preload malicious shared objects.  The dynamic linker is a crucial component for loading shared libraries, making it a valuable target for attackers seeking to establish persistence and execute malicious code. Recent malware, such as Orbit, has used this technique, making it critical to detect this behavior. The detection focuses on identifying processes involved in copying the dynamic linker, modifications to <code>/etc/ld.so.preload</code>, and the creation of suspicious shared object files.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Linux system, possibly through exploitation of a vulnerability or compromised credentials.</li>
<li>The attacker uses <code>cp</code>, <code>rsync</code>, or <code>mv</code> to create a backup copy of the dynamic linker (<code>/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2</code>, <code>/lib64/ld-linux-x86-64.so.2</code>, <code>/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2</code>, or <code>/usr/lib64/ld-linux-x86-64.so.2</code>).</li>
<li>The attacker modifies the original dynamic linker binary to inject malicious code or alter its functionality.</li>
<li>The attacker creates or modifies a shared object (.so) file containing malicious code.</li>
<li>The attacker modifies the <code>/etc/ld.so.preload</code> file to include the path to the malicious shared object. This ensures that the malicious shared object is loaded by every program that uses the dynamic linker.</li>
<li>The attacker executes a program that relies on the dynamic linker, triggering the loading of the malicious shared object.</li>
<li>The malicious shared object executes its payload, potentially leading to code execution, privilege escalation, or data exfiltration.</li>
<li>The attacker maintains persistence by ensuring the malicious shared object continues to be loaded on system startup or during regular program execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of this attack allows the attacker to achieve persistence on the compromised Linux system. This can lead to long-term control over the system, allowing the attacker to steal sensitive data, install backdoors, or use the system as a launching point for further attacks within the network. The Intezer report referenced in the brief highlights the use of this technique by the Orbit malware, demonstrating its real-world impact. The targeted sectors can be broad, depending on the attacker's objectives, and can include any organization relying on Linux systems for critical infrastructure or sensitive data storage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;Dynamic Linker Copy and Shared Object Creation&quot; Sigma rule to your SIEM to detect suspicious file copy operations and shared object creation activities.</li>
<li>Monitor <code>/etc/ld.so.preload</code> file modifications using a file integrity monitoring (FIM) system and correlate with process creation events related to <code>cp</code>, <code>rsync</code>, and <code>mv</code>.</li>
<li>Enable process monitoring with command-line argument logging to capture the full command executed by processes like <code>cp</code>, <code>rsync</code>, and <code>mv</code>. This will help identify cases where the dynamic linker is being targeted.</li>
<li>Investigate any alerts triggered by the Sigma rule and analyze the involved processes, files, and user accounts to determine if malicious activity is present. Reference the investigation steps in the rule's <code>note</code> field.</li>
<li>Monitor for the creation of shared objects (.so files) in unusual directories and correlate these events with modifications to <code>/etc/ld.so.preload</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>persistence</category><category>linux</category><category>dynamic-linker</category><category>shared-object</category></item><item><title>Potential Defense Evasion via Symbolic Link of Common Linux Binaries to Writable Directories</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-symlink-defense-evasion/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-symlink-defense-evasion/</guid><description>An adversary may create symbolic links of legitimate system binaries in world-writable directories to potentially bypass security restrictions or execute malicious code with elevated privileges by masquerading as a trusted process.</description><content:encoded><![CDATA[<p>This threat brief addresses a potential defense evasion technique observed on Linux systems. An attacker may create symbolic links (symlinks) of commonly used system binaries, such as <code>sh</code>, <code>bash</code>, or <code>vi</code>, into world-writable directories like <code>/tmp</code> or <code>/var/tmp</code>. This allows the attacker to execute commands with the permissions of the linked binary or use them to bypass security restrictions. The goal is to execute code by masquerading as a trusted process, potentially evading detection by security tools relying on path-based whitelisting or integrity checks. This technique can be used to achieve persistence or escalate privileges. While the original source is a detection rule repository, this brief focuses on detecting the symlink creation itself.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system via an exploit or compromised credentials (not detailed in source).</li>
<li>The attacker identifies world-writable directories such as <code>/tmp</code>, <code>/var/tmp</code>, or <code>/dev/shm</code>.</li>
<li>The attacker identifies commonly used system binaries such as <code>/bin/sh</code>, <code>/bin/bash</code>, or <code>/usr/bin/vi</code>.</li>
<li>The attacker creates a symbolic link of a system binary in a world-writable directory using the <code>ln -s</code> command. For example: <code>ln -s /bin/sh /tmp/sh</code>.</li>
<li>The attacker executes the symlink in the writable directory. For example: <code>/tmp/sh -c &quot;malicious_command&quot;</code>.</li>
<li>The command executes with the privileges of the linked binary, potentially bypassing security restrictions or whitelisting rules.</li>
<li>The attacker uses this foothold to further compromise the system, escalate privileges, or establish persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using this technique can lead to privilege escalation, persistence, and potentially complete system compromise. By creating symbolic links to system binaries in world-writable directories, attackers can bypass security measures and execute malicious code with elevated privileges. While the number of affected systems is not specified in the source, the technique is applicable to any Linux system with world-writable directories and standard system binaries.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;Detect Suspicious Symlink Creation in Writable Directories&quot; Sigma rule to your SIEM and tune for your environment to detect the initial creation of malicious symlinks.</li>
<li>Enable file integrity monitoring (FIM) on system binaries and world-writable directories to detect unauthorized modifications, including the creation of symbolic links.</li>
<li>Implement access controls to restrict write access to critical system directories and binaries.</li>
<li>Investigate any alerts generated by the Sigma rules and FIM regarding symlink creation in world-writable directories.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense_evasion</category><category>symlink</category><category>linux</category></item></channel></rss>