[clug] New Linux server exploit "SprySOCKS"
sjenkin at canb.auug.org.au
Wed Sep 20 22:44:18 UTC 2023
A reminder that “Linux doesn’t get malware” isn’t true.
Advanced Persistent Threats are targeting Linux servers, here’s a new one.
Read the list of targets in the last piece, not just large Orgs
- if you’re a small or medium outfit, you’ll be targeted at some point.
Note the line:
“to conduct long-term espionage activities against its targets.”
“long-term” is 5+ years, hence “Persistent” in APT.
If you’re not already on top of cyber-security & actively monitoring
and defending your systems & networks, now is a good time to act.
Linux Threat Report:
Earth Lusca Deploys Novel SprySOCKS Backdoor in Attacks on Government Entities
19 Sep 2023
The threat actor Earth Lusca, linked to Chinese state-sponsored hacking groups,
has been observed utilizing a new Linux backdoor dubbed SprySOCKS to target government organizations globally.
As initially reported in January 2022 by Trend Micro,
Earth Lusca has been active since at least 2021 conducting cyber espionage campaigns
against public and private sector targets in Asia, Australia, Europe, and North America.
Their tactics include spear-phishing and watering hole attacks to gain initial access.
After breaching internet-facing systems by exploiting flaws in
Fortinet, GitLab, Microsoft Exchange, Telerik UI, and Zimbra software,
Earth Lusca uses web shells and Cobalt Strike to move laterally.
Chinese hackers have unleashed a never-before-seen Linux backdoor
SprySOCKS borrows from open source Windows malware and adds new tricks.
19 Sep 2023
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server
— a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus,
which we've dubbed SprySOCKS due to its swift behavior and SOCKS implementation.
18 Sep 2023
Earth Lusca is now aggressively targeting the public-facing servers of its victims.
Furthermore, we have seen them frequently exploiting server-based N-day vulnerabilities, including (but not limited to) the following:
[ Table 1 of CVE’s ]
Earth Lusca takes advantage of server vulnerabilities to infiltrate its victim’s networks,
after which it will deploy a web shell and install Cobalt Strike for lateral movement.
The group intends to exfiltrate documents and email account credentials,
as well as to further deploy advanced backdoors like ShadowPad and the Linux version of Winnti
to conduct long-term espionage activities against its targets.
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
Our technical brief provides an in-depth look at Earth Lusca’s activities, the tools it employs in attacks, and the infrastructure it uses.
17 Jan 2022
Since mid-2021, we have been investigating a rather elusive threat actor called Earth Lusca
that targets organizations globally via a campaign
that uses traditional social engineering techniques such as spear phishing and watering holes.
The group’s primary motivation seems to be cyberespionage:
the list of its victims includes high value targets such as
government and educational institutions,
pro-democracy and human rights organizations in Hong Kong,
Covid-19 research organizations,
and the media.
However, the threat actor also seems to be financially motivated,
as it also took aim at gambling and cryptocurrency companies.
Steve Jenkin, IT Systems and Design
0412 786 915 (+61 412 786 915)
PO Box 38, Kippax ACT 2615, AUSTRALIA
mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin