💾 Archived View for dioskouroi.xyz › thread › 29368511 captured on 2021-11-30 at 20:18:30. Gemini links have been rewritten to link to archived content
Dunno how stealthy this is given that masses of base-64 garbage you didn't put into a crontab seems like a pretty big red flag.
I think the idea is that various Linux endpoint protection products don't look there.
That seems like an obvious oversight. This is a well known and widely used malware technique.
https://attack.mitre.org/techniques/T1053/003/
When's the last time you checked yours, before this story?
I don't get it. If they are hidden within valid but never occurring crontab dates then they don't get executed. What am I missing?
> The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding.
The actual malware uses the task name from these "never occurring crontab". The invalid date is just a kind of signature.
anacron can run entries that are past their due date.
...after reading: but also because one entry has a valid "every 30 minutes" specification :) and the rest are only used for storage.
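A defender-side check for the pattern discussed above, added here as an illustration and not code from the thread or from Sansec: it parses crontab lines, flags entries whose day-of-month/month combination can never occur (such as 31 2), and flags long base64-looking runs in the command field. The sample crontab is constructed, with harmless placeholder base64; month names like `feb` are assumed out of scope.

```python
import calendar
import re
# Constructed sample crontab modelled on the "52 23 31 2 3" entries quoted in
# the thread; the base64 runs are harmless placeholders, not real payloads.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
52 23 31 2 3 eval "$(echo aGVsbG8gd29ybGQgaGVsbG8gd29ybGQgaGVsbG8gd29ybGQgaGVsbG8= | base64 -d)"
52 23 31 2 3 aGVsbG8gd29ybGQgaGVsbG8gd29ybGQgaGVsbG8gd29ybGQgaGVsbG8gd29ybGQgaGVsbG8=
*/30 * * * * /tmp/.x/run.sh
"""
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
MAX_DAYS = {m: calendar.monthrange(2020, m)[1] for m in range(1, 13)}  # 2020 is leap: Feb=29

def expand(field, lo, hi):
    # Expand a numeric field ('*', 'a-b', 'a,b', '*/n', 'a-b/n') to a set of ints.
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        values.update(range(start, end + 1, int(step) if step else 1))
    return values

def impossible_date(dom, mon):
    # True when no (day, month) pair allowed by the entry exists on any calendar.
    try:
        days, months = expand(dom, 1, 31), expand(mon, 1, 12)
    except ValueError:
        return False  # month names such as 'feb' are not handled here (assumption)
    return not any(d <= MAX_DAYS[m] for d in days for m in months)

def scan_crontab(text):
    # Return [{'line': n, 'reasons': [...]}] for entries that deserve a closer look.
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0][0] in "#@":
            continue  # blank, comment, @reboot-style or environment line
        # Day-of-week is ignored on purpose: per crontab(5) a restricted dow can fire on its own.
        checks = {"impossible date": impossible_date(fields[2], fields[3]),
                  "base64 run": bool(B64_RUN.search(fields[5]))}
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            findings.append({"line": n, "reasons": reasons})
    return findings
```

Run it over `/etc/crontab`, `/etc/cron.d/*` and each user's spool file; a hit is a reason to read the entry, not proof of compromise.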
Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface
What's the entry point for such a RAT? Does it scan for vulns in the server and plant itself there, or what? Article is lacking explanation of how a Linux e-commerce backend actually gets comp'd.
Running outdated web applications with vulnerabilities I suppose.
One of thousands of unpatched (either at the sysops level, or the distro level) kernel RCE vulns.
I thought that. "criminals capitalize on the unprotected back-end" is a bit vague though. An exposé of the actual vulnerability would make this write-up even better, but I imagine the company doesn't want to discuss that for obvious reasons.
Throw a dart:
https://www.cvedetails.com/vulnerability-list.php?vendor_id=...
In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-seen stealth techniques. This malware, dubbed “CronRAT”, hides in the Linux calendar system on February 31st. It is not recognized by other security vendors and is likely to stay undetected on critical infrastructure for the coming months.
For years I've heard people saying: "Linux is not as used as Windows, that's why nobody is interested in writing viruses for Linux." Turns out that considering the number of "embedded" Linux systems these days, Linux is probably much more popular than any other OS. Consider Android devices, smart TVs, routers... all these are devices that are directly in touch with the end users. The fact that these have been nowhere near as annoying as Windows devices is a testament to how seriously developers and vendors have been taking security, and also a bit of luck and the heritage of some Unix ideas.
Of course, most high profile linux use are on servers. So it is expected that these systems are preferred targets. But considering all that, if you look closely at how some linux users, distributors and vendors behave, it seems like they are in another world. Security is mostly ignored as if linux was somehow magically free from vulnerabilities simply because you're using a package manager and mostly no extra security action is taken.
Maybe linux users and sysadmins became lazy or lax for the long years of a perceived security calmness. They will probably need a few incidents before learning some lessons from the windows crowd.
> They will probably need a few incidents before learning some lessons from the windows crowd.
Hum, thank you but no. The lessons the Windows crowd learned are mostly bullshit, officialized due to people's helplessness and total lack of any reasonable alternative.
Linux people are very serious about things like supply-chain verification, auditable software, and machine activity monitoring. All actions with viable engineering principles and real impact, differently from the "you need to install an antivirus" insanity.
> Linux people are very serious about things like supply-chain verification, auditable software, and machine activity monitoring. All actions with viable engineering principles and real impact, differently from the "you need to install an antivirus" insanity.
Some sysadmins, sure, but definitely not all. Seriously, there are a lot of CentOS/RHEL 6 and below or Debian 8 and below running PHP 5.x that are still live on the internet, with vulnerabilities and all _that have been fixed in that specific version_. Saying that _all_ Linux-based people care about security is ignorant of one-click offerings from various hosting sites, and those who don't care if they're running Linux or Windows in the name of hosting a site.
I think the parent commenter was making an interesting point which is that linux users are bifurcated:
1. The group you described (conscientious sysadmins)
and
2. IOT vendors throwing Linux on devices without thought to updates and security.
You seem to misunderstand the threat model of the average Linux device. Linux only becomes as vulnerable as Windows when you _use_ it like Windows, and for the vast majority of use cases that is certainly not how it's treated. The average Linux device is either an Android phone with a completely different, sandbox and permission-based threat model, or a purpose-built machine that runs a handful of off-the-shelf software that can be assumed as reasonably secure. As such, the majority of exploits on Linux simply stem from misconfiguration. Luckily for attackers, the learning curve of a modern Unix machine is fairly steep, so they can count on a reasonable degree of oblivious behavior, such as not locking down your crontab to specific users/cgroups.
Windows is insecure because its "shopping spree" method of software management is inherently unsafe. At least desktop Linux enforces integrity protection when you're downloading software from your package manager, and gives you sandboxing options (albeit not very good ones) to further mitigate security concerns. Failing that, it gives people the option of using ludicrously secure systems like Tails, Whonix and Qubes, which would really be impossible with how Windows is set up.
Absolutely, who _cannot_ see the manufacturer of a $59.95 router building in a $40/year antivirus service.
At Cronitor we scan your crontab files when you install the service and I’m thinking we should add a check for this kind of thing.
In which year does February have 31 days?
I had to check in case it had actually ever occurred, since I had recently read about 30 February existing for reals:
https://www.timeanddate.com/date/february-30.html
It looks like there has never been a real 31 February.