Linux administrators are on high alert after BlackBerry researchers announced five threat groups linked to the Chinese government have been successfully infiltrating and maintaining persistence on servers that comprise the backbone of the majority of large data centres using a newly-discovered Linux malware toolset.
“This ensemble, who have spent the better part of the last decade successfully targeting organizations in stealthy cross-platform attacks, continues to operate relatively undetected while undertaking multiple strategic and economic espionage operations,” according to a report from the researchers released Wednesday.
Because most threat researchers focus on Windows malware — not unexpected given the volume of it — there’s a low detection rate of Linux malware, the report says. But given the amount and age of the toolset, BlackBerry researchers argue this particular group of threat actors “has been wildly successful.”
Researchers have “high confidence” that the five “are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts. This reflects a highly agile government/contractor ecosystem with few of the bureaucratic or legal hurdles that can be observed in Western nations with similar capabilities and provide a level of plausible deniability for the Chinese government.”
BlackBerry has given each of the five groups code names but said they use an approach dubbed the Winnti technique after one of the groups, which was identified by Kaspersky in 2013. In fact, the report suggests four are offshoots of the original Winnti Group. The Winnti Group is responsible for high-profile supply-chain attacks against the software and video game industries. They’ve been active since 2012 and are also known for having compromised institutions in the healthcare and education sectors.
While traditionally their objectives are different, researchers indicate a “significant degree of co-ordination” between them, particularly when Linux platforms are targeted. “Any organization with a large Linux distribution should not assume they are outside of the target sets for any of these groups,” they added.
Targeting Red Hat Enterprise, CentOS, and Ubuntu Linux environments across a wide array of industry verticals, they are engaged in espionage and intellectual property theft. As most IT pros know, Linux is used in the backend systems, Web servers and database servers of many governments, major corporations, cloud providers and universities around the world. Developed to run on x86 servers while being more secure than Windows, Linux has, the report suggests, one possible weakness: its code is open source, giving attackers detailed knowledge of the operating system.
“In the attacks, BlackBerry observed the open Linux platform has enabled Chinese actors to develop backdoors, kernel rootkits, and online-build environments at a high level of complexity and specificity, with the end result being a toolset specifically designed to be harder to detect,” the report says. “Compounding low detection rates inherent in the malware design is the relative lack of coverage quality and features in malware detection solutions for Linux available on the market today.”
The newly-discovered Linux malware toolset includes two kernel-level rootkits that rendered executables extremely difficult to detect, making it “highly probable that the number of impacted organizations is significant.”
The five groups also distribute Windows malware. Originally they signed this malware with certificates stolen from video game companies; now they use certificates stolen from adware vendors. This tactic, which other attackers have also used, helps hide their malware in the high volume of innocuous adware alerts large organizations typically get on any given day, according to the report.
“What the attackers have done in donning the façade of adware is to directly target the psychology and methodology of blue team members to exploit inherent weaknesses in their assumptions. Alert fatigue is real, and adware is boring.”
And if that’s not enough, the 44-page report suggests researchers found evidence the five groups are also targeting Android devices. The groups now often host their malware on legitimate cloud services, “presenting a challenge to defenders’ assumptions regarding the monitoring of trusted network traffic within their organizations’ networks.”
“While much of the security industry continues to charge forward with efforts to address the next trendy buzzword threat, few are looking back in time to assure they have effectively solved for the issues presented by the last,” the report concludes. “Thus, some subtle changes in tactic and a new stolen code-signing certificate appear to be the only things necessary for these adversaries to continue evading security solutions.”
Download the full report here. Registration required.