The cold war started in 1947, leading to the race of nuclear weapons that might have ended in 1991, but the relations between the two world powers have never been friendly. The two nations never hesitate to trouble each other. But this time, the FBI has shown serious concerns regarding a Russian“wood cutter.” What is this woodcutter, and why is it a matter of concern for the USA?
The National Security Agency(NSA) and the Federal Bureau Of Investigation(FBI), the two top central agencies under the United States Of America, in their latest 39 pages long ‘SECURITY ADVISORY’ for the general public, has shown concern over a Russian malware named DROVORUB which translates to woodcutter in English.
Drovorub is a Linux malware developed by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The organization works under the Russian government is engaged in different cyber-espionage programs around the world.
The malware is a combination of four tools: an implant coupled with a kernel module rootkit, a file transfer, and a port forwarding tool, and a command and control server popularly known as C2. The module rootkit applies various methods to hide, and even a full reboot of the infected machine cannot get rid of the malware unless the UEFI secure boot is enabled.
When deployed successfully, this malware is said to have the capability of direct communication with the actor-controlled C2 infrastructure, file upload and download, port forwarding of network traffic to other hosts on the network, and running of arbitrary commands as root.
Any FBI, NSA, US Army, or other organizations (public or private) and even individuals in America using Linux operating system are vulnerable to this Russian malware.
The aim is apparent. The Russian government wants to hack in the systems to get access of the confidential files, which might provide them an edge over the USA and naturally, the United States agencies need to stop it and hence have released a detailed advisory consisting the authentication processes to all the root commands, detecting as well as mitigation methods, configuration recommendation to help administrators and security experts to reduce the risk of compromise.
To prevent a system from being susceptible to hiding the virus, system administrators must update to Linux Kernel 3.7 or later. Secure booting in full or thorough mode is also likely to prevent malicious drovorub kernels from loading. Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system.
Apart from these practices focused on securing the Linux kernel, there are many practices one must follow to secure Linux includes-
- Backing up your system
- Limiting the root account usage
- Incorporate a least privilege policy
- Remove unused services and software
For detailed hardening guide visit here.