
Linux Servers The Newest Target of Malware


Linux servers have become the target of a stealthy and persistent malware campaign involving a strain of malware known as "perfctl." The primary aim of this malware is to deploy a cryptocurrency miner and proxyjacking software, posing significant risks to server performance and security. The malware is particularly elusive, employing advanced techniques to avoid detection and remain active for extended periods.

Understanding the Threat

Perfctl is a sophisticated piece of malware that compromises Linux servers primarily to run a cryptocurrency miner. It blends in with legitimate system processes and hides its activity in several ways. Its most distinctive tactic is to stop all "noisy" work, including the mining, the moment a user logs into the server, lying dormant until the session ends and the machine is idle again. An administrator who logs in to investigate a slowdown therefore finds a quiet system, which is exactly what lets the malware stay resident for long periods.

Once the attackers have code execution on a host, the malware attempts to escalate to root by exploiting a known privilege-escalation flaw in Polkit's pkexec (CVE-2021-4034, also known as PwnKit). PwnKit is a local vulnerability, so it needs an initial foothold; the campaign obtains that by exploiting vulnerable internet-facing services such as Apache RocketMQ instances. With root in hand, the malware drops a miner component named "perfcc," which runs quietly in the background, mining cryptocurrency with the server's resources.

Perfctl takes its name from the Linux performance monitoring tool "perf" and the "ctl" suffix used by control command-line utilities (e.g., systemctl, timedatectl), so that it looks like a legitimate system tool in a process listing. Its payloads are copied to several locations in the file system, often after being renamed, to make them harder to find and remove.

In addition to cryptocurrency mining, the malware can drop a rootkit to hide its files and processes, and it retrieves proxyjacking software from a remote server. Proxyjacking sells the compromised server's bandwidth to third parties through a proxy network, so the host also ends up serving as an anonymising relay for the attackers and their customers.
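The behaviours described above (a name that mimics perf/ctl tools, a binary copied into an unusual or hidden directory, a binary deleted after launch) can be turned into a simple process hunt. The script below is an added example written for this article, not code from the campaign or from any vendor report; the directory lists, the name pattern and the sample processes are assumptions chosen for the demonstration, not indicators taken from the page.

```python
"""Hunt for perfctl-style process masquerading on a Linux host.

Added example: classify() encodes three observable tells described in the
article; scan_live() walks /proc and applies it. Run as root so every
/proc/<pid>/exe link can be read.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Writable scratch directories where a long-running daemon's binary
# has no business living (assumed list).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Where legitimately installed perf/*ctl tools are found (assumed list).
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/")
# Process names that imitate perf or a *ctl utility (assumed pattern).
MIMIC_NAME = re.compile(r"^perf[a-z]*$|ctl$")


@dataclass
class Proc:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # target of /proc/<pid>/exe, " (deleted)" suffix kept
    cwd: str    # target of /proc/<pid>/cwd


def classify(p: Proc) -> list[str]:
    """Return the reasons a process looks suspicious (empty list = clean)."""
    reasons: list[str] = []
    exe_path = p.exe.replace(" (deleted)", "")
    if p.exe.endswith("(deleted)"):
        reasons.append("binary deleted after exec")
    if exe_path.startswith(SUSPICIOUS_DIRS):
        reasons.append("binary runs from world-writable dir")
    # Any path component starting with "." (e.g. ~/.cache) is a hidden dir.
    if any(part.startswith(".") for part in exe_path.split("/")[1:]):
        reasons.append("binary in hidden (dot) directory")
    if MIMIC_NAME.search(p.comm) and not exe_path.startswith(TRUSTED_BIN_DIRS):
        reasons.append("perf/ctl-style name outside trusted bin dirs")
    return reasons


def scan_live() -> dict[int, list[str]]:
    """Apply classify() to every process visible in /proc."""
    findings: dict[int, list[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            cwd = os.readlink(f"/proc/{pid}/cwd")
        except OSError:          # process exited, kernel thread, or no permission
            continue
        reasons = classify(Proc(pid, comm, exe, cwd))
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in sorted(scan_live().items()):
        print(f"{pid}: " + "; ".join(why))
```

A hit on a single rule is a lead, not a verdict: developers run binaries from ~/.local/bin, and a package upgrade leaves the old binary "(deleted)" until the service restarts. A process that trips two or three rules at once, and whose name you cannot tie to an installed package, is what deserves a closer look, and because the rootkit can hide processes, compare the result with a listing taken from a trusted boot medium when you suspect an infection.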

Who is at Risk?

Organizations that run Linux servers, especially ones exposed to the internet, are at significant risk. Servers running outdated or unpatched software, or protected by weak access controls, are prime targets for attackers deploying perfctl. The following groups are particularly exposed:

  1. Web Hosting Providers: Hosting providers often run large numbers of Linux servers that are publicly accessible, making them attractive targets for attackers.

  2. Businesses with Internet-Facing Servers: Any organization that has Linux servers exposed to the internet, especially if they are running unpatched services or software, is at risk.

  3. Cloud Infrastructure Users: Businesses that rely on cloud services, especially those running vulnerable instances of Apache RocketMQ or similar services, are potential targets for these attacks.

  4. Administrators of Large Linux Environments: Organizations with complex Linux infrastructures may find it difficult to monitor every process, increasing the risk of malware going unnoticed.

How to Protect Yourself

Given the sophisticated nature of perfctl and its ability to evade detection, it is crucial to implement strong security practices to protect your Linux servers from this malware. Here are key steps to safeguard your systems:

1. Apply Security Patches and Updates

Ensure that all software, including the operating system and any installed applications, is up to date. This includes patching the Polkit pkexec flaw (CVE-2021-4034, PwnKit) that perfctl uses to gain root, as well as the internet-facing services, such as Apache RocketMQ, that provide its initial foothold. Regularly updating your systems reduces the attack surface and denies attackers the known weaknesses this campaign relies on.

2. Monitor Unusual Server Behavior

Watch for unusual spikes in CPU usage or significant slowdowns in server performance, particularly while no one is logged in. Because perfctl pauses its mining the moment a user logs in, a server that is busy when unattended and suddenly quiet whenever an administrator connects is a strong indicator. Collect CPU metrics continuously from a monitoring agent rather than relying on what you see during an interactive session, and alert on such anomalies.
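The following script is an added example (not from the article or any vendor tooling) of the correlation just described: it pairs CPU busy time with the number of interactive sessions and flags sustained load that exists only while nobody is logged in, as well as the tell-tale drop that coincides with a login. The thresholds, the sampling interval and the sample series are assumptions made for the demonstration.

```python
"""Correlate CPU load with interactive logins to spot login-aware miners.

Added example. cpu_busy_from_stat() derives busy time from two 'cpu'
lines of /proc/stat; collect_sample() gathers a live sample on Linux;
the two analysis functions work on any list of Sample objects.
"""
from __future__ import annotations

import subprocess
import time
from dataclasses import dataclass


@dataclass
class Sample:
    t: int            # timestamp (seconds)
    cpu_busy: float   # fraction of non-idle CPU time, 0.0 .. 1.0
    sessions: int     # interactive sessions, as counted by `who`


def cpu_busy_from_stat(line_a: str, line_b: str) -> float:
    """Busy fraction between two snapshots of the aggregate 'cpu' line.

    /proc/stat fields: user nice system idle iowait irq softirq steal ...
    idle (index 3) and iowait (index 4) both count as not busy.
    """
    a = [int(x) for x in line_a.split()[1:]]
    b = [int(x) for x in line_b.split()[1:]]
    idle = (b[3] + b[4]) - (a[3] + a[4])
    total = sum(b) - sum(a)
    return 1.0 - idle / total if total else 0.0


def collect_sample(interval: int = 5) -> Sample:
    """Take one live sample (Linux only; assumes `who` is on PATH)."""
    with open("/proc/stat") as f:
        first = f.readline()
    time.sleep(interval)
    with open("/proc/stat") as f:
        second = f.readline()
    who = subprocess.run(["who"], capture_output=True, text=True).stdout
    sessions = sum(1 for line in who.splitlines() if line.strip())
    return Sample(int(time.time()), cpu_busy_from_stat(first, second), sessions)


def suspicious_windows(samples: list[Sample], busy_threshold: float = 0.8,
                       min_samples: int = 3) -> list[tuple[int, int]]:
    """(start, end) windows of sustained high CPU while no one is logged in."""
    windows: list[tuple[int, int]] = []
    start, run, prev_t = None, 0, 0
    for s in samples:
        if s.sessions == 0 and s.cpu_busy >= busy_threshold:
            if start is None:
                start = s.t
            run += 1
        else:
            if start is not None and run >= min_samples:
                windows.append((start, prev_t))
            start, run = None, 0
        prev_t = s.t
    if start is not None and run >= min_samples:
        windows.append((start, prev_t))
    return windows


def login_quiet_events(samples: list[Sample], busy_threshold: float = 0.8,
                       quiet_threshold: float = 0.2) -> list[int]:
    """Timestamps where the CPU went quiet in the very sample a login appeared."""
    events: list[int] = []
    for prev, cur in zip(samples, samples[1:]):
        if (prev.sessions == 0 and prev.cpu_busy >= busy_threshold
                and cur.sessions > 0 and cur.cpu_busy <= quiet_threshold):
            events.append(cur.t)
    return events


# Constructed series, one sample per minute: five busy, unattended minutes,
# then a login at t=300 during which the load vanishes, then a short burst.
SAMPLE_SERIES = [
    Sample(0, 0.95, 0), Sample(60, 0.96, 0), Sample(120, 0.94, 0),
    Sample(180, 0.97, 0), Sample(240, 0.95, 0),
    Sample(300, 0.05, 1), Sample(360, 0.10, 1),
    Sample(420, 0.30, 0), Sample(480, 0.90, 0), Sample(540, 0.90, 0),
]

if __name__ == "__main__":
    print("unattended busy windows:", suspicious_windows(SAMPLE_SERIES))
    print("quiet-on-login events:", login_quiet_events(SAMPLE_SERIES))
```

Scheduled jobs (backups, log rotation, CI runners) also produce unattended load, so feed the flagged windows into your existing scheduler and alert history before escalating; the quiet-on-login event is the more specific signal, since legitimate batch work does not stop because someone opened an SSH session.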

3. Restrict File Execution and Disable Unused Services

Prevent binaries from running out of the world-writable scratch locations that malware droppers favour: mount /tmp, /var/tmp and /dev/shm with the noexec, nosuid and nodev options, and restrict write access to system directories to trusted accounts. Disabling unused services removes potential entry points. Note that these mount options stop an unprivileged dropper, not an attacker who already holds root, so they complement patching rather than replace it.
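As an added example of checking that control (not a script from the article or from any distribution), the snippet below parses /proc/mounts-format text and reports which of the watched mount points lack the hardening options; the mount table in SAMPLE_MOUNTS is constructed for the demonstration, and the fstab lines in the comment are illustrative values to adapt to your own layout.

```python
"""Report scratch filesystems that are not mounted noexec/nosuid/nodev.

Added example. parse_mounts() accepts the text of /proc/mounts (or any
file in that format); missing_hardening() compares each watched mount
point against the required option set.
"""
from __future__ import annotations

# Mount points a dropper is likely to write into (assumed list).
WATCHED = ("/tmp", "/var/tmp", "/dev/shm")
REQUIRED = {"noexec", "nosuid", "nodev"}


def parse_mounts(text: str) -> dict[str, set[str]]:
    """Map mount point -> set of mount options. Format: dev mp fstype opts dump pass."""
    mounts: dict[str, set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts[parts[1]] = set(parts[3].split(","))
    return mounts


def missing_hardening(text: str) -> dict[str, list[str]]:
    """Return {mount point: sorted missing options} for watched paths.

    A watched path that is not its own mount inherits the root filesystem's
    (executable) options, so it is reported as 'not a separate mount'.
    """
    mounts = parse_mounts(text)
    report: dict[str, list[str]] = {}
    for mp in WATCHED:
        if mp not in mounts:
            report[mp] = ["not a separate mount"]
            continue
        missing = sorted(REQUIRED - mounts[mp])
        if missing:
            report[mp] = missing
    return report


# Constructed sample: /tmp lacks noexec, /var/tmp is not a separate mount.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""

# Illustrative /etc/fstab lines that would close the gaps above
# (tmpfs for /tmp and /dev/shm; /var/tmp needs persistent storage, so
# use a dedicated partition or a bind mount of itself with the same options):
#   tmpfs     /tmp      tmpfs  defaults,nosuid,nodev,noexec  0 0
#   tmpfs     /dev/shm  tmpfs  defaults,nosuid,nodev,noexec  0 0
#   /var/tmp  /var/tmp  none   bind,nosuid,nodev,noexec      0 0

if __name__ == "__main__":
    with open("/proc/mounts") as f:
        live = f.read()
    for mp, problems in missing_hardening(live).items():
        print(f"{mp}: {', '.join(problems)}")
```

Test the change on a staging host first: some package installers and build tools unpack and execute helpers from /tmp and will fail under noexec, which is a known trade-off rather than a reason to skip the control.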

4. Implement Network Segmentation

Segment your network to restrict access to critical infrastructure. By separating high-value systems from lower-priority ones, you reduce the potential damage an attacker can cause if they manage to breach a system.

5. Use Role-Based Access Control (RBAC)

Implement Role-Based Access Control to limit which accounts can reach sensitive files and processes, and run internet-facing services such as message brokers under dedicated low-privilege accounts. This does not stop a kernel- or setuid-level exploit like PwnKit on an unpatched host, but it narrows what a compromised service can touch and removes the easy routes to root that do not need an exploit at all.

6. Scan for Malware Regularly

Regularly scan your servers for signs of malware using reputable security tools. Consider using tools specifically designed to detect rootkits and other evasive malware strains. Automated scans can help identify infections before they cause significant damage.

Conclusion

The perfctl malware campaign demonstrates the increasing sophistication of attacks targeting Linux servers. By exploiting known vulnerabilities and using advanced evasion techniques, perfctl poses a serious threat to organizations that run Linux-based infrastructure. To mitigate these risks, it's crucial to apply security patches, monitor server activity, restrict access, and implement strong security controls across your systems. By taking these precautions, organizations can better defend themselves against this and other emerging malware threats.