Security News > 2020 > August > This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit

This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit
2020-08-13 23:48

The NSA and FBI are sounding the alarm over a dangerous new strain of Linux malware being employed by Russian government hackers often dubbed the Fancy Bear crew.

Uncle Sam explicitly said on Thursday the miscreants - formally known as the 85th Main Special Service Center - operate within the Russian intelligence directorate, aka the GRU. The software nasty in question is Drovorub, a rootkit designed to infect Linux systems, take control of them, and siphon off files.

"When deployed on a victim machine, the Drovorub implant provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as root; and port forwarding of network traffic to other hosts on the network," the NSA and FBI said in their detailed teardown [PDF] of the malware.

The Drovorub-kernel module poses a challenge to large-scale detection .... While the FBI and NSA didn't discuss this aspect of the operation, the Fancy Bear crew tends to work on extremely high-value areas that the Kremlin has an interest in - things like foreign governments, technology blueprints, commercial deals, and compromising information aka kompromat.

These steps alone won't protect you against the spear-phishing techniques and zero-day vulnerabilities Fancy Bear uses to get Drovorub onto networks in the first place.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/08/13/drovorub_nsa_fbi/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2532 1569 67 4232
NSA 2 0 2 7 5 14