This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit
2020-08-13 23:48

The NSA and FBI are sounding the alarm over a dangerous new strain of Linux malware being employed by Russian government hackers often dubbed the Fancy Bear crew.

Uncle Sam explicitly said on Thursday the miscreants - formally known as the 85th Main Special Service Center - operate within the Russian intelligence directorate, aka the GRU. The software nasty in question is Drovorub, a rootkit designed to infect Linux systems, take control of them, and siphon off files.

"When deployed on a victim machine, the Drovorub implant provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as root; and port forwarding of network traffic to other hosts on the network," the NSA and FBI said in their detailed teardown [PDF] of the malware.

The Drovorub-kernel module poses a challenge to large-scale detection... While the FBI and NSA didn't discuss this aspect of the operation, the Fancy Bear crew tends to work on extremely high-value areas that the Kremlin has an interest in - things like foreign governments, technology blueprints, commercial deals, and compromising information aka kompromat.

These steps alone won't protect you against the spear-phishing techniques and zero-day vulnerabilities Fancy Bear uses to get Drovorub onto networks in the first place.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/08/13/drovorub_nsa_fbi/

Related vendor

VENDOR   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS (LAST 12M)
Linux    11           64    2312     1489   67         3932
NSA      2            0     2        7      5          14