BPFDoor malware uses Solaris vulnerability to get root privileges (Security News, May 2022)
New research into the inner workings of the stealthy BPFDoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems.
Cybersecurity company CrowdStrike has observed a threat actor that focused mainly on Linux and Solaris systems, deploying the custom-built BPFDoor implant on telecommunications providers' systems to steal personal user information.
In a report today, the researchers provide details about how defenders can detect the BPFDoor implant and highlight techniques used across Solaris systems.
They note that once the threat actor, which CrowdStrike tracks as DecisiveArchitect, gains access to a Solaris system, it achieves root-level permissions by exploiting CVE-2019-3010, a vulnerability in the XScreenSaver component of the Solaris operating system.
CrowdStrike researchers note that on Solaris systems the threat actor uses the LD_PRELOAD environment variable to achieve functionality similar to the command-line spoofing seen on Linux hosts.
The lsof command on Linux will report the spoofed command line and can also help analysts list the open files associated with a process ID. The corresponding commands for Solaris systems loop through every process, searching for strings that indicate a running packet filter and for processes that have loaded the libpcap library.
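As an added example that is not part of the original article and not CrowdStrike's published detection commands, the following POSIX shell script applies the same per-process idea to a Linux-style /proc tree: it walks every process directory, flags processes whose memory maps contain libpcap and processes whose environment carries an LD_PRELOAD entry, and prints the (possibly spoofed) command line beside each hit. The function names `check_proc_dir`, `scan_proc_tree` and `make_sample_tree`, the sample process entries and the library path `/tmp/x.so` are all constructed for the demonstration; on Solaris the same checks would be done with pmap(1) and pargs(1) output instead of /proc/PID/maps and /proc/PID/environ, which this script does not implement.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the page's or CrowdStrike's code).
# Read-only: it inspects /proc-style files and never signals any process.

# Inspect one process directory. Prints "<pid> <reason> <cmdline>" per finding.
# Returns 0 if something was flagged, 1 otherwise.
check_proc_dir() {
    dir="$1"
    pid=$(basename "$dir")
    hit=1
    # cmdline is the argv the process presents; BPFDoor is known to spoof it,
    # so it is reported for context only, never trusted as the binary's identity.
    [ -r "$dir/cmdline" ] || return 1
    cmdline=$(tr '\0' ' ' < "$dir/cmdline")
    # maps lists every mapped object, so a loaded libpcap shows up here even
    # when the command line claims to be something harmless.
    if [ -r "$dir/maps" ] && grep -q 'libpcap' "$dir/maps"; then
        printf '%s libpcap-loaded %s\n' "$pid" "$cmdline"
        hit=0
    fi
    # environ is NUL-separated; an LD_PRELOAD entry is the preload trick the
    # article describes for Solaris hosts (it works the same way on Linux).
    if [ -r "$dir/environ" ] && tr '\0' '\n' < "$dir/environ" | grep -q '^LD_PRELOAD='; then
        printf '%s ld_preload %s\n' "$pid" "$cmdline"
        hit=0
    fi
    return $hit
}

# Walk every numeric process directory under the given root (default /proc).
# Returns 0 if any process was flagged, 1 if the tree looked clean.
scan_proc_tree() {
    root="${1:-/proc}"
    found=1
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        if check_proc_dir "$d"; then found=0; fi
    done
    return $found
}

# Build a constructed /proc-like tree so the scan can run offline.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/100" "$root/200" "$root/300"
    # 100: ordinary shell, nothing of interest
    printf '/bin/sh\0' > "$root/100/cmdline"
    printf '7f00-7f10 r-xp 00000000 08:01 1 /lib/libc.so.6\n' > "$root/100/maps"
    printf 'PATH=/usr/bin\0' > "$root/100/environ"
    # 200: presents a benign-looking (constructed) name but has libpcap mapped
    printf '/usr/sbin/logd -f\0' > "$root/200/cmdline"
    printf '7f00-7f10 r-xp 00000000 08:01 1 /lib/libc.so.6\n7f20-7f30 r-xp 00000000 08:01 2 /usr/lib/libpcap.so.1\n' > "$root/200/maps"
    printf 'PATH=/usr/bin\0' > "$root/200/environ"
    # 300: LD_PRELOAD set in its environment (constructed library path)
    printf 'sshd: root@pts/0\0' > "$root/300/cmdline"
    printf '7f00-7f10 r-xp 00000000 08:01 1 /lib/libc.so.6\n' > "$root/300/maps"
    printf 'LD_PRELOAD=/tmp/x.so\0PATH=/usr/bin\0' > "$root/300/environ"
}

# Demonstration against the constructed tree; on a live host call
# scan_proc_tree /proc instead (as root, so every process's files are readable).
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    scan_proc_tree "$tmp"
    rm -rf "$tmp"
}

demo
```

The scan reports pid 200 as libpcap-loaded and pid 300 as ld_preload while leaving pid 100 alone; on a real host the flagged processes are the ones to examine further with lsof and a comparison of /proc/PID/exe against the claimed command line.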
Related vulnerability
Date | CVE | Vulnerability title | Risk (CVSS score) |
---|---|---|---|
2019-10-16 | CVE-2019-3010 | Unspecified vulnerability in Oracle Solaris 11: vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). | 8.8 |