Security News

Released: Decryptor for Cl0p ransomware’s Linux variant
2023-02-07 12:37

Flawed encryption logic used in Cl0p ransomware's Linux variant has allowed SentinelOne researchers to create and release a free decryptor. "The [Cl0p] Windows variant encrypts the generated RC4 key responsible for the file encryption using the asymmetric algorithm RSA and a public key. In the Linux variant, the generated RC4 key is encrypted with a RC4 [hardcoded] 'master-key'," the researchers explained.

Linux Variant of Clop Ransomware Spotted, But Uses Faulty Encryption Algorithm
2023-02-07 11:02

The first-ever Linux variant of the Clop ransomware has been detected in the wild, but with a faulty encryption algorithm that has made it possible to reverse engineer the process. "The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News.

Clop ransomware flaw allowed Linux victims to recover files for months
2023-02-07 11:00

The Clop ransomware gang is now also using a malware variant that explicitly targets Linux servers, but a flaw in its encryption scheme has allowed victims to quietly recover their files for free for months. The Linux malware is still in early development: it lacks proper obfuscation and evasion mechanisms, and the encryption flaw means victims can retrieve their files without paying the crooks anything.
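The three items above describe the same design flaw: the per-file RC4 key is wrapped with RC4 under a second key that is itself hardcoded in the ELF, so anyone holding the binary holds everything needed to decrypt. The following Python is an added toy model of that flaw, written for this page; it is not Cl0p's code, not SentinelOne's decryptor, and the master-key bytes, the 16-byte file-key length and the "wrapped key || ciphertext" layout are all constructed for the example.

```python
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA). Encryption and decryption are the
    same operation: the keystream is XORed onto the data."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_known_answer() -> bool:
    """Sanity check against the widely published RC4 test vectors."""
    return (
        rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
        and rc4(b"Wiki", b"pedia").hex() == "1021bf0420"
        and rc4(b"Secret", b"Attack at dawn").hex() == "45a01f645fc35b383552544b9bf5"
    )


# CONSTRUCTED for this example. Stands in for whatever constant the real
# sample embeds; it is not the actual Cl0p master key.
HARDCODED_MASTER_KEY = b"example-master-key-embedded-in-elf"
FILE_KEY_LEN = 16  # constructed; the articles do not state the real length


def encrypt_flawed(plaintext: bytes) -> bytes:
    """Model of the Linux variant's scheme: a fresh RC4 key encrypts the
    file, then that key is 'protected' with RC4 under a key that also
    ships inside the binary. Layout (constructed): wrapped_key || ciphertext.

    The Windows variant wraps the file key with RSA and a public key, so
    only the operators' private key can unwrap it. A symmetric wrap under
    a hardcoded key gives the victim the same capability as the operator."""
    file_key = os.urandom(FILE_KEY_LEN)
    wrapped_key = rc4(HARDCODED_MASTER_KEY, file_key)
    return wrapped_key + rc4(file_key, plaintext)


def recover_without_ransom(blob: bytes, master_key_from_binary: bytes) -> bytes:
    """What a free decryptor does once the master key has been pulled out
    of the ELF: unwrap the per-file key, then decrypt the content."""
    wrapped_key, ciphertext = blob[:FILE_KEY_LEN], blob[FILE_KEY_LEN:]
    file_key = rc4(master_key_from_binary, wrapped_key)
    return rc4(file_key, ciphertext)


def demo() -> bool:
    """Round trip on a constructed document; returns True if recovery works
    with the embedded key and fails with a wrong one."""
    document = b"constructed sample file content: quarterly invoices, do not delete"
    blob = encrypt_flawed(document)
    recovered = recover_without_ransom(blob, HARDCODED_MASTER_KEY)
    garbage = recover_without_ransom(blob, b"some-other-key")
    return recovered == document and garbage != document


if __name__ == "__main__":
    print("RC4 vectors ok:", rc4_known_answer())
    print("files recoverable from binary alone:", demo())
```

The point the model makes is that key wrapping only protects the file key when the unwrapping key is not present on the victim's machine. Pulling `HARDCODED_MASTER_KEY` out of the sample is a static-analysis exercise, after which every file encrypted by that build decrypts offline.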

Linux version of Royal Ransomware targets VMware ESXi servers
2023-02-05 15:15

Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines. The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center, and is executed using the command line.

Microsoft upgrades Defender to lock down Linux gear for its own good
2023-01-31 20:45

Organizations using Microsoft's Defender for Endpoint will now be able to isolate Linux devices from their networks to stop miscreants from remotely connecting to them. Users can get to the device page of the Linux systems through the Microsoft 365 Defender portal, where they will see an "Isolate Device" tab in the upper right among other response actions.

Microsoft Defender can now isolate compromised Linux endpoints
2023-01-31 08:14

Microsoft announced today that it added device isolation support to Microsoft Defender for Endpoint on onboarded Linux devices. Enterprise admins can manually isolate Linux machines enrolled as part of a public preview using the Microsoft 365 Defender portal or via API requests.

New Boldmove Linux malware used to backdoor Fortinet devices
2023-01-20 16:02

The attackers were focused on maintaining persistence on exploited devices, using the custom malware to patch the FortiOS logging processes so that specific log entries could be removed, or to disable logging altogether. Yesterday, Mandiant published a report about a suspected Chinese espionage campaign that has been leveraging the FortiOS flaw since October 2022 using a new 'BOLDMOVE' malware explicitly designed for attacks on FortiOS devices.

New SHC-compiled Linux malware installs cryptominers, DDoS bots
2023-01-04 22:29

A new Linux malware downloader created using SHC has been spotted in the wild, infecting systems with Monero cryptocurrency miners and DDoS IRC bots. According to ASEC researchers, who discovered the attack, the SHC loader was uploaded to VirusTotal by Korean users, with attacks generally focused on Linux systems in the same country.

New shc-based Linux Malware Targeting Systems with Cryptocurrency Miner
2023-01-04 08:32

A new Linux malware developed using the shell script compiler has been observed deploying a cryptocurrency miner on compromised systems. "It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system," AhnLab Security Emergency Response Center said in a report published today.

Kali Linux: What’s next for the popular pentesting distro?
2023-01-03 05:30

To answer the second question - how to make Kali the best possible platform for training? - we work very closely with the OffSec content development team to find out what tools they are using for training, what sort of default environment works best for learners, and what we can do in Kali to support general education efforts. Surprisingly, even though Kali is built for advanced information security work, it is often the first Linux many users ever use.