Keith via plug on 13 May 2022 09:26:18 -0700



Re: [PLUG] BPFdoor malware, Ubuntu kernel, Zyxel patch


On 5/13/22 11:48, jeffv via plug wrote:
BPFdoor: Stealthy Linux malware bypasses firewalls for remote access

https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/

BPFdoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.

The malware does not need to open ports, it can’t be stopped by firewalls, and can respond to commands from any IP address on the web

????

Their wording isn't quite right...

"BPFdoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.  The malware does not need to open ports, it can’t be stopped by firewalls, and can respond to commands from any IP address on the web, making it the ideal tool for corporate espionage and persistent attacks."

Apparently this malware gets around the LOCAL firewall by using a BPF process to sniff for "magic" packets.  That's all well and good, but a "proper" (my word) firewall, at least in the physical analogue, is placed at your network border and [hopefully] is just a service unit (i.e. no user accounts) with at most out-of-band access.  That's the firewall that is going to first decide if something gets in, so if an internally compromised box opens things up, it won't matter.  It's fine to run local firewalls, but everyone should have at least a "proper" firewall at their network border.  I run both to help mitigate direct ingress attacks like this.

So, if "BPFdoor is a passive backdoor, meaning that it can listen on one or more ports for incoming packets from one or more hosts, that attackers can use to send commands remotely to the compromised network." is the attack method, that can be stopped by the firewall at the network border.

Only the services that are used should be allowed in, which would mitigate some risk with this one.  The risks of "magic" packets are not new, especially with ICMP or UDP.  Personally, I recommend turning off ICMP since there are other ways to check to see if a service is up externally.  It's still a serious attack vector if you're on a system that is publicly accessible because traffic is forwarded to it.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
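One host-side check that follows from the sniffing point above, added here as an example and not part of the thread: a passive BPF backdoor needs a packet (sniffing) socket, and Linux lists those in /proc/net/packet. The script parses that table (falling back to a constructed sample when the file is absent) and, on a Linux host, maps each socket's inode back to the owning pid; the sample contents, the field layout comments and the helper names are assumptions.

```python
"""Added example (not from the PLUG thread): list AF_PACKET sniffing
sockets from /proc/net/packet and map each to its owning pid. A passive
BPF backdoor needs such a socket, so unexpected owners merit a look."""
import os

# Sample /proc/net/packet contents (constructed for this example).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c3a40011000 3      3    0003   2     1 0      0      21577
ffff9c3a40012800 3      3    0800   0     1 0      0      48113
"""
SOCK_TYPES = {"2": "SOCK_DGRAM", "3": "SOCK_RAW"}

def parse_packet_sockets(text):
    """Parse /proc/net/packet text into one dict per packet socket."""
    sockets = []
    for line in text.strip().splitlines()[1:]:  # skip header row
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append({
            "type": SOCK_TYPES.get(f[2], f[2]),
            "proto": int(f[3], 16),   # ethertype; 0x0003 = ETH_P_ALL
            "ifindex": int(f[4]),     # 0 = not bound to one interface
            "running": f[5] == "1",
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return sockets

def owners_of_inode(inode, proc="/proc"):
    """Return pids whose fd table holds socket:[inode] (Linux only)."""
    target, pids = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd))
                     for fd in os.listdir(fd_dir)]
        except OSError:  # process exited or no permission (run as root)
            continue
        if target in links:
            pids.append(int(pid))
    return pids

if __name__ == "__main__":
    try:
        text = open("/proc/net/packet").read()
    except OSError:  # not Linux: fall back to the constructed sample
        text = SAMPLE_PROC_NET_PACKET
    for s in parse_packet_sockets(text):
        print(s, "owned by pids", owners_of_inode(s["inode"]))
```

This only covers AF_PACKET sockets; a BPF filter attached to an ordinary socket with SO_ATTACH_FILTER does not appear in this table, so treat it as one indicator rather than a complete check.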