
Chinese Cybercriminals Target High-Value Linux Servers With Weak Defenses: BlackBerry (techrepublic.com)

Linux malware is real and Advanced Persistent Threat (APT) groups have been infiltrating critical servers with these tools for at least eight years, according to a new report from BlackBerry. From a report: In "Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android," security researchers found that these groups have attacked companies around the world and across all industries with goals ranging from simple cybercrime to full-blown economic espionage. The RATs report describes how five APT groups are working with the Chinese government and the remote access trojans (RATs) the cybercriminals are using to get and maintain access to Linux servers.

According to the report, the groups appeared to be using WINNTI-style tooling to take aim at Linux servers and remain relatively undetected for almost a decade. These groups are targeting Red Hat Enterprise, CentOS, and Ubuntu Linux environments for espionage and intellectual property theft. The APT groups examined include the original WINNTI GROUP, PASSCV, BRONZE UNION, CASPER (LEAD), and a newly identified group BlackBerry researchers are tracking as WLNXSPLINTER. The BlackBerry researchers think all five groups are working together, given the distinct similarities in their preferred tools, tactics, and procedures.

  • 1. Blackberry has not announced a new CVE, POC, etc. This is old news wrapped up as a new presentation.

    2. Blackberry servers run on Windows.

    • Bias news doesn't make it false.

    • by havock ( 42287 )

      Right in the slashdot summary "a newly identified group BlackBerry researchers are tracking as WLNXSPLINTER". "newly" would imply new rather than old news.

    • You misread the entire thing. It's Linux running on BlackBerry devices. How do you expect to keep a server secured while running on old hardware?
  • by jellomizer ( 103300 ) on Thursday April 09, 2020 @11:15AM (#59925338)

    Over the years, I cannot believe how many insecure Linux systems I came across because the operators were so confident in Linux's security that they would let them run with so many open problems, including on a static IP address with no port blocking or firewall, with all the services installed in the distribution running, and with a passwordless root account.

    Windows, Linux, OSX, iOS, Android will all have the problems, and you should treat every system like it is your largest security risk.
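As an added illustration of the two misconfigurations named in this comment (not code from the thread or from BlackBerry), the following audit parses constructed /etc/shadow and sshd_config contents rather than the live files; the file samples, function names and the defaults assumed for missing sshd keywords are the example's own assumptions.

```python
# Added example: flag a passwordless root account and password-based root SSH login.
# Both inputs are constructed samples, not real system files.
SHADOW_SAMPLE = """root::18700:0:99999:7:::
daemon:*:18700:0:99999:7:::
alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:18700:0:99999:7:::
backup:!:18700:0:99999:7:::
"""

SSHD_CONFIG_SAMPLE = """# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User alice
    PasswordAuthentication no
"""

def passwordless_accounts(shadow_text):
    """Account names whose shadow hash field is empty (login with no password)."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            weak.append(fields[0])
    return weak

def global_sshd_settings(config_text):
    """Effective global sshd settings: the first occurrence of a keyword wins,
    and everything after the first Match line applies only to that block."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(shadow_text, config_text):
    """Human-readable findings; assumes OpenSSH defaults for absent keywords."""
    findings = [f"account '{n}' has an empty password field"
                for n in passwordless_accounts(shadow_text)]
    sshd = global_sshd_settings(config_text)
    if sshd.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can log in over SSH with a password")
    if sshd.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible")
    return findings
```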

    • by nnull ( 1148259 )

      It has become rather complex, and lately there are more incompetent IT staff, or not enough of them.

      Then you have the problem with legacy software where you can't even upgrade the server, because either the software providers don't support anything new or they charge an arm and a leg for newer software. It's a problem that was predicted to happen, and it is.

      • by gweihir ( 88907 )

        Then get competent help. Yes, security consulting costs money, but doing computing on the cheap will be insecure for the foreseeable future.

    • by gweihir ( 88907 )

      Nope. No real Linux advocate ever claimed that Linux is secure. The claim is that Linux _can_ relatively easily be secured and that Linux can be audited. However, Linux also believes that the system administrator knows their stuff and lets them configure basically anything, and that most likely does include insecure configurations. Hence Linux is far, far superior in the hands of a competent admin and not very good in the hands of an incompetent one. You know, like any professional tool.

      But you already knew a

  • Typo (Score:1, Informative)

    by Anonymous Coward

    Chinese CCP employees*

  • by whitroth ( 9367 ) on Thursday April 09, 2020 @11:27AM (#59925384)

    Before all the idiots who think Everything is WinBlows and Mac$$$$.... from the article,

    The RAT report illustrates the risk of these infections by listing all the organizations that use Linux: The stock exchanges in New York, London and Tokyo; nearly all the big tech and e-commerce giants are dependent on it, including Google, Yahoo, and Amazon, most U.S. government agencies and the Department of Defense; virtually all of the top one-million websites; 75% of all web servers; 98% of the world's most advanced supercomputers; and more than 75% of all cloud servers.

    So why bother with some idiot whose system is probably already pwned, when they can get the source data?

    And, speaking as a recently-retired sr. Linux sysadmin, I disagree that most of them are "poorly defended".

    • I agree, they say only 2% of servers are Linux based, and so the security industry is not interested,

      but also the majority of large companies run their crucial systems on it, and the majority of websites and cloud services ... so perhaps they are not ignoring it after all?

      • by gweihir ( 88907 )

        I agree, they say only 2% of servers are Linux based, and so the security industry is not interested,

        Pretty much wrong. We do security configuration and hardening reviews for Linux systems regularly. A lot of security critical stuff is on Linux these days. The problem is that the people owning these systems got cheap, incompetent system administrators or not enough of them.

  • Why China? (Score:3, Insightful)

    by AndyKron ( 937105 ) on Thursday April 09, 2020 @11:31AM (#59925398)
    Why do we keep putting up with all this shit coming out of China? Shit products, Deadly viruses, Hackers, Lies from the government.
    • Comment removed based on user account deletion
    • Comment removed based on user account deletion
    • > Why do we keep putting up with all this shit coming out of China? Shit products, Deadly viruses, Hackers, Lies from the government.

      Because this 'shit' isn't coming out of China, Russia, North Korea, Iran or whoever is America's current bogeyman. Pure technological bullshit is all. Sad that this once forum is happy to peddle it.
  • Of course cyber criminals target high-value servers. Why the fuck would they target low-value ones?

    But, how are they actually getting in. This article seems to be an alphabet soup of "evil hacker groups" but not details about specific vulnerabilities or what to look for.

    Tastes like another Slashvertisement.

    • by tlhIngan ( 30335 )

      But, how are they actually getting in. This article seems to be an alphabet soup of "evil hacker groups" but not details about specific vulnerabilities or what to look for.

      I think it's less a specific warning and more a general one.

      "You moved from Windows to Linux to increase security? Did you actually do anything or just replaced Windows with Linux"?

      After all, when the next Windows attack comes around, everyone says "This won't happen on Linux" or "they should move to Linux" like a mantra.

      The reality is, o

      • I think it's less a specific warning and more a general one.

        Which is worth about as much as a psychic reading.

        ...you don't just pop in the Ubuntu CD on the server and magically you have a secure machine....

        Replacing Windows with (K)ubuntu automatically increases your security by about a thousand percent, immediately. Period. End of story.

        • by gweihir ( 88907 )

          Replacing Windows with (K)ubuntu automatically increases your security by about a thousand percent, immediately. Period. End of story.

          No, it does not. And I say that as a long-time Linux advocate and security expert.

    • This piece seems on the content-free side. Only turned up Windows links for the named vulnerabilities.

    • by gweihir ( 88907 )

      Indeed. Capable attackers will always go for the servers with the best value proposition, and that will be high-value ones. As to how they get in, that is easy: the same old crappy mixture of incompetent admins, too few admins, delayed or missed software updates and insecure configurations, both on the system itself and in additional firewalls. It is entirely possible to secure an internet-facing Linux server, but you have to do it, you have to know what you are doing and you have to maintain the system after

  • Remote access trojan (RAT)? Is this a new hip name for rootkits or botnets?

    • RATs have been around forever... One of the first, most well-known ones was Back Orifice. It was released in 1998. Its default port for communication was 31337, as a reference to how 'leet its creators were.

      Come... sit 6 feet from my rocking and I'll spin ya more yarns from the olden times..

    • You can use a root kit to load a RAT that is controlled by or participates in a botnet. They are different things. Rootkits hide and preserve malware on the system. RATs allow control. And botnets are one possible application of the malware.

    • by gweihir ( 88907 )

      That is Remote Administration Tool or Remote Access Tool. These can be installed for entirely legitimate reasons and are not the part that does the attack.

  • by Opportunist ( 166417 ) on Thursday April 09, 2020 @12:32PM (#59925604)

    Did the last person leaving the office forget to turn them off?

  • Shouldn't it rather be:

    "Blackberry: Chinese Cybercriminals Target High-Value Linux Servers With Weak Defenses"

    . . . or even more sanely . . .

    "Blackberry says: Alleged Chinese criminals target high-value Linux servers with weak defenses"

    ?

    I'm not a native speaker.
    But it feels like they aren't either.
    It also feels like there's an Idiocracy joke in there. :)

  • by notdecnet ( 6156534 ) on Thursday April 09, 2020 @01:13PM (#59925722)
    Sorry to bother you, but would you mind providing explicit technical details as to how this “Linux malware” gets onto the system without the end user explicitly taking action.
    • by gweihir ( 88907 )

      Sorry to bother you, but would you mind providing explicit technical details as to how this “Linux malware” gets onto the system without the end user explicitly taking action.

      Configuration screw-ups, missed updates of known insecure software versions, weak passwords and some other basic goofs.

      By "user action" you are probably thinking of email-based infection vectors. While possible in some cases, these basically do not play a role on Linux as most of them come in via MS Office. That situation can change in the future.

    • Normally through not applying patches.
      Not disabling root ssh login, with no brute force protection. Eventually the bots will guess the password and then your server is owned.
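The password-guessing scenario this comment describes, as an added detection example that is not part of the thread: it runs over constructed auth.log lines (not real captures) and flags sources with repeated failed password attempts, then any password login that later succeeded from such a source. The threshold, window and function names are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines: guessing against root from one source, ending in a
# successful password login, plus unrelated normal activity from another source.
AUTH_LOG = """Apr  9 11:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr  9 11:15:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr  9 11:15:04 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
Apr  9 11:15:06 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51250 ssh2
Apr  9 11:15:08 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51256 ssh2
Apr  9 11:15:09 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Apr  9 11:20:00 web1 sshd[2130]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Apr  9 11:20:30 web1 sshd[2131]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(text, year=2020):
    """Tuples (timestamp, result, method, user, source); syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events

def brute_force_sources(events, threshold=4, window_s=60):
    """Sources with at least `threshold` failed password attempts within `window_s`."""
    fails = defaultdict(list)
    for ts, result, method, _user, src in events:
        if result == "Failed" and method == "password":
            fails[src].append(ts)
    flagged = set()
    for src, stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                flagged.add(src)
                break
    return flagged

def compromised_logins(events, threshold=4, window_s=60):
    """Password logins that succeeded from a source already flagged for guessing."""
    flagged = brute_force_sources(events, threshold, window_s)
    return [(user, src) for _ts, result, method, user, src in events
            if result == "Accepted" and method == "password" and src in flagged]
```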
  • BlackBerry is still in business.
  • Every connected system gets owned if you don't look after it or even disable the protections (disabling the firewall? really?)
    Out of the box Linux is safer than Windows, just because it has less shit running to be targeted.

    A competent admin can make Windows (relatively) secure; an incompetent admin can even make BSD a leaking basket.
    It is not the OS that is the problem, it's the persons/organisation behind it: PEBKAC (problem exists between keyboard and chair)

    For years it's been normal practice to install updates,
