BlackBerry spots decade-long China-allied APT attack on Linux servers

News by Chandu Gopalakrishnan

Attack on Linux servers, Windows systems and Android devices world over went undetected for nearly a decade

Five China-allied attack groups have been targeting Linux servers, Windows systems and Android devices world over, undetected, for nearly a decade, disclosed Blackberry. The Canadian security software and service attributes the groups to civilian contractors sharing common tools and targeting information. 

Each participant had their own agenda, but were coordinated when it came to targeting Linux servers, said the report. Apart from the popularity, Linux servers become an ideal and strategic target of espionage for many reasons, said the report.

“Compromising Linux web servers allows for the exfiltration of massive amounts of data that can be obscured within the high volume of daily web traffic. Linux database servers provide attackers a greater chance of finding valuable data like sensitive intellectual property, trade secrets, or lists of employee usernames and passwords relatively quickly. Compromising Linux jump-boxes, aka bastion or proxy servers, erases a layer of protection typically relied upon by most corporate networks to separate internal networks from external threats,” the report said.

“All three types of servers described above – web, database, and proxy – are designed to be “up” all the time, meaning the same benefits they provide system administrators (continuous, reliable network access) are also afforded to the attackers who compromise them, making them a perfect staging area from which to penetrate other areas of the network,” said Eric Cornelius, chief product architect at BlackBerry, told SC Media UK.

“What’s more, all the source code for the Linux distributions commonly seen in corporate and government environments, including Red Hat Enterprise, Ubuntu, and CentOS, is freely available to examine. This plays to one of an APT’s key strengths: it allows knowledge of the operating system to be more readily exploited and for the tools designed to circumvent security to be more effective.”

Groups associated with the state or state-sponsored efforts of at least three governments have been found to develop and deploy Linux malware: China, Russia, and the United States, said the report. Several factors help researchers attribute the attacks to specific groups.

The usual indicators are data available regarding newly discovered threat (malware, infrastructure, techniques), knowledge and experience about the prior behaviour of these attack groups, targeting, the results of open-source investigation, information about the resources required by the attackers, relative level of complexity, idiosyncrasies of style – and the occasional operation security failure on the part of the attacker.

"The groups tracked by BlackBerry have clearly made targeted shifts in their tools, tactics, and procedures (TTPs) to more effectively fly under the radar,” said Craig Young,  computer security researcher for Tripwire's vulnerability and exposure research team (VERT).

The research has spotted two new Android malware, one of which closely resembles the code in a commercially available penetration testing tool. Interestingly, the malware was created nearly two years before the commercial tool was first made available for purchase, said the report.

Both Linux and Android share a common feature: popularity.

"It's true that the more popular an app or software is, the more likely it is to be targeted by attackers. While open-source does have the benefits of lots of good eyes on it, it also means bad actors can examine it in more detail to look for ways to target systems running them,” Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK.

It is yet to be ascertained whether these Android malwares were used in Covid-19 attacks, said Cornelius. “They were created and discovered prior to that. We are still investigating Covid-19-related attacks.”

SC Media UK earlier reported about developing nations getting on to cyber-espionage using commodity malware. 

“The use of publicly available hacking tools is a trend we can confirm and have written about ourselves, previously. Of particular concern is the use of those tools by governments or government-backed groups, as it aids in obfuscating attempts at attribution,” Cornelius said.

“By using malware signed with adware certificates to communicate with innocuous domain names hosted on public cloud providers, any alerts generated by the APT attack campaign tend to blend into the background. By camouflaging their campaigns in this manner, the attackers are making it increasingly difficult for defenders to identify breaches without productivity stifling security restrictions," Tripwire’s Young told SC Media UK.

However, the use of stolen code-signing certificates from adware companies is not necessarily a relevant example, Cornelius pointed out. 

“All legitimate software uses code-signing certs. The tactic we’re spotting here is the use of certs by the APTs that are intended to make their malware look like adware. Adware is generally perceived to be unwanted, but is regarded more as a nuisance or low priority, not a foothold for a threat actor acting in the interests of the Chinese government.” 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews