There is an active cryptojacking campaign targeting Linux-based machines running weak SSH credentials, with the attackers goal mainly to deploy the Monero mining malware, albeit their toolbox could allow for other attacks.

According to Bitdefender security researchers who discovered the cryptojacking attacks, it has been active since at least 2020 and the attackers are believed to be a threat group likely based in Romania. The attackers exploited Linux Systems with previously undocumented SSH brute-forcer written in Golang, with their toolset dubbed "Diicot brute" which is a password cracking tool supposed to be available via a software-as-a-service model.

The stealthy part isn't necessarily the brute-forcing of those credentials, but that the hackers does it in a way that lets them go completely undetected.

How the Linux Cryptojacking Attackers target Linux Systems?

While exploitation of weak SSH credentials isn't quite uncommon to Linux Systems, the method employed by the threat group involves obfuscating Bash scripts by compiling them with a shell script compiler (shc) and using Discord to report back the information.

The toolkit used by the threat actors includes traditional tools such as masscan and zmap, and as distributed on an as-a-service model, each threat actor supplies their own API key in their scripts. And like most tools in this kit, the brute force tool has a mix of Romanian and English languages in its interface.

Once the attackers finds a Linux device with inadequate SSH credentials, they'll deploy and execute the loader, as in the current campaign, they employed .93joshua, though they have a couple of others such as .purrple and .black. However, all the loaders are obfuscated via shc and the loader gathers system information and relays to the attacker using an HTTP POST through a Discord webhook.

Albeit, there's no shortage of Linux machines with weak SSH credentials, and the only way to find out is through scanning.

As a mitigation strategy, it is recommended that Linux users should resort to runtime cloud security as an important last line of defense if they detect malicious code injections and other threats that took place after a vulnerability has been exploited by an attacker.

Cryptojacking Campaign targeting Linux Systems on the Rise

Google's Threat intelligence researchers discovered four zero-day exploits used as part of three different campaigns, which vulnerabilities affects the major browsers, including Chrome, Internet Explorer and Apple Safari.

While the WebKit (Safari) zero-day is a Use-After-Free vulnerability in QuickTimePluginReplacement, tracked as CVE-2021-1879, which was discovered on March 19, 2021, and recently exploited by a likely Russian government-backed actors.

The campaign targeting Apple iOS devices also coincided with campaigns from same actor targeting users on Windows devices with the aim to deliver Cobalt Strike, a remote access software designed to execute targeted attacks.

How the Apple WebKit Zero-day was exploited in the wild?

The Apple WebKit Zero-day was exploited in the wild with attackers using LinkedIn Messaging to target officials from Western European countries by specially crafted malicious links.

Once the target victim visits the link from any iOS device, it would redirect to the attacker-controlled domain which served the next stage payloads. And through several validation checks to ensure the iOS device was a real device, the final payload which exploits CVE-2021-1879 would be served to the device.

This exploit turns off Same-Origin-Policy protections to be able to collect authentication cookies from popular websites, such as Google, LinkedIn, Facebook, which it then sends to an attacker-controlled IP via WebSocket. Albeit, not all attacks need chaining multiple zero-day exploits to be successful, the campaign mirrors a wave of targeted attacks carried out by Russian hackers tracked as Nobelium, that was found to abuse the vulnerability to strike Western government agencies.

How to Mitigate against the Apple WebKit Zero-day?

The WebKit flaw could be exploited by adversaries to process maliciously crafted web content to carry out a universal cross-site scripting attack.

However, Apple had promptly patched the flaw on March 26, 2021 with the release of iOS 14.4.2 and iPadOS 14.4.2, therefore users of affected Apple devices should update their devices in order to mitigate the Apple WebKit Zero-day.

Apple WebKit Zero-day actively exploited in the wild

The Solus team has released a new version of Solus 4 ‘Fortitude’ series, Solus 4.3 which follows on the heels of the previous version 4.2 with updates for the software stacks and hardware enablement.

While Solus is an independently developed Linux distribution for the x86-64 architecture featuring the homegrown Budgie desktop environment, GNOME, MATE or KDE Plasma as desktop environment. Solus 4.3 features Linux Kernel 5.13, which brings a huge array of hardware support such as AMD GPU FreeSync/Adaptive-Sync HDMI support and AMD Aldebaran accelerator support.

Along with several bug fixes, Solus 4.3 also offers the most important updates like the upgrade to the Gnome 40 stack (GNOME 40.2) and fixes to Budgie panel applets and tracking of various window state.

What's New in Solus 4.3 Release?

The introduction of Linux Kernel 5.13 boasts of support for M1 powered Apple Macs, and also, preliminary support for Alder Lake-S GPUs; coupled with the hugely improved RISC-V support, RISC-V been a fully open-source CPU architecture, that serves as free alternative to the proprietary arm chips used in smartphones.

Solus 4.3 offers these other improvements:

  • Basic Apple M1 Support
  • Preliminary Alder Lake S GPU Support
  • AMD GPU FreeSync/Adaptive-Sync HDMI support
  • AMD Aldebaran accelerator support
  • New Generic USB display driver
  • Much better RISC-V support

Additionally, Solus 4.3 has all the latest apps including Firefox 89.0.2, LibreOffice and Thunderbird 78.11.0. And the flagship edition, Budgie, haven been upgraded to Budgie 10.5.3, also received lots of improvements.

How to Download or Upgrade to Solus 4.3

For existing Solus users, you'll automatically receive the latest update and then, you can simply update your system.

And if you're new to Solus and want to try out the latest version Solus 4.3, you can download the ISO image from their official download page.

Solus 4.3 Release: brings new Kernel and improved Hardware support

Macro malware was common some years ago as a result of macros running automatically when a document is opened, however, malware authors now have to convince target victims to turn on macros so that their malware can run.

Malware authors are increasingly devising new tricks using non-malicious documents to disable macro security warnings prior to executing code to infect computers. According to researchers at McAfee Labs, there is a novel tactic used by hackers that "downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro."

The researchers discovered that ZLoader infections which propagated using this mechanism was started with phishing email that contains a Microsoft Word document attachment, that if opened, downloads a password-protected Microsoft Excel file from a remote server.

How Hackers uses the New Trick to Disable Macro Warnings in Malicious Office Files?

ZLoader infections primarily targeted victims in the U.S., Canada, Japan, and Spain, and was a descendant of the infamous banking trojan, ZeuS, that is known for aggressively employing macro-enabled Office documents as initial attack vector to steal personally identifiable information from users of financial institutions.

After downloading the XLS file, it reads the cell contents from the XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions, and once the macros are written and ready, the Word document sets the policy in the registry to 'Disable Excel Macro Warning' which invokes the malicious macro function from the Excel file.

While macros are needed to be enabled in the Word document to trigger the download itself, but simply turning off the security warning, the attackers were able to stay undetected, and the obfuscation techniques used by these attackers have been evolving over the years.

Interestingly, the malware did not only lure users into enabling macros, but also have embedded files containing XLM macros which download and execute malicious second-stage payload that is retrieved from a remote server.

New Evasive Trick used by attackers to disable Macro Security Warnings

KaOS is a Linux distribution with specific focus on Qt and KDE, offering better flexibility and usability, with the latest update KaOS 2021.06 having packages such as the new Plasma 5.22 with Adaptive Transparency.

While the new Plasma 5.22 Adaptive Transparency feature means that the panel widgets will be translucent, and if there are any maximized windows, it will be entirely opaque.

The latest KaOS version also offers other new functionalities, such as support for JPEG XL, an upgrade to the JPEG format, and Plasma Wayland session now supports Activities, allowing users to keep their main work separate from other tasks.

What's New in KaOS 2021.06 Release?

Besides the desktop environment upgrade, KaOS 2021.06 comes with LibreOffice, replacing Calligra as the default office suite. And the latest Plasma packages are built on Qt 5.15.2+, including Plasma 5.22.2, Frameworks 5.83.0 and KDE applications 21.04.2.

Other new and updated core tools in KaOS 2021.06 includes:

  • KWin Wayland now supports Present Windows effect
  • Maliit virtual keyboard packages now Added
  • Fosshost is now the default mirror, utilizes Fastly CDN to deliver content
  • Calamares installer now offers two new QML modules
  • KSysguard replaces Plasma System Monitor

Further more, there is no need to adjust a mirror list to install/update to KaOS anymore, with Fosshost as the default mirror.

How to Download or Upgrade to KaOS 2021.06 Release?

For existing KaOS user, simply use the following command to upgrade your current system to KaOS 2021.06:

sudo pacman -Syu

And for a fresh installation, you can download the ISO images from the official site, but note that the welcome screen can now display text or other info as a QML file in the Calamares window.

KaOS 2021.06 Release: Brings Plasma 5.22 with Adaptive Transparency

Microsoft Edge has a security flaw, which stems from the universal cross-site scripting (UXSS) triggered when translating web pages via Microsoft Translator, the browser's built-in feature.

While UXSS is an attack that exploits client-side vulnerabilities in a browser or browser extensions to generate an XSS condition to execute malicious code; the Edge flaw tracked as CVE-2021-34506 has CVSS score of 5.4 and the discovery credited to Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh of CyberXplore.

Microsoft, however, has already rolled out updates for the Edge browser with fixes for the issue and subsequently awarded the researchers $20,000 as part of its bug bounty program.

How the Edge Browser Flaw Could have allowed anyone to Steal Your Private Data?

Microsoft Translator Which comes pre-installed on Edge browser has a vulnerable code which takes any html tags having an “>img tag without sanitising the input or converting payload to text while translating so that internal translator was taking “>img src=x onerror=alert(1)> payload and executing it as JavaScript as no proper validation check which does sanitization or convert DOM into text and then process it for translation.

As the translation feature failed to sanitize input, it could allow an attacker to insert malicious JavaScript code in any web page and subsequently execute it if the user clicks on the prompt in the address bar to translate the page.

Also, web based applications on Windows store may be vulnerable to this kind of attack as Windows stores ships apps with Microsoft Translator which was responsible for triggering the Universal XSS (UXSS) attack.

What Edge Browser users Need to do Right away

Microsoft has fixed the issue with the latest Edge update, version 91.0.864.59 now available for download.

Therefore, it is recommended that Edge users should promptly update their browser by going to Settings and more > About Microsoft Edge (edge://settings/help) to initiate the update, if not done automatically.

Edge Browser flaw exposes users Personal Data to any website