The FBI and NSA have published a report with technical details on a previously unknown Linux malware that is currently being actively used by the Russian military intelligence service GRU, or its subunit GTsSS, for complex targeted attacks – so-called Advanced Persistent Threats (APT).
The US security authorities equate GTsSS with the attacker group also known as APT28, Sofacy or Fancy Bear. The group APT28, which according to the German Federal Government also belongs to the GRU with “a probability bordering on certainty”, is held responsible by the BSI for the break-in at the German Bundestag. According to the FBI and NSA press release, Drovorub poses a threat to “national security systems, the Department of Defense and defense industrial base customers” if they use Linux. The authorities do not name any further or more specific targets.
Understanding APT attacks
In contrast, the 38-page Drovorub report by the FBI and NSA is unusually detailed for a publication by US government agencies. It is recommended reading for any IT professional who could ever find themselves having to investigate an APT incident and wants a feel in advance for what to expect. Much of the information it contains transfers to other, less well-documented APT attack tools, in some cases across platforms.
Drovorub is a typical post-exploitation tool, used only after an attacker has already gained full control over a system, for example via vulnerabilities in the system or its installed software, or via stolen SSH keys. Once on the system, Drovorub acts as a rootkit, hiding itself and a set of tools on the compromised Linux host. To do this, it loads a kernel module that, among other things, hides its own processes, files and network activity from all other processes on the system. It is therefore difficult to track down without examining the system from “outside”.
One of the main tasks of the modular malware is to communicate with the attacker’s command & control server. Drovorub also serves as a kind of intermediary or “bridgehead” in the target network, via which the attacker can then reach other systems in the attacked network (via port forwarding). Thanks to its upload and download functions, it can exfiltrate sensitive data as well as load further malicious code. Drovorub also includes a shell module that allows attackers to remotely execute commands with root rights.
Drovorub: Recommended protective measures
Regarding preventive measures against Drovorub’s invisible implantation on Linux servers, the otherwise extensive report is kept very brief: in the section “Preventative Mitigations”, the FBI and NSA advise Linux admins to run at least kernel version 3.7 (released in 2012) and to install all available software updates regularly. Since version 3.7, Linux can verify the signatures of kernel modules before loading them to ensure they have not been tampered with. Admins should configure their systems so that only modules with a valid digital signature can be loaded.
The measures mentioned, as the US authorities emphasize in the report, only protect against Drovorub establishing persistence and playing “hide and seek” on the system, but not against the actual compromise that takes place before the rootkit is installed. Since the entry points for targeted attacks vary greatly from case to case, there is (unfortunately) no magic bullet.
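A small POSIX shell audit that checks the two mitigations the report names, added here as an example and not taken from the FBI/NSA report: whether the running kernel is at least 3.7, and whether the kernel refuses unsigned modules. It reads the sysfs knob `/sys/module/module/parameters/sig_enforce`, which is present when the kernel is built with module signing support; the script name and the `drovorub_audit` function name are assumptions of this example.

```shell
#!/bin/sh
# Audit helpers for the mitigations in the Drovorub report (added example).

# Returns 0 if a kernel release string such as "5.10.0-23-amd64" is >= 3.7,
# the first version able to verify kernel module signatures.
kernel_at_least_3_7() {
    v="$1"
    major="${v%%.*}"
    rest="${v#*.}"
    if [ "$rest" = "$v" ]; then
        minor=0                     # no dot at all, e.g. "3"
    else
        minor="${rest%%.*}"
    fi
    major="${major%%[!0-9]*}"; minor="${minor%%[!0-9]*}"
    if [ "${major:-0}" -gt 3 ]; then return 0; fi
    if [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -ge 7 ]; then return 0; fi
    return 1
}

# Reports how the kernel treats unsigned modules. The path is a parameter so
# the function can be exercised against constructed input; the default is
# the real sysfs location exposed when CONFIG_MODULE_SIG is built in.
module_sig_status() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    if [ ! -r "$f" ]; then
        echo "unsupported"          # knob absent: no module signing support
        return 0
    fi
    case "$(cat "$f")" in
        Y) echo "enforcing" ;;      # unsigned modules are refused at load time
        N) echo "permissive" ;;     # unsigned modules still load (kernel tainted)
        *) echo "unknown" ;;
    esac
}

# Ties both checks together for the host the script runs on.
drovorub_audit() {
    rel="$(uname -r 2>/dev/null || echo 0)"
    if kernel_at_least_3_7 "$rel"; then
        echo "kernel $rel: module signature verification available"
    else
        echo "kernel $rel: older than 3.7, cannot verify module signatures"
    fi
    echo "module.sig_enforce: $(module_sig_status)"
}

drovorub_audit
```

A result of "permissive" means signed-module support exists but is not enforced; booting with `module.sig_enforce=1` (or a kernel built with enforcement on) is what the report's advice amounts to.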