[kwlug-disc] Linux Hacked For A Decade?

Mikalai Birukou mb at 3nsoft.com
Wed Apr 8 19:33:08 EDT 2020


- Yes. They discovered Chinese closed-source Metasploit tools. Just in 
time for marketing rollout.

- Meat that I can use to check safety of my systems? Nay!

- No CVE references.

- Quote from page 16:

"""
BlackBerry researchers found that each of the victims' kernel versions 
indicated they were all running various versions of Red Hat Enterprise 
Linux or CentOS – by using this information it was possible to discover 
the earliest possible compromise date for each victim (Red Hat, 2019).
"""

- Again this theme: make sure that servers can't call outside. Do egress 
filtering. Devs of Jira and Confluence seem not to hear this, though. 
Ya, friendly reminder that by default all your docker containers in 
docker swarm can get out. What about K8s networks?

My 2 cents.

On 2020-04-08 7:17 p.m., Ron Singh wrote:
> A random paragraph on pg 11 --
>
> *For the first time, BlackBerry researchers have assessed that these 
> groups are all sharing a previously unidentified Linux malware toolset 
> referred to in this report as the WINNTILNX toolset. It should be noted 
> that these groups have also been observed targeting other platforms as 
> well, including Windows, Android, and MacOS. Four of these five groups 
> are already known to the security community as PASSCV, BRONZE UNION 
> (aka APT27, EMISSARY PANDA), a group tracked internally as CASPER 
> (aka LEAD), and the original WINNTI GROUP. But the fifth Linux splinter 
> cell group, which BlackBerry researchers are tracking as WLNXSPLINTER, 
> is discussed for the first time in this report. These threat actor 
> groups share three important characteristics:*
>
> Seems to imply that the paper is worth at least a glance?
>
> Thanks,
>
> Ron Singh

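The egress-filtering point above ("make sure that servers can't call outside"), worked through as an added example that is not part of the thread: a small shell function that emits a default-deny nftables output ruleset for a server, allowing only a resolver, an internal package mirror and an NTP server, and logging everything else before dropping it so that a process trying to beacon out shows up in the journal. The table and chain names, and the 10.0.0.x addresses, are placeholders chosen here, not anything from the report or the list.

```shell
#!/bin/sh
# Added example (not from the kwlug-disc thread): generate a default-deny
# egress ruleset for nftables on a server that should not "call outside".
# Assumptions (not from the page): the resolver, mirror and NTP addresses
# passed in are placeholder internal hosts; table/chain names are ours.

# Print an nftables ruleset that drops all outbound traffic except the
# explicitly listed destinations.
# Arguments: DNS_SERVER UPDATE_MIRROR NTP_SERVER
egress_ruleset() {
    dns="$1"; mirror="$2"; ntp="$3"
    cat <<EOF
table inet egress {
    chain output {
        type filter hook output priority 0; policy drop;

        # replies on connections that already passed policy
        ct state established,related accept

        # loopback never leaves the host
        oif "lo" accept

        # name resolution, only to our own resolver
        ip daddr $dns udp dport 53 accept
        ip daddr $dns tcp dport 53 accept

        # package updates, only via the internal mirror
        ip daddr $mirror tcp dport { 80, 443 } accept

        # time sync
        ip daddr $ntp udp dport 123 accept

        # everything else: log (rate limited) then drop, so an unexpected
        # outbound attempt is visible in the journal instead of silent
        limit rate 10/minute log prefix "egress-drop: " level warn
        counter drop
    }
}
EOF
}

# Count the accept rules in a ruleset read from stdin; a quick review
# check that the allow-list is as short as you think it is.
count_accepts() {
    grep -c ' accept$'
}

# Usage:
#   egress_ruleset 10.0.0.53 10.0.0.80 10.0.0.123 > /etc/nftables.conf
#   nft -f /etc/nftables.conf
#   journalctl -k | grep egress-drop:   # see what tried to get out
```

Load it with `nft -f` and watch the kernel log for `egress-drop:` lines for a day before trusting the allow-list; anything legitimate that breaks (a licence check, a metrics exporter) gets an explicit rule, not a blanket opening. The same default-deny idea applies to the container networks mentioned above: in Kubernetes it is a NetworkPolicy with `policyTypes: [Egress]` and no egress rules, to which you then add the specific destinations each workload needs.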