All entries by Keumars Afifi-Sabet

Chinese hackers target Linux systems with RedXOR backdoor


Keumars Afifi-Sabet

11 Mar, 2021

Hackers are targeting legacy Linux systems with sophisticated malware believed to have been developed by cyber criminals backed by the Chinese state.

The malware, branded RedXOR, encodes its network data with a scheme based on the XOR Boolean logic operation used in cryptography, and is compiled with a legacy compiler on an older release of Red Hat Enterprise Linux (RHEL).

This, according to Intezer researchers, suggests RedXOR is being used in targeted attacks against legacy systems.

Its operators deploy RedXOR to infiltrate Linux endpoints and systems in order to browse files, steal data, upload or download data, and tunnel network traffic. The backdoor is also difficult to identify, disguising itself as a polkit daemon (polkit being the background service that manages system-wide privileges).

“Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors,” said Intezer researchers Avigayil Mechtinger and Joakim Kennedy.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”

Upon installation, the malware moves its binaries to a hidden folder dubbed ‘po1kitd.thumb’, as part of its efforts to disguise itself as the polkit daemon. The malware then communicates with the command and control server in the guise of HTTP traffic, from where instructions are then sent.

Researchers have monitored the server issuing a total of 19 separate commands, including requesting system information and issuing updates to the malware. The presence of “on and off” availability in the command and control server also indicates the operation is still active, the researchers claim.

To build the backdoor, the hackers used GCC 4.4.7 as shipped by Red Hat, the default GNU Compiler Collection (GCC) version for RHEL 6, which was first released in 2010.

Mainstream support for RHEL 6 only ended recently, in November 2020, meaning a swathe of servers and endpoints are likely still running RHEL 6. Intezer, however, hasn’t disclosed the number of, or nature of, the victims it’s identified. According to Enlyft, roughly 50,000 companies use RHEL installations.

Although the discovery of Linux malware families has increased in recent times, backdoors attributed to advanced threat groups, such as nation state-backed attackers, are far rarer.

Researchers are confident in their attribution, however, identifying 11 distinct similarities between RedXOR and the PWNLNX backdoor, as well as parallels with the XOR.DDOS and Groundhog botnets – all associated with hackers supported by the Chinese state.

The samples discovered were also uploaded from Indonesia and Taiwan, countries known to be targeted by state-backed hackers operating from China.

Google and Red Hat team up with Linux Foundation for software-signing service


Keumars Afifi-Sabet

10 Mar, 2021

The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.

Developed in partnership with Google and Red Hat, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.

The aim is to make it easier for developers to sign releases and for users to verify them, with widespread uptake translating to a reduction in the threat of open source supply chain attacks. This matters because one of the major issues with open source software is that it is often difficult to determine where the software came from and how it was built.

“Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine,” said Google’s product manager Kim Lewandowski and product engineer Dan Lorenc. “To address this we need to make it possible to verify the provenance of all software – including open source packages.

“The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.”

Sigstore takes a unique approach to key management by issuing short-lived certificates based on OpenID Connect grants, and by recording all signing activity in a public log backed by Trillian, Google’s transparency log software. This is so the team can detect compromises, and recover from them, when they do occur.

This approach was devised because key distribution is “notoriously difficult”, which led the developers to design away the need for a key-management hub by building a Root Certificate Authority (CA) that will be made available for free.
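The keyless flow the two paragraphs above describe, as an added example that is not code from the sigstore project: a toy CA issues a ten-minute certificate binding an ephemeral key to an OIDC identity, the signature is recorded in a log, and the verifier judges the certificate against the time the log recorded it rather than the time of download. The type names, the ten-minute lifetime and the identity dev@example.com are constructed, and the log is a plain slice standing in for the Merkle-tree-backed log.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// ShortLivedCert stands in for the certificate sigstore's CA issues: an
// ephemeral public key bound to a verified OIDC identity for ten minutes.
type ShortLivedCert struct {
	PubKey              *ecdsa.PublicKey
	Identity            string // OIDC subject, e.g. the signer's e-mail (constructed)
	NotBefore, NotAfter time.Time
	CASig               []byte // CA signature over the fields above
}

func certDigest(c *ShortLivedCert) []byte {
	h := sha256.New()
	for _, b := range [][]byte{c.PubKey.X.Bytes(), c.PubKey.Y.Bytes(), []byte(c.Identity),
		[]byte(c.NotBefore.UTC().Format(time.RFC3339)), []byte(c.NotAfter.UTC().Format(time.RFC3339))} {
		h.Write(b)
	}
	return h.Sum(nil)
}

// CA is the toy root certificate authority; Key.PublicKey is the trust root.
type CA struct{ Key *ecdsa.PrivateKey }

func NewCA() (*CA, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &CA{Key: k}, err
}

// Issue stands in for the OIDC step: identity is the subject of an already
// verified ID token, and the certificate expires ten minutes after issue.
func (ca *CA) Issue(pub *ecdsa.PublicKey, identity string, now time.Time) (*ShortLivedCert, error) {
	c := &ShortLivedCert{PubKey: pub, Identity: identity, NotBefore: now, NotAfter: now.Add(10 * time.Minute)}
	sig, err := ecdsa.SignASN1(rand.Reader, ca.Key, certDigest(c))
	c.CASig = sig
	return c, err
}

// LogEntry is one record of the public, append-only log: what was signed,
// by which certificate, and when the log saw it.
type LogEntry struct {
	ArtifactDigest, Signature []byte
	Cert                      *ShortLivedCert
	LoggedAt                  time.Time
}

// TransparencyLog is a plain slice here; the real service uses a Merkle-tree log.
type TransparencyLog struct{ Entries []LogEntry }

func (l *TransparencyLog) Append(e LogEntry) *LogEntry {
	l.Entries = append(l.Entries, e)
	return &l.Entries[len(l.Entries)-1]
}

// SignArtifact is the developer side: ephemeral key, certificate for the OIDC
// identity, signature over the artifact digest, log entry. The private key
// then goes out of scope, so there is no long-lived signing key to protect.
func SignArtifact(artifact []byte, identity string, ca *CA, tl *TransparencyLog, now time.Time) (*LogEntry, error) {
	eph, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := ca.Issue(&eph.PublicKey, identity, now)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, eph, d[:])
	if err != nil {
		return nil, err
	}
	return tl.Append(LogEntry{ArtifactDigest: d[:], Signature: sig, Cert: cert, LoggedAt: now}), nil
}

// Verify is the consumer side. The certificate has long expired by the time a
// user fetches the artifact, so validity is judged at the log's recorded time.
func Verify(artifact []byte, e *LogEntry, caPub *ecdsa.PublicKey, wantIdentity string) error {
	if !ecdsa.VerifyASN1(caPub, certDigest(e.Cert), e.Cert.CASig) {
		return errors.New("certificate not issued by the trusted CA")
	}
	if e.Cert.Identity != wantIdentity {
		return errors.New("signed by unexpected identity " + e.Cert.Identity)
	}
	if e.LoggedAt.Before(e.Cert.NotBefore) || e.LoggedAt.After(e.Cert.NotAfter) {
		return errors.New("signature logged outside certificate validity")
	}
	d := sha256.Sum256(artifact)
	if !bytes.Equal(d[:], e.ArtifactDigest) || !ecdsa.VerifyASN1(e.Cert.PubKey, d[:], e.Signature) {
		return errors.New("artifact does not match the logged signature")
	}
	return nil
}
```

A developer can audit the log for entries whose certificate carries their identity; an entry they did not create is the signal that their OIDC account has been misused.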

News of this project follows Google’s commitment to help fund two Linux developers in their ambitions to fix kernel security problems. This responded to a need for additional work on open source software security that recent research identified.

“I am very excited about sigstore and what this means for improving the security of software supply chains,” said Luke Hinds, one of the lead developers on sigstore and Red Hat’s security engineering lead.

“Sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.”

The team behind the sigstore project will build on this momentum in the near future with further tweaks, including hardening the system, adding support for other OpenID Connect providers, and updating documentation.

Microsoft’s Apprenticeship Connector will help SMBs find digital apprentices


Keumars Afifi-Sabet

8 Mar, 2021

Microsoft has partnered with the job-seeking platform GetMyFirstJob to launch an online hub that will connect UK organisations seeking to recruit digital apprentices with a wide pool of prospective applicants.

Apprenticeship Connector will simplify the recruitment process by listing vacancies across Microsoft’s network of partners and customers, which young jobseekers can access to seek new opportunities. The firm said its partners and customers will also be able to promote their vacancies to a larger and more diverse range of candidates.

GetMyFirstJob was chosen as the ideal partner platform in light of its recognition that traditional recruitment processes were exacerbating existing barriers to social mobility. Its own platform has sought to channel skills into the right areas, reaching more than 4.1 million users in 2020.

The partnership aims to solve the specific problem of small and medium-sized businesses (SMBs) struggling to recruit the right candidates while also aiming to raise the diversity of new recruits generally.

“Digital apprenticeships are one of the best routes to well-paid careers in businesses of all types, not just in tech,” said Microsoft’s UK CEO, Clare Barclay. “It’s why we have worked hard over the past 10 years to help provide thousands of people with the skills and training needed for the in-demand jobs of today and tomorrow. 

“Yet even in the current jobs market, the reality is there are many vacancies going unfilled. I encourage anyone thinking about getting started in digital to visit The Microsoft Apprenticeship Connector and take the next step.”

Microsoft also shared some statistics highlighting the tech recruitment problem in the UK, also referred to as the digital skills crisis. For example, the UK needs more than three million skilled people in technology roles by 2025, while almost half of UK businesses are also looking to recruit workers with the same technical skills, ranging from data analytics to cyber security, regardless of sector.

Last February, experts urged the government to reform its apprenticeship scheme after it fell short of its own targets. Figures at the time showed that the number of people starting an apprenticeship between August and October 2019 fell to 125,800 – down from 132,000 the previous year. 

This represented a 4.7% drop, although the situation is even bleaker today. The latest ONS figures show that new starts between August and October 2020 fell by a staggering 27.6% to 91,100. The effects of COVID-19 would have certainly played a role, although it nevertheless feeds into a long-term downward trend.

The UK chancellor, Rishi Sunak, also last week stressed the importance of apprenticeships as he was outlining the latest Budget. He doubled the cash incentive for employers to hire apprentices and introduced a new flexi-job programme that would allow apprentices to work with a number of different employers within one sector.

“It’s great to see Microsoft using its technology expertise to make it easier for people to engage with these fantastic opportunities,” Sunak said. “As the world becomes increasingly more digital, these skills will play a crucial role in helping us build back better from the pandemic.”

‘Hundreds of thousands’ of victims in Microsoft Exchange Server attacks


Keumars Afifi-Sabet

8 Mar, 2021

There are potentially hundreds of thousands of victims from cyber attacks exploiting newly-discovered Microsoft Exchange Server vulnerabilities, with the White House urging businesses to patch their systems immediately.

US-based victims exceed 30,000 including small businesses, towns and cities as well as local government organisations, according to security researcher Brian Krebs, with Chinese hackers determined to steal their email communications.

This figure, however, only represents a portion of the “hundreds of thousands” of servers that state-backed Chinese hackers have seized, based on information provided to Krebs by two security experts. Each targeted server, deployed to process email, corresponds to roughly one victim organisation.

“This is an active threat,” White House press secretary Jen Psaki said at a press briefing, as reported by BBC News. “Everyone running these servers – government, private sector, academia – needs to act now to patch them.”

She added that the White House was concerned “there are a large number of victims” and that these vulnerabilities discovered last week could have “far-reaching impacts”.

Microsoft patched four actively exploited flaws in several versions of Microsoft Exchange Server last week, which attackers were taking advantage of to steal emails from internet-facing systems running the software.

In these attacks, the perpetrators left behind a password-protected web shell that could be accessed from anywhere, giving them administrative access to victims’ servers.

The company also warned businesses that this charge was being led by state-backed hackers, specifically the Hafnium group, although it refrained from disclosing how many victims there were at the time.

The US Cybersecurity and Infrastructure Security Agency (CISA) then ordered US federal agencies to immediately patch their Exchange Server installations, or disconnect the programme until it can be reconfigured, for fear of falling victim to hacking attempts.

“Patching and mitigation is not remediation if the servers have already been compromised,” the White House’s National Security Council also tweeted. “It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.”

Vice president of Volexity, Steven Adair, who first reported the Exchange flaws to Microsoft, also told KrebsonSecurity that the hacking group first exploited these bugs on 6 January, but shifted into a much higher gear over the last few days.

“Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server,” he said. “The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Google launches Flutter 2 for cross-platform app development


Keumars Afifi-Sabet

4 Mar, 2021

Google has upgraded its Flutter toolkit to allow mobile developers to seamlessly port native apps across a breadth of operating systems and web browsers, as well as devices such as TVs, cars, and smart home appliances.

Flutter, an open source software development kit (SDK) launched by Google in December 2018, allows developers to build mobile apps across both Android and iOS devices from a single codebase using the Dart language.

The next generation, dubbed Flutter 2, is a logical extension of this principle, with developers able to program native apps not just for Android and iOS but also for Windows, macOS, and Linux systems. This is alongside web-based experiences across Chrome, Firefox, Safari, and Edge, as well as the operating systems powering IoT and smart devices.

“Our goal is to fundamentally shift how developers think about building apps, starting not with the platform you’re targeting but rather with the experience you want to create,” Google said in its Developer blog.

“In Flutter 2, released today, we’ve broadened Flutter from a mobile framework to a portable framework, unleashing your apps to run on a wide variety of different platforms with little or no change.”

Developing for Android devices with Android Studio, Google’s integrated development environment (IDE) for Android, differs from developing with Flutter in that Android Studio is a Java-based workbench for writing and debugging source code for a single platform.

Using Android Studio means developers can’t build apps native to iOS as well as Android – and must jump through hoops to convert their codebase to be compatible with iPhones, or rewrite them from scratch.

Flutter, by contrast, was launched with native cross-platform development in mind, with app creators able to build applications for both iOS and Android using a single codebase. Features such as platform APIs, third-party SDKs and reusable user interface (UI) blocks lend themselves to this aim.

Google also touts Flutter as allowing developers to build aesthetically pleasing apps at pace, and to make changes while the app is running with the ‘hot reload’ feature. The ecosystem of Flutter-developed apps includes roughly 150,000 services, including apps such as WeChat and Yandex Go.

Google Pay even switched to Flutter in September last year to achieve improvements in productivity and quality. By unifying the iOS and Android codebases, the development team removed roughly 500,000 lines of code. There has also been a reported increase in engineering efficiency, with less work needed around releases, such as security reviews and experimentation, now that two codebases have been consolidated into one.

Desktop support was added to an earlier alpha release of Flutter, but this has just been moved into the toolkit’s ‘stable’ channel, meaning it’s now generally available.

To make it happen, Google partnered with Canonical, the company that publishes Ubuntu, with the organisation’s engineers contributing code to support development and deployment on Linux installations.

Google has also expanded its partnership with Microsoft, with the Windows developer releasing contributions to the Flutter engine to support foldable Android devices, including new design patterns and functionality.

With Flutter 2, app developers will also find added support for the web with a focus on progressive web apps (PWAs) as well as single-page apps (SPAs) and bringing existing Flutter mobile apps to the web with shared code.

Finally, a partnership with Toyota paves the way for writing in-vehicle software using Flutter, with the car manufacturer using Flutter’s embedder API to tailor Flutter for the unique needs of its vehicles.

Okta agrees to buy rival Auth0 for $6.5 billion


Keumars Afifi-Sabet

4 Mar, 2021

Identity access management firm Okta has agreed to purchase its main industry competitor Auth0 in a deal worth $6.5 billion (roughly £5.6 billion).

This merger will eventually see the two businesses’ expertise and products unify under a single brand, with Okta’s cloud-based platform expected to combine with Auth0’s device and app-based identity management suite.

Auth0 was founded in 2013, four years after Okta was established, and recently attracted $120 million (£85.9 million) of funding in its Series F round in July last year. In doing so, it attained an overall valuation of approximately $2 billion (£1.4 billion).

Okta hopes that the merger will allow the two companies to jointly address more identity management problems and use cases than they each could alone. Both platforms will be supported, invested in, and eventually integrated with one another over time.

“Combining Auth0’s developer-centric identity solution with the Okta Identity Cloud will drive tremendous value for both current and future customers,” said Okta CEO and co-founder Todd McKinnon.

“Okta’s and Auth0’s shared vision for the identity market, rooted in customer success, will accelerate our innovation, opening up new ways for our customers to leverage identity to meet their business needs. We are thrilled to join forces with the Auth0 team, as they are ideal allies in building identity for the internet and establishing identity as a primary cloud.”

The company describes its own and Auth0’s services as being complementary, with customers able to opt for one or another depending on their particular needs. While this has traditionally been true, in recent years both companies have expanded their offerings to such an extent they’ve begun to encroach on each other’s customer base.

Okta had initially aimed to be a single sign-on (SSO) platform for web applications, while Auth0 carved out a reputation for providing backend user management. Product expansion has seen the lines blur, however, and the rivalry between the companies intensify.

“Okta and Auth0 have an incredible opportunity to build the identity platform of the future,” said CEO and co-founder of Auth0, Eugenio Pace.

“We founded Auth0 to enable product builders to innovate with a secure, easy-to-use, and extensible customer identity platform. Together, we can offer our customers workforce and customer identity solutions with exceptional speed, simplicity, security, reliability and scalability. By joining forces, we will accelerate our customers’ innovation and ability to meet the needs and demands of consumers, businesses and employees everywhere.”

The boards of both companies have approved the transaction, with the acquisition expected to finalise before the end of July 2021.

Microsoft doubles down on zero trust security policies


Keumars Afifi-Sabet

2 Mar, 2021

Microsoft has launched new functionality across its Azure Active Directory (AD) authentication portal and Microsoft 365 to advance its zero trust security strategy and protect its customers against insider threats. 

‘Zero trust’ is a security strategy based on the need for businesses to adapt to increasingly sophisticated threats, and is based on the assumption that nothing within the corporate network can be trusted. 

Microsoft is among a handful of tech companies to adopt these policies in a meaningful way over the past few years, with features revealed at its Ignite 2021 conference in Azure AD and Microsoft 365 bolstering the firm’s zero trust capabilities. 

Passwordless authentication is now generally available in Azure AD across all cloud and hybrid environments, with users able to log in using biometrics, Windows Hello for Business, the Microsoft Authenticator app or a FIDO2 security key.

The policy engine Azure AD Conditional Access now uses authentication context to enforce more granular policies based on user interactions within an app, also taking into account the sensitivity of data they’re trying to access. 

Verifiable credentials, which let organisations confirm pieces of information about their employees such as education or professional certificates, are also entering public preview within the next few weeks. This verifies the claims made without collecting any personal data. The government of Flanders and the NHS are already piloting the service.

“As defenders ourselves, we are passionate proponents of a Zero Trust mindset, encompassing all types of threats – both outside in and inside out,” said Microsoft’s corporate VP for security, compliance and identity, Vasu Jakkal.

“We believe the right approach is to address security, compliance, identity, and device management as an interdependent whole, and to extend protection to all data, devices, identities, platforms, and clouds – whether those things are from Microsoft, or not.”

Changes in Microsoft 365 are largely based on trying to eliminate the insider threat, both malicious and unwitting, with the firm investing in creating inside-out protection by extending its capabilities to third parties.

Improvements in compliance include co-authoring documents protected with Microsoft Information Protection, which allows multiple users to work simultaneously on documents while benefitting from the extensive protection for documents and emails across Microsoft 365 apps.

Microsoft 365’s Insider Risk Management Analytics will allow customers to identify potential insider risk activity within an organisation, which will then inform policy configurations. Tools include daily scans of tenant audit logs, including historical activities, with machine learning used to identify any risky activity.

Azure Purview, Microsoft’s unified data governance platform for on-premises, multi-cloud and software as a service (SaaS) data, can also be used to scan and classify data residing in AWS S3 buckets, SAP ECC, SAP S/4HANA and Oracle Database.

“Adopting a Zero Trust strategy is a journey,” Jakkal continued. “Every single step you take will make you more secure. In today’s world, with disappearing corporate network perimeters, identity is your first line of defence. 

“While your Zero Trust journey will be unique, if you are wondering where to start, our recommendation is to start with a strong cloud identity foundation. The most fundamental steps like strong authentication, protecting user credentials, and protecting devices are the most essential.”

Microsoft is also launching what it calls an “assume breach” toolset, which comprises tools and features that can help customers adopt the assume breach mentality without being hampered by the complexity that it can often entail. This is a critical component of the overall zero trust umbrella. 

Among the improvements, Microsoft Defender for Endpoint and Defender for Office 365 customers can now probe threats directly from the Microsoft 365 Defender portal, which provides alerts and in-depth investigation pages. A Threat Analytics section also provides a set of reports from Microsoft security researchers that help customers understand, prevent and mitigate active threats.

Ransomware operators are exploiting VMware ESXi flaws


Keumars Afifi-Sabet

1 Mar, 2021

Two ransomware strains have retooled to exploit vulnerabilities in the VMware ESXi hypervisor system publicised last week and encrypt virtual machines (VMs).

The company patched three critical flaws across its virtualisation products last week. These included a heap buffer overflow bug in the ESXi bare-metal hypervisor, as well as a flaw that could have allowed hackers to execute commands on the underlying operating system that hosts the vCenter Server.

Researchers with CrowdStrike have since learned that two groups, known as ‘Carbon Spider’ and ‘Sprite Spider’, have updated their weapons to target the ESXi hypervisor specifically in the wake of these revelations. These groups have historically targeted Windows systems, as opposed to Linux installations, in large-scale ransomware campaigns also known as big game hunting (BGH).

The attacks have been successful, with affected victims including organisations that have used virtualisation to host many of their corporate systems on just a few ESXi servers. The nature of ESXi means these served as a “virtual jackpot” for hackers, as they were able to compromise a wide variety of enterprise systems with relatively little effort.

This follows news that cyber criminals last week were actively scanning for vulnerable businesses with unpatched VMware vCenter servers, only days after VMware issued fixes for the three flaws.

“By deploying ransomware on ESXi, Sprite Spider and Carbon Spider likely intend to impose greater harm on victims than could be achieved by their respective Windows ransomware families alone,” said CrowdStrike researchers Eric Loui and Sergei Frankoff. 

“Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations.

“If these ransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to target virtualization infrastructure in the medium term.”

Sprite Spider has conventionally launched low-volume BGH campaigns using the Defray777 strain, first attempting to compromise domain controllers before exfiltrating victim data and encrypting files. 

Carbon Spider, meanwhile, has traditionally targeted companies operating point-of-sale (POS) devices, with initial access granted through phishing campaigns. The group abruptly shifted its operational model in April last year, however, to instead undertake broad and opportunistic attacks against large numbers of victims. It launched its own strain, dubbed Darkside, in August 2020.

Both groups have compromised ESXi systems by harvesting credentials that can be used to authenticate to the vCenter web interface, a centralised server administration tool that can control multiple ESXi hosts.

After connecting to vCenter, Sprite Spider enables SSH to allow persistent access to ESXi hosts, and in some cases changes the root password or the host’s SSH keys. Carbon Spider, meanwhile, accesses vCenter using legitimate credentials but has also logged in over SSH using the Plink tool to drop its Darkside ransomware.