Red Hat is taking seriously a hacking tool, reportedly developed by the CIA, that targets its Linux software, and it is warning customers to follow their “Incident Response” practices. A hacker news site describes the latest malware news as “simply astonishing.”

“It is recommended that systems found with indicators of compromise should follow their organizational practices for Incident Response and react accordingly,” Red Hat says in a post at its customer portal.

The greatest threat from the so-called Aeris tool comes from an attacker who already has a foothold on a system, not from an external break-in: it is a post-compromise implant, not an entry vector.

“An attacker must already be resident on a system to conduct the Aeris attack,” Red Hat’s security team declared after examining the document published by WikiLeaks last Thursday and reported on by media outlets on Friday, including WRAL TechWire.

“The attacker would have access to any files or processes that this account would normally have access to. In order to escalate privileges or access normally inaccessible data, other vulnerabilities or attacking tools would have to be used.”

This is serious

Hacker news site HackRead said Aeris is designed to “infect systems, download Aeris malware, locate required data and perform exfiltration of information.”

Aeris targets several systems, including Red Hat’s top product, Red Hat Enterprise Linux, which is used by many of Wall Street’s top financial firms.

An attacker using the tool could collect any data the compromised account can read, encrypt it and then export it; reaching data beyond that account’s permissions would require a separate privilege-escalation vulnerability or tool, as Red Hat notes.

Red Hat advises users to utilize Security-Enhanced Linux (SELinux), which Wikipedia defines as “a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).”

“To help prevent attacks like this, Red Hat recommends the use of SELinux to limit exposure to data and processes. SELinux should be run in enforcement mode (setenforce 1),” Red Hat explains.
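Red Hat’s one-line recommendation covers the running kernel only; `setenforce 1` does not survive a reboot unless /etc/selinux/config also says enforcing. The script below is an added example, not part of Red Hat’s advisory or this article: it reports both the live mode and the persisted mode, flags drift between them, and can switch both to enforcing. It assumes the standard `SELINUX=` line layout in the config file; the path is overridable through `SELINUX_CONFIG` so it can be tested on a copy.

```bash
#!/bin/bash
# Added example (not from Red Hat's advisory): audit the live SELinux mode and
# the mode persisted for the next boot, and optionally switch both to enforcing.
# Assumes the standard /etc/selinux/config layout (SELINUX=enforcing|permissive|disabled).

SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# Print the mode configured for the next boot, or "unknown" if no SELINUX= line.
# Commented-out lines (# SELINUX=...) are ignored; the last active line wins.
selinux_config_mode() {
    local file="${1:-$SELINUX_CONFIG}" mode
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$file" 2>/dev/null | tail -n 1)
    echo "${mode:-unknown}"
}

# Print the live kernel mode (lowercased), or "unavailable" where getenforce
# is missing (non-SELinux host, container, build box).
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo "unavailable"
    fi
}

# Rewrite (or append) the SELINUX= line in the given config file to enforcing.
set_config_enforcing() {
    local file="${1:-$SELINUX_CONFIG}"
    if grep -q '^[[:space:]]*SELINUX=' "$file"; then
        sed -i 's/^[[:space:]]*SELINUX=.*/SELINUX=enforcing/' "$file"
    else
        echo "SELINUX=enforcing" >> "$file"
    fi
}

# Report drift; returns 0 only when both live and persisted modes are enforcing.
audit_selinux() {
    local live cfg rc=0
    live=$(selinux_runtime_mode)
    cfg=$(selinux_config_mode "$SELINUX_CONFIG")
    echo "runtime mode:    $live"
    echo "configured mode: $cfg"
    [ "$live" = "enforcing" ] || { echo "WARNING: kernel is not enforcing (run: setenforce 1)"; rc=1; }
    [ "$cfg" = "enforcing" ] || { echo "WARNING: $SELINUX_CONFIG will not keep enforcing across a reboot"; rc=1; }
    [ "$live" = "disabled" ] && echo "NOTE: coming from disabled needs a relabel (touch /.autorelabel) and a reboot"
    return $rc
}

# Usage: selinux_audit.sh --check | --enforce   (--enforce needs root)
case "${1:-}" in
    --check)   audit_selinux ;;
    --enforce) setenforce 1 && set_config_enforcing "$SELINUX_CONFIG" && audit_selinux ;;
    "")        ;;   # no arguments: only define the functions
esac
```

Run `--check` from configuration management or a cron job and alert on a non-zero exit; a host that reports `permissive` or `disabled` at runtime while the config says `enforcing` (or the reverse) is exactly the drift that quietly removes the containment Red Hat is recommending.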

Here’s how an attack works:

“The attack first collects, then seeks to exfiltrate, data via secure channels and encrypted files. A recommended good practice to recognize and stop such behaviour is network traffic baseline, analysis, and anomalous traffic alerting/blocking for any systems holding critical information.”
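Because Aeris uses ordinary HTTPS and operator-chosen file names, the practical detection signal is the one Red Hat points at: volume and destinations that depart from a host’s own baseline. The following is an added example (not from Red Hat’s advisory) of that baseline-and-alert logic as a single awk pass over a flow log. The input format is an assumption (one line per flow: date, source host, destination IP, destination port, bytes out, as a firewall or NetFlow export might produce), and the embedded sample log is constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from Red Hat's advisory): baseline each host's outbound
# HTTPS volume per day and flag the most recent day when it departs from that
# baseline or when the host talks to a destination it has never used before.
# Assumed input format, whitespace-separated, one line per flow:
#   YYYY-MM-DD  src_host  dst_ip  dst_port  bytes_out

# Prints one ALERT line per host whose port-443 bytes on the latest day exceed
# MULTIPLIER times its per-day average over earlier days, and one per
# destination first seen on the latest day. Args: logfile [multiplier, default 5]
flag_anomalous_egress() {
    local log="$1" mult="${2:-5}"
    awk -v mult="$mult" '
        $4 == 443 {
            day = $1; host = $2; dst = $3; bytes = $5
            if (day > last) last = day            # ISO dates sort as strings
            vol[host SUBSEP day] += bytes
            seen[host SUBSEP dst SUBSEP day] = 1
            hosts[host] = 1; days[day] = 1; dsts[host SUBSEP dst] = 1
        }
        END {
            for (h in hosts) {
                # baseline: per-day average over every day except the latest
                n = 0; total = 0
                for (d in days)
                    if (d != last && ((h SUBSEP d) in vol)) { total += vol[h SUBSEP d]; n++ }
                today = vol[h SUBSEP last] + 0
                if (n > 0) {
                    base = total / n
                    if (base == 0 && today > 0)
                        printf "ALERT volume %s: %d bytes on %s with a zero baseline\n", h, today, last
                    else if (base > 0 && today > mult * base)
                        printf "ALERT volume %s: %d bytes on %s vs baseline %.0f (x%.1f)\n", h, today, last, base, today / base
                }
                # destinations contacted on the latest day but on no earlier day
                for (hd in dsts) {
                    split(hd, p, SUBSEP)
                    if (p[1] != h || !((h SUBSEP p[2] SUBSEP last) in seen)) continue
                    prior = 0
                    for (d in days)
                        if (d != last && ((h SUBSEP p[2] SUBSEP d) in seen)) prior = 1
                    if (!prior) printf "ALERT new-destination %s -> %s on %s\n", h, p[2], last
                }
            }
        }' "$log"
}

# Constructed sample log (not real traffic): web-01 is steady; db-01 pushes
# 13x its usual volume, most of it to an address it has never contacted.
sample_flow_log() {
    cat <<'EOF'
2024-03-01 web-01 198.51.100.10 443 1000000
2024-03-02 web-01 198.51.100.10 443 1000000
2024-03-03 web-01 198.51.100.10 443 1000000
2024-03-04 web-01 198.51.100.10 443 1200000
2024-03-01 db-01 198.51.100.10 443 50000
2024-03-02 db-01 198.51.100.10 443 50000
2024-03-03 db-01 198.51.100.10 443 50000
2024-03-04 db-01 198.51.100.10 443 50000
2024-03-04 db-01 203.0.113.77 443 600000
2024-03-04 db-01 198.51.100.20 22 4000
EOF
}

# Usage: egress_baseline.sh --demo [multiplier] | egress_baseline.sh <logfile> [multiplier]
case "${1:-}" in
    --demo) tmp=$(mktemp); sample_flow_log > "$tmp"; flag_anomalous_egress "$tmp" "${2:-5}"; rm -f "$tmp" ;;
    "")     ;;   # no arguments: only define the functions
    *)      flag_anomalous_egress "$1" "${2:-5}" ;;
esac
```

On the sample data `--demo` reports db-01 twice (volume 650000 against a 50000 baseline, and the new destination 203.0.113.77) and stays silent about web-01, whose 20 percent rise is well inside a 5x threshold. Host order in the output is not stable, since awk iterates arrays in arbitrary order; sort it before diffing against a previous run. A real deployment would feed this from the collector rather than a flat file and tune the multiplier per host class, but the structure is the same: baseline per host, then compare the newest window against it.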

How to stop this?

“Network traffic can be managed and inappropriate access can be stopped using tools like iptables and firewalld.”
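The control that actually matters against an implant that beacons over HTTPS is outbound filtering: if a system holding critical data may only reach an explicit allowlist, the Listening Post is unreachable no matter what the binary is called. The script below is an added example, not Red Hat’s own guidance, that generates a default-deny OUTPUT policy for iptables and the equivalent firewalld policy object. The resolver address and allowlisted destinations are placeholders from the documentation ranges; the firewalld variant assumes firewalld 0.9 or later, which introduced policy objects.

```bash
#!/bin/bash
# Added example (not from Red Hat's advisory): default-deny egress for a host
# holding sensitive data, so outbound TLS is only possible to allowlisted
# destinations. Resolver and destination addresses are assumed placeholders.

# Emit iptables rules for the OUTPUT chain: allow loopback, replies to
# established connections, DNS to one resolver and HTTPS to each allowlisted
# address; log (rate-limited) and drop everything else.
# Args: resolver_ip allowlisted_ip...
egress_rules_iptables() {
    local resolver="$1" dst; shift
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -p udp -d $resolver --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -d $resolver --dport 53 -j ACCEPT"
    for dst in "$@"; do
        echo "iptables -A OUTPUT -p tcp -d $dst --dport 443 -j ACCEPT"
    done
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'EGRESS-DROP: '"
    echo "iptables -A OUTPUT -j DROP"
}

# Same policy expressed with a firewalld policy object (firewalld >= 0.9):
# traffic from the host (ingress zone HOST) to anywhere (egress zone ANY) is
# dropped unless a rich rule accepts it. Args: resolver_ip allowlisted_ip...
egress_rules_firewalld() {
    local resolver="$1" dst pol="egress-lockdown"; shift
    echo "firewall-cmd --permanent --new-policy $pol"
    echo "firewall-cmd --permanent --policy $pol --add-ingress-zone HOST"
    echo "firewall-cmd --permanent --policy $pol --add-egress-zone ANY"
    echo "firewall-cmd --permanent --policy $pol --set-target DROP"
    echo "firewall-cmd --permanent --policy $pol --add-rich-rule='rule family=ipv4 destination address=$resolver port port=53 protocol=udp accept'"
    echo "firewall-cmd --permanent --policy $pol --add-rich-rule='rule family=ipv4 destination address=$resolver port port=53 protocol=tcp accept'"
    for dst in "$@"; do
        echo "firewall-cmd --permanent --policy $pol --add-rich-rule='rule family=ipv4 destination address=$dst port port=443 protocol=tcp accept'"
    done
    echo "firewall-cmd --reload"
}

# Usage: egress_lockdown.sh --print-iptables|--print-firewalld|--apply-iptables <resolver> <allowed_ip>...
case "${1:-}" in
    --print-iptables)  shift; egress_rules_iptables "$@" ;;
    --print-firewalld) shift; egress_rules_firewalld "$@" ;;
    --apply-iptables)  shift; egress_rules_iptables "$@" | sh -e ;;   # root required
    "")                ;;   # no arguments: only define the functions
esac
```

Review the printed rules before applying them (`--print-iptables 192.0.2.53 198.51.100.10`), and apply from a console session rather than over SSH: with `ESTABLISHED,RELATED` accepted an existing SSH session survives, but a mistake in the allowlist will still strand a remote admin. The `EGRESS-DROP:` log prefix is worth watching in its own right; a process on a database host repeatedly hitting the drop rule on port 443 is the beaconing behaviour this article describes.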

The “root cause”

In a technical explanation of Aeris, which is part of a broader program labeled as the “Imperial project,” Red Hat warned:

“The Imperial project uses software called Aeris to run a series of commands to collect data, package and encrypt that data, and then ship that data back to Command-and-Control servers external to the affected system.

“Aeris itself is a customizable C-based program that is designed to work on multiple POSIX-based systems including Debian, FreeBSD, Solaris, RHEL and derivatives. It uses strong encryption to package and transmit gathered data. Aeris uses Python utilities to conduct its intelligence and defined actions.

“Aeris is installed by dropping the binary into a desired directory. Users of the toolkit have been instructed to generate their own file names and paths, which complicates blacklisting and detection. Once deployed, Aeris will periodically report back to a Listening Post (LP) server to deliver its payload. Aeris allows an attacker to combine up to 65,535 unique commands to be processed via a batch-mode to be executed on compromised endpoints.

“All communications Aeris uses are over HTTPS (TLS) using custom-issued certificates. All data exfiltrated will be encrypted then signed and transmitted over the mutually-authenticated secure channel to an upstream host (the Collide Automated Implant Command and Control system).”

Read more at:

https://access.redhat.com/solutions/3131231

And about SELinux troubleshooting at:

https://access.redhat.com/articles/2191331