Microsoft adds new feature to its Linux Defender

In June, Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for Linux for general use. Now, Microsoft has improved the Linux version of Defender, by adding a public preview of EDR capabilities.

This is still not a version of Microsoft Defender you can run on a standalone Linux desktop. Its primary job remains to protect Linux servers from server and network threats. If you want protection for your standalone desktop, use such programs

With these new EDR capabilities, Linux Defender users can detect advanced attacks that involve Linux servers, utilize rich experiences, and quickly remediate threats. This builds on the existing preventive antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.

  • Rich investigation experience, which includes machine timeline, process creation, file creation, network connections, login events, and advanced hunting.
  • Optimized performance: enhanced CPU utilization in compilation procedures and large software deployments.
  • In-context AV detection. Just like with the Windows edition, you’ll get insight into where a threat came from and how the malicious process or activity was created.

To run the updated program, your server needs one of the following distributions: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian or higher; or Oracle Linux 7.2.

Make sure you’re running version 101.12.99 or higher. You can find out which version you’re running with the command: 

mdatp health

You shouldn’t switch all your servers running Microsoft Defender for Endpoint on Linux to the preview in any case. Instead, Microsoft recommends you configure only some of your Linux servers to Preview mode, with the following command:

$ sudo mdatp edr early-preview enable 

Once that’s done, if you’re feeling brave and want to see for yourself if it works, Microsoft is offering a way to run a simulated attack. To do this, follow the steps below to simulate a detection on your Linux server and investigate the case. 

Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.

Download and extract the script file from aka.ms/LinuxDIY to an onboarded Linux server and run the following command:

./mde_linux_edr_diy.sh

After a few minutes, the detection should appear in Microsoft Defender Security Center.
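As an added example (not from the article or from Microsoft's own tooling), here is a POSIX shell pre-check that reads the agent version out of `mdatp health` output and only then prints the preview opt-in command from the steps above. It assumes the output contains an `app_version : x.y.z` line; the two sample outputs in the script are constructed.

```sh
#!/bin/sh
# Added example, not from the article or Microsoft: gate the EDR preview opt-in
# on the version floor the article gives (101.12.99).
# Assumption: `mdatp health` prints an "app_version : x.y.z" line; samples below are constructed.

MIN_VERSION="101.12.99"

# Print the app_version value from `mdatp health` output read on stdin.
mdatp_app_version() {
    awk -F':' '$1 ~ /^app_version[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2 }'
}

# Succeed (exit 0) when dotted version $1 >= $2, comparing up to three components
# numerically: a plain string compare would rank 101.9.1 above 101.12.99.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$1" | cut -d. -f"$i")
        b=$(printf '%s\n' "$2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Succeed when the health output in $1 shows an agent new enough for the preview.
preview_eligible() {
    ver=$(printf '%s\n' "$1" | mdatp_app_version)
    [ -n "$ver" ] && version_ge "$ver" "$MIN_VERSION"
}

# Constructed sample output for two hosts, standing in for a real `mdatp health` run.
SAMPLE_OK="healthy          : true
app_version      : 101.13.75
org_id           : REDACTED"
SAMPLE_OLD="healthy          : true
app_version      : 101.9.1
org_id           : REDACTED"

# Real use: `sh check.sh --check` queries the agent and decides on the spot.
if [ "${1:-}" = "--check" ]; then
    if preview_eligible "$(mdatp health)"; then
        echo "agent version ok; next: sudo mdatp edr early-preview enable"
    else
        echo "agent older than $MIN_VERSION; update before enabling the preview" >&2
        exit 1
    fi
fi
```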

Drovorub ☣️.. Warning

Schneider Electric published a security bulletin warning customers about the Drovorub Linux malware. The malware was analyzed in a joint alert published in August by the NSA and the FBI, which linked it to the Russian espionage group APT28.

Drovorub is a modular malware that includes the implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.

“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as “root”; and port forwarding of network traffic to other hosts on the network.”

Drovorub could allow state-sponsored hackers to carry out a broad range of activities, such as stealing files, establishing backdoor access, and remotely controlling the target’s computer. The malware implements a sophisticated evasion technique: it leverages advanced rootkit capabilities to remain under the radar.

The affected Schneider Electric products are Ethernet and serial data radios that provide long-range wireless data communications for SCADA and remote telemetry applications.

Drovorub targets systems running Linux kernel version 3.7 or lower, so updating to a kernel newer than 3.7 is a must. A defence-in-depth strategy should remain in place.

Mac and Linux Malware Are like Sweet Pancakes

Threat actors continuously updating their code with new threat vectors and obfuscation techniques is nothing new. A surge in malware targeting particular device groups reveals much about the shifting paradigm.

TeamTNT reinforces Black-T

TeamTNT is known to exfiltrate AWS credential files on compromised cloud systems and mine for Monero (XMR). 

  • Unit 42 researchers reported a new variant of the cryptojacking malware Black-T, the brainchild of the TeamTNT cybercrime group, which boosts its capabilities against Linux systems.
  • The added capabilities include memory password scraping via mimipy (works on Windows/Linux/OSX) and mimipenguin (Linux desktop), two open-source Mimikatz equivalents targeting *NIX desktops.

IPStorm prepares for thunder

The IPStorm botnet had targeted Windows systems until now. Its size has quadrupled from around 3,000 systems in May 2019 to more than 13,500 devices by the end of September.

  • IPStorm now has newer versions targeting Android, Linux, and Mac devices.
  • Linux and Mac devices are infected after the gang brute-forces their SSH services.
  • Android devices, however, are infected when the malware scans the internet for devices that have left their ADB (Android Debug Bridge) port exposed online.

FinSpy’s malware spin

A new surveillance campaign was reported targeting Egyptian civil society organizations.

  • FinSpy, also known as FinFisher, used new variants that target macOS and Linux users. The spyware already had tools for Windows, iOS, and Android users.
  • Besides keylogging, call interception, and screen recording, the malware’s additional capabilities include stealing emails by installing a malicious add-on to Apple Mail and Thunderbird, and collecting Wi-Fi network information.

Concluding phrase

Cybercriminals rolling out tools that target Linux and Mac devices put a dent in the widely held opinion that those operating systems are more secure than others and not susceptible to malicious code. Experts recommend checking network settings and avoiding unnecessary online applications to ensure safety. Other useful tips include configuring the firewall, filtering traffic, and protecting locally stored SSH keys used for network services.

Linux 🐧.. no more safe, windfall coming!

So far we have covered many threats and vulnerabilities related to Windows and little about Linux. That does not mean the latter OS is safer: it has started raining threats on Linux, and researchers predict the worst is still to come.

Linux users have been warned to up their security protection following new research which found the system could be facing a significant rise in cyber threats.

Researchers report a rise in the number of criminals targeting Linux, which is often thought to be safer and more secure than other operating systems.

Linux security

The trend in attacks is particularly worrying as more organisations choose Linux for strategically important servers and systems over Windows.

Researchers found Linux systems could potentially be at risk from advanced persistent threats (APTs) and targeted attacks from hackers that have created Linux-specific tools.

A dozen APT actors, including dangerous threat groups such as Lazarus, have been observed to use Linux malware or some Linux-based modules in recent years, diversifying their attacks across multiple operating systems in a bid to maximize returns.

The company notes that there is a myth that Linux, being a less popular operating system, is unlikely to be targeted by malware. However, this is often not the case, with smaller, more targeted attacks becoming the norm, especially in environments using multiple operating systems, where access to an infected device could allow hackers into endpoints running Windows or macOS.

Lazarus, which is reportedly based in North Korea, used Linux malware to carry out widespread attacks and attempts against multiple organisations in the US and Europe.

“Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. Cybersecurity experts need to take this trend into account and implement additional measures to protect their servers and workstations.”

Maintaining a list of trusted software sources, avoiding unencrypted update channels, and not running binaries and scripts from untrusted sources are some of the ways to escape both threats.