SentinelOne has disclosed two vulnerabilities in the anti-rootkit driver shipped with Avast and AVG antivirus software. The flaws are tracked as CVE-2022-26522 and CVE-2022-26523; full technical details are available in SentinelOne's blog post. A patch released in February, version 22.1, fixed the issue and was automatically applied to most users' Avast and AVG installations. SentinelOne advised users without automatic updates, including those running on-premises versions, to patch immediately.

Kasif Dekel, SentinelOne senior security researcher and author of the blog post, wrote that the vulnerabilities remained undiscovered for 10 years and can be exploited in multiple contexts. "Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation," he wrote. "For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities."

Antivirus vulnerabilities have the potential to be especially severe: the software usually needs access to all parts of a user's device and, as such, runs with higher privileges than most downloaded software, so a bug in it hands an attacker those privileges.

According to the timeline provided in the blog post, SentinelOne reported the flaws to Avast in December. Avast acknowledged the report in early January before informing SentinelOne in February that the flaw was fixed. However, SentinelOne's report said, "Avast has silently released security updates to address these vulnerabilities."

SearchSecurity asked Avast why it didn't publicly release a disclosure for customers that credited SentinelOne with the discovery of the vulnerabilities.

An Avast spokesperson sent the following statement to SearchSecurity:

"Both Sentinel One and Avast followed industry standard practices for responsible disclosure, which is a well-adopted process in the technology industry whereby vulnerabilities are first shared privately with the makers of the affected technology, allowing time for them to be fixed before they become known and potentially exploited. Avast published an update on February 8, which included the fix for this vulnerability along with other bug fixes," the statement said. "It is common practice among technology companies to fix vulnerabilities in their products without providing information which could lead to their exploitation. It is also common practice for research teams to publish the details of their findings as a way to achieve recognition for their findings and share their learnings with the wider threat community. By using responsible disclosure, users are protected while the wider industry can learn from the research conducted on those vulnerabilities to ensure they do not occur in other products."

The spokesperson included a link to an Avast forum post announcing version 22.1 in February. The post only mentions that a "Rootkit driver BSOD was fixed." It does not mention either CVE or the privilege escalation risk, nor does it credit SentinelOne for the discoveries.

SentinelOne's post followed a Monday report from Trend Micro that similarly covered Avast's anti-rootkit driver. Trend Micro researchers discovered that AvosLocker ransomware was abusing the driver in order to evade detection. According to Trend Micro, Avast confirmed that a vulnerability existed in an old version of the driver, which was fixed in June 2021.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

All you need to know about the newest Linux threat.

At the end of September 2014, a new threat for the Linux operating system dubbed XOR.DDoS, forming a botnet for distributed denial-of-service attacks, was reported by the MalwareMustDie! group. That post covered the initial intrusion over SSH, the static properties of the related Linux executables, and the encryption methods used. Later, we realized that the installation process is customized to the victim's Linux environment for the sake of running an additional rootkit component. In this blog post, we describe the installation steps, the rootkit itself, and the communication protocol used to receive attack commands.

The infection starts with an attempt to brute-force the SSH login credentials of the root user. If successful, the attackers gain access to the compromised machine and then install the Trojan, usually via a shell script.
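The initial-access step the page attributes to XOR.DDoS, a password brute-force against root over SSH followed by a successful login, leaves a very recognisable trail in the OpenSSH auth log. The following detector is an added example written for this page, not code from Avast, SentinelOne or the XOR.DDoS write-up: it parses Debian/Ubuntu-style sshd log lines, counts failed root password attempts per source address inside a sliding window, and flags an "Accepted" root login from an address that has just been brute-forcing as a likely compromise. The log lines, the 60-second window and the threshold of 5 failures are all constructed or assumed tuning values, not figures from the page.

```python
"""Flag SSH root brute-force bursts and a root login that follows one.

Added example for this page. SAMPLE_LOG is constructed to look like an
Ubuntu/Debian /var/log/auth.log; WINDOW_SECONDS and THRESHOLD are assumed
tuning values, not numbers taken from the XOR.DDoS analysis.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one address hammers root five times in a few seconds
# and then gets in; the remaining lines are benign or non-root noise.
SAMPLE_LOG = """\
Sep 29 03:14:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 29 03:14:03 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
Sep 29 03:14:04 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51041 ssh2
Sep 29 03:14:06 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51055 ssh2
Sep 29 03:14:08 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51060 ssh2
Sep 29 03:14:09 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 51066 ssh2
Sep 29 03:20:00 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Sep 29 03:20:05 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Sep 29 03:21:00 web1 sshd[2310]: Failed password for invalid user admin from 192.0.2.9 port 3333 ssh2
"""

# Matches both "Failed/Accepted <method> for <user>" and the
# "for invalid user <user>" variant sshd emits for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

WINDOW_SECONDS = 60  # assumed: failures inside this window count as one burst
THRESHOLD = 5        # assumed: this many failures in the window = brute force


def parse_line(line):
    """Return a dict (ts, result, method, user, ip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def analyse(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map each source IP that failed a root login to a small verdict dict.

    brute_force is set once `threshold` failed root logins from the same IP
    fall inside `window` seconds; root_login_after_burst is set when an
    Accepted root login from that IP arrives after the burst was flagged.
    Lines are assumed to be in chronological order, as in a log file.
    """
    recent = defaultdict(list)  # ip -> timestamps of recent failed root logins
    report = defaultdict(lambda: {"root_failures": 0,
                                  "brute_force": False,
                                  "root_login_after_burst": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] != "root":
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            report[ip]["root_failures"] += 1
            recent[ip].append(ts)
            # slide the window: keep only failures within `window` seconds of now
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window]
            if len(recent[ip]) >= threshold:
                report[ip]["brute_force"] = True
        elif ev["result"] == "Accepted" and report.get(ip, {}).get("brute_force"):
            # success right after a flagged burst: treat as probable compromise
            report[ip]["root_login_after_burst"] = True
    return dict(report)


if __name__ == "__main__":
    for ip, verdict in analyse(SAMPLE_LOG).items():
        print(ip, verdict)
```

Run against the constructed sample, the only address reported is 203.0.113.7, with five root failures, brute_force set and root_login_after_burst set; alice's single failure and the "invalid user admin" probe are ignored because the detector only tracks the root account, which is the account XOR.DDoS targets. The matching preventive control is to stop the attack class outright in sshd_config, `PermitRootLogin no` (or `prohibit-password` if root key logins are needed), rather than to rely on catching the burst after the fact.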