Aqua Security Blaming on "Linux" Stuff That Has Nothing to Do With Linux
-
New Linux Malware ‘Perfctl’ Targets Millions by Mimicking System Files [Ed: They're trying to blame "Linux" for things that have nothing to do with it]
New Linux malware ‘Perfctl’ is targeting millions worldwide, mimicking system files to evade detection. This sophisticated malware compromises Linux servers, exploiting vulnerabilities for cryptomining and system resource hijacking.
Cybersecurity researchers at Aqua Nautilus have discovered a new Linux malware that has targeted millions worldwide, exploiting over 20,000 misconfigurations. The malware has been lurking for some time, but recently attacked a Nautilus honeypot, providing an opportunity to detect and examine this threat that can put any Linux server at risk.
-
Bleeping Computer ☛ Linux malware “perfctl” behind years-long cryptomining campaign [Ed: Misidentifying the core issue; they focus on the OS, as if something existing on it is the fault of the kernel]
A Linux malware named "perfctl" has been targeting Linux servers and workstations for at least three years, remaining largely undetected through high levels of evasion and the use of rootkits.
-
Hacker News ☛ New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking [Ed: Blaming "Linux" for stuff like bad PHP or people setting up systems to allow access]
Misconfigured and vulnerable Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary aim of running a cryptocurrency miner and proxyjacking software.
-
TechTarget ☛ Cryptomining perfctl malware swarms Linux machines [Ed: But Linux isn't the culprit here; that's like blaming Windows for people installing malware on it, or for Adobe Photoshop having holes.]
Aqua Security researchers believe that perfctl malware has infected thousands of Linux machines in the last three to four years and that countless more could be next.
-
Dark Reading ☛ Near-'perfctl' Fileless Malware Targets Millions of Linux Servers [Ed: Misconfiguration, not "Linux"]
A multipurpose and mysterious malware dropper has been terrorizing Linux servers worldwide for years, infecting untold thousands of victims with cryptomining and proxyjacking malware. A fresh analysis has exposed its secrets — and a vast treasure trove of tens of thousands of exploit paths for compromising its targets.
An update
More of the same:
-
Security experts claim new 'Perfctl' malware could pose a risk to any GNU/Linux server
"Perfctl" malware targets any GNU/Linux server and serves as an extreme threat to all unsecured server operators.
More:
-
New Perfctl Malware targets Linux servers in cryptomining campaign
perfctl malware targets misconfigured Linux servers to deploy cryptocurrency miners and proxyjacking software in an ongoing campaign.
Microsoft reprinting these:
-
Linux systems are being hit by a wide-ranging and dangerous new malware
Called Perfctl, the malware was recently spotted by cybersecurity researchers from Aqua Security, who claim it has been around since at least 2021, and has so far infected thousands of Linux endpoints. There are two main ways threat actors deploy Perfctl - either by exploiting thousands of possible misconfigurations, or by abusing a 10/10 vulnerability discovered last year.
But the issue is not Linux, it's not new, and it's negligence:
-
Thousands of Linux systems infected by stealthy malware since 2021
The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.
Feels more like a marketing campaign for Aqua at this point:
-
New Perfctl Malware Attacking Millions of Linux Servers
A sophisticated and elusive malware known as “Perfctl,” has been discovered targeting millions of Linux servers worldwide.
Researchers at Aqua Nautilus have shed light on this malware, which has been actively exploiting over 20,000 types of misconfigurations in Linux servers over the past 3-4 years.
Just repeating the same talking points:
-
Linux Systems Vulnerable to perfctl Malware
Hackread reports that millions of Linux servers around the world have been subjected to intrusions with the newly discovered perfctl malware during the past few years.
Attacks commence with the targeting of vulnerable Apache RocketMQ servers with perfctl, which would then download the primary payload httpd for persistence and concealment before its execution to facilitate cryptocurrency mining and proxyjacking activities, according to an analysis from Aqua Nautilus.
It's not new at all and it's not the fault of Linux. It's actually very old and mostly due to misconfiguration.
Conde Nast:
-
Stealthy Malware Has Infected Thousands of Linux Systems for Years
Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:
Similar but not the same:
-
New Snapekit Rootkit Malware Targeting Arch Linux Users
Snapekit is a sophisticated and stealthy rootkit that was specifically engineered to target “Arch Linux” systems running version “6.10.2-arch1-1” on “x86_64 architecture.”
One last FUD piece, hopefully:
-
How ‘perfctl’ malware infected millions of Linux servers undetected for years
Security researchers warn that a malware campaign dubbed perfctl has infected millions of Linux servers over the past three to four years by attempting to exploit around 20,000 misconfigurations that expose credentials or insecure admin interfaces.
Equipped with a backdoor, perfctl gives attackers wide latitude in the actions they can commit. It seems to be primarily used for resource theft. Its main payloads include a Monero cryptocurrency miner and proxyjacking software that enables others to use a system’s bandwidth.
“We discovered numerous incident reports in community forums, all describing indicators of compromise linked to this malware,” researchers from Aqua Security wrote in their report on perfctl, whose name comes from its cryptominer process, which is what most impacted users noticed and reported on forums.
Still spreading this:
-
Stealthy ‘Perfctl’ Malware Infects Thousands of Linux Servers
Researchers at Aqua Security are raising the alarm for a newly discovered malware family targeting Linux systems to establish persistent access and hijack resources for cryptocurrency mining.
The malware, called perfctl, appears to exploit over 20,000 types of misconfigurations and known vulnerabilities, and has been active for more than three years.
Focused on evasion and persistence, Aqua Security discovered that perfctl uses a rootkit to hide itself on compromised systems, runs on the background as a service, is only active while the machine is idle, relies on a Unix socket and Tor for communication, creates a backdoor on the infected server, and attempts to escalate privileges.
The malware’s operators have been observed deploying additional tools for reconnaissance, deploying proxy-jacking software, and dropping a cryptocurrency miner.
-
How ‘perfctl’ malware infected Linux servers undetected for years
Security researchers warn that a malware campaign dubbed perfctl has targeted millions of Linux servers over the past three to four years by attempting to exploit around 20,000 misconfigurations that expose credentials or insecure admin interfaces.
Equipped with a backdoor, perfctl gives attackers wide latitude in the actions they can commit. It seems to be primarily used for resource theft. Its main payloads include a Monero cryptocurrency miner and proxyjacking software that enables others to use a system’s bandwidth.
-
Linux systems targeted with stealthy “Perfctl” cryptomining malware
Thousands of Linux systems are likely infected with the highly elusive and persistent “perfctl” (or “perfcc”) cryptomining malware and many others still could be at risk of getting compromised, Aqua Security researchers revealed last week.
“In all the attacks observed, the malware was used to run a cryptominer, and in some cases, we also detected the execution of proxy-jacking software,” they shared.
Also very late:
-
Thousands of GNU/Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
Microsoft-friendly site:
-
From Perfctl to InfoStealer, (Wed, Oct 9th)
I dropped the malware in my lab to see how it detonated. I infected the lab without root privileges and detected the same behavior except files were not written to some locations due to a lack of access (not root). When executing without root privileges, the rootkit feature is unavailable and the malware runs "disclosed".
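Added example (editor's code, not from Aqua Nautilus, SANS ISC or any outlet quoted above): two host-side checks that follow from the behaviour described in the SecurityWeek excerpt and from the ISC note just above, run here over constructed process data. The first flags processes by the names users reported on forums ("perfctl", "perfcc") and any "httpd" whose executable lives outside a packaged path; the list of legitimate httpd locations and the sample entries (/tmp/perfctl, /tmp/httpd, the PID numbers) are assumptions made for the demonstration. The second lists PIDs that are reachable under /proc but missing from ps output, which is what a userland rootkit hiding processes looks like from outside. Per the ISC observation, an infection that never got root has no rootkit, so the name check alone finds it; with root, the hidden-PID check is the one that matters, and a kernel-level rootkit can defeat both.

```shell
#!/bin/sh
# Added example, not code from Aqua Security or the quoted articles.
# Host-side hunt for the perfctl behaviour described above.

# Check 1: flag processes by name.  Input lines: "<pid> <comm> <exe-path>".
# "perfctl" and "perfcc" are the process names reported in the articles; the
# list of legitimate httpd locations is an ASSUMPTION for this demo.
flag_suspicious_procs() {
    while read -r pid comm exe; do
        case "$comm" in
            perfctl|perfcc)
                echo "$pid $comm $exe name-match" ;;
            httpd)
                case "$exe" in
                    /usr/sbin/*|/usr/bin/*|/usr/lib/*|/usr/libexec/*|/usr/local/*) ;;
                    *) echo "$pid $comm $exe unexpected-path" ;;
                esac ;;
        esac
    done
}

# Check 2: PIDs present in the first list but absent from the second.
# $1 = PIDs found by probing /proc/<n> directly, $2 = PIDs reported by ps.
# A userland rootkit that filters directory listings hides entries from ps
# (and from "ls /proc") but cannot stop a direct stat of /proc/<n>.
hidden_pids() {
    set -- "$1" " $(printf '%s ' $2)"
    for p in $1; do
        case "$2" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Live collectors for a real Linux host (not exercised by the demo below):
#   live_procs | flag_suspicious_procs
#   hidden_pids "$(probe_pids)" "$(ps -eo pid=)"
live_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        echo "$pid $comm $exe"
    done
}

probe_pids() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    i=1
    while [ "$i" -le "$max" ]; do
        [ -d "/proc/$i" ] && echo "$i"
        i=$((i + 1))
    done
}

# Constructed sample data (ASSUMPTION: PIDs and paths are illustrative only).
SAMPLE_PROCS='1 systemd /usr/lib/systemd/systemd
812 httpd /usr/sbin/httpd
2231 perfctl /tmp/perfctl
2290 httpd /tmp/httpd
3001 sshd /usr/sbin/sshd'
SAMPLE_PROBED='1 812 2231 2290 3001'
SAMPLE_PS='1 812 3001'   # ps output with two entries hidden by a rootkit

demo() {
    echo "== name/path check =="
    printf '%s\n' "$SAMPLE_PROCS" | flag_suspicious_procs
    echo "== hidden PIDs (direct probe vs ps) =="
    hidden_pids "$SAMPLE_PROBED" "$SAMPLE_PS"
}

demo
```

The direct-probe list deliberately avoids reading the /proc directory, because the usual userland hiding trick is a preloaded library that filters readdir results; probing /proc/N one by one sidesteps that filter. The name check is cheap and catches the unprivileged case the ISC diary describes, where nothing is hidden; neither check is evidence of absence against a kernel-module rootkit.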