Pelican Press, posted October 4, 2024 (reposted from Tom's Hardware)

Security experts claim new 'Perfctl' malware could pose a risk to any Linux server

On October 3, Aqua Nautilus researchers published a blog post revealing what they know about a Linux malware family dubbed "Perfctl" that has been targeting Linux servers for the past three to four years, using "more than 20,000 types of misconfigurations" as attack vectors to begin exploitation. Once a host is compromised, the malware uses a rootkit to conceal itself and then steals CPU resources for crypto mining. It hides its mining traffic, its command instructions and its surveillance activity inside Tor-encrypted traffic.

Perfctl is a severe and persistent threat, considering how long it has remained in the wild. A stealthy crypto miner would be bad enough, but Perfctl can also gain greater access to the entire system through certain vectors, which is an even bigger security issue. It is also difficult to detect the hijacked processes when diagnosing affected servers: the rootkit can hide the mining activity from you entirely, reporting CPU utilization numbers that omit its own consumption.

Fortunately, there are mitigations that server operators can take to reduce the threat posed by Perfctl.

Aqua Nautilus-Recommended Perfctl Malware Mitigations

Patch all potential vulnerabilities, in particular those in applications such as RocketMQ servers and the Polkit vulnerability, and keep libraries up to date.
Restrict file execution by setting "noexec" on /tmp, /dev/shm and the "other writable directories" that are being used to execute this malware.
Disable optional and unused services, in particular "those that may expose the system to external attackers, such as HTTP services".
Implement strict privilege management: restrict root access to critical files and directories, and use Role-Based Access Control (RBAC) to limit what users and processes can access or modify.
Segment the network, either by isolating critical servers from the Internet or by using firewalls to block outbound communications, "especially Tor traffic or connections to crypto mining pools".
Finally, deploy runtime protection using "advanced anti-malware and behavioral detection tools that can detect rootkits, crypto miners, and fileless malware like Perfctl".

Hopefully, server operators can avoid this malware, or clean it up where it is already present, now that the attack and its mitigations are so well documented. For more detail on how the attacks worked and what Aqua Nautilus learned by honeypotting and sandboxing them, see the full, several-page blog post documenting the issue on the Aqua Nautilus blog. Otherwise, if you aren't a Linux server operator, hope that your information isn't on any of the Linux servers already compromised by this malware, and make sure you're following proper cybersecurity practices in your day-to-day life.

Link: https://hopzone.eu/forums/topic/142347-security-experts-claim-new-%E2%80%98perfctl%E2%80%99-malware-could-pose-a-risk-to-any-linux-server/
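The "noexec" mitigation above only works where the directory is its own mount point carrying the noexec option; a plain /tmp directory on the root filesystem cannot be made noexec on its own. The following audit script is an added example (not code from the Tom's Hardware article or from the Aqua Nautilus report) that checks the directories the post names against a mount table in /proc/mounts format and says which ones are a mount point, which carry noexec, and which do not. /tmp and /dev/shm come from the post; /var/tmp is an assumption about which "other writable directories" an operator would also cover, and the remediation commands it prints are the standard remount and fstab forms, not anything the report prescribes. The sample mount table embedded in the script is constructed so the check runs offline; pass --live to read the real /proc/mounts.

```shell
#!/bin/sh
# Added example, not code from the Tom's Hardware article or the Aqua Nautilus
# report: audit that the writable directories named in the "noexec" mitigation
# are mount points carrying the noexec option. The mount table is passed in as
# text in /proc/mounts format so the check runs offline on a constructed sample;
# run with --live to read the real /proc/mounts instead.

# /tmp and /dev/shm are the directories the post names. /var/tmp is an
# assumption about which "other writable directories" an operator would cover.
WRITABLE_DIRS="/tmp /dev/shm /var/tmp"

# noexec_status MOUNTS_TEXT
# Prints one line per directory:
#   "<dir> ok"                 mounted with noexec
#   "<dir> MISSING-noexec"     a mount point, but binaries can run from it
#   "<dir> not-a-mountpoint"   lives on a parent filesystem, so noexec cannot
#                              be applied to it without making it its own mount
# Returns 0 only when every directory is a noexec mount point, 1 otherwise.
noexec_status() {
    mounts=$1
    rc=0
    for d in $WRITABLE_DIRS; do
        # /proc/mounts fields: device mountpoint fstype options dump pass.
        # A path can be mounted over more than once; the last entry is the
        # one currently visible, so keep the last match.
        opts=$(printf '%s\n' "$mounts" | awk -v mp="$d" '$2 == mp { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            echo "$d not-a-mountpoint"
            rc=1
        elif printf '%s' ",$opts," | grep -q ',noexec,'; then
            echo "$d ok"
        else
            echo "$d MISSING-noexec"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mount table: /tmp is hardened, /dev/shm is a mount point
# without noexec, and /var/tmp is just a directory on the root filesystem.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Remediation hints printed when a check fails (assumed, standard forms).
# The remount takes effect immediately; the fstab line survives a reboot.
remediation_hint() {
    echo "remediate: mount -o remount,nosuid,nodev,noexec /dev/shm"
    echo "persist:   tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0  (in /etc/fstab)"
}

if [ "${1:-}" = "--live" ]; then
    noexec_status "$(cat /proc/mounts)" || remediation_hint
else
    noexec_status "$SAMPLE_MOUNTS" || remediation_hint
fi
```

Two caveats a practitioner should keep in mind: noexec blocks direct execution of a file, but an interpreter invoked as `sh /tmp/dropper` can still read and run a script there, so this is a hurdle for a dropper rather than a guarantee; and some package installers and build tools expect to execute from /tmp, so test the change before applying it fleet-wide.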