The reporting this week focuses on further campaigns targeting Linux systems, which have become a more attractive target for threat actors with the increase in remote working. Our examples also show that these operations have differing objectives. The Panchan botnet has targeted Linux systems in order to mine cryptocurrency, harvesting SSH credentials so that the botnet can infect other devices within the compromised network. We have also seen variants of the Hello XD ransomware strain target Linux and deploy a backdoor that facilitates remote access to the infected device. Operators of this ransomware strain are known to engage in double extortion, a tactic that involves the theft of data and a threat to leak it online, in addition to the encryption, as a means of forcing the victim to pay a ransom.

Recently, we observed a sophisticated Linux malware targeting financial sector companies based in Latin America. The malware includes defence evasion techniques that highlight its complexity, and this stealthy behaviour points to espionage as its primary purpose for compromising these Linux systems. We assess that the increase in companies using Linux-based systems to host business-critical services has led to a greater number of misconfigured or poorly managed systems that are being exploited by capable threat actors.

Key Vulnerabilities

  1. CVE-2022-27511
    This vulnerability in Citrix Application Delivery Management (ADM) software (CVSS: 8.1 | OVSS: 49) could allow a remote unauthenticated user to corrupt the system and trigger an administrator password reset at the next reboot. Additionally, threat actors with SSH access could connect with default administrator credentials once the device has rebooted.
  2. CVE-2022-27512
    This vulnerability in Citrix ADM software (CVSS: 5.3 | OVSS: 39) causes temporary disruption to the ADM license service, which includes preventing new licenses from being issued or existing licenses from being renewed.
  3. CVE-2022-32158
    A vulnerability (CVSS: 9.0 | OVSS: 24) in Splunk Enterprise deployment servers in versions prior to 9.0 could allow a threat actor who has compromised a Universal Forwarder endpoint to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.

Key Intelligence Reports

  1. Chinese espionage unit GALLIUM targets multiple sectors with new PingPull RAT.
  2. Panchan botnet targets Linux servers for cryptocurrency mining.
  3. Hello XD ransomware installs MicroBackdoor on Windows and Linux systems.

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny.

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding additional context on the likely threat to and impact of CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerabilities Scoring System) score.

The Orpheus Vulnerability Severity Score (OVSS)