Thousands!? Shit. That’s like all of them!
Shouldn’t be this hard to find out the attack vector.
Buried deep, deep in their writeup:
RocketMQ servers
- CVE-2021-4043 (Polkit)
- CVE-2023-33246
I’m sure if you’re running other insecure, public facing web servers with bad configs, the actor could exploit that too, but they didn’t provide any evidence of this happening in the wild (no threat group TTPs for initial access), so pure FUD to try to sell their security product.
Unfortunately, Ars mostly just restated verbatim what was provided by the security vendor Aqua Nautilus.
There’s also a buried reference to using a several-years-patched gpac bug to gain root access before this thing can do most of its stealth stuff.
Basically, it needs your system to already have a known, unpatched RCE bug before it can get a foothold, and if you’ve got one of those you have problems that go way beyond stealth crypto miners stealing electricity.
This story reeks of FUD.
exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets,
Because a “common misconfiguration” will absolutely make your system vulnerable!?!
OK show just ONE!
This is FUD to either prevent people from using Linux, or simply a hoax to get attention, or maybe to make you think you need additional security software.
Unfortunately they are already in the market and making a mess: https://www.theregister.com/2024/07/21/crowdstrike_linux_crashes_restoration_tools/
Can’t be infected if I keep wiping my partition for a new shiny distro
Your install USB is infected by a rookit and reinstalls itself on connect.
Seeing the diagram, it only attacks servers with misconfigured rocketMQ or CVE-2023-33426, which is already patched. Am I understanding this correctly?