• Destide@feddit.uk
    link
    fedilink
    English
    arrow-up
    71
    arrow-down
    1
    ·
    3 months ago

    Can’t be infected if I keep wiping my partition for a new shiny distro

  • CyberSeeker@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    68
    arrow-down
    1
    ·
    3 months ago

    Shouldn’t be this hard to find out the attack vector.

    Buried deep, deep in their writeup:

    RocketMQ servers

    • CVE-2021-4043 (Polkit)
    • CVE-2023-33246

    I’m sure if you’re running other insecure, public facing web servers with bad configs, the actor could exploit that too, but they didn’t provide any evidence of this happening in the wild (no threat group TTPs for initial access), so pure FUD to try to sell their security product.

    Unfortunately, Ars mostly just restated verbatim what was provided by the security vendor Aqua Nautilus.

  • Buffalox@lemmy.world
    link
    fedilink
    English
    arrow-up
    66
    arrow-down
    3
    ·
    edit-2
    3 months ago

    This story reeks of FUD.

    exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets,

    Because a “common misconfiguration” will absolutely make your system vulnerable!?!
    OK show just ONE!

    This is FUD to either prevent people from using Linux, or simply a hoax to get attention, or maybe to make you think you need additional security software.

  • luciddaemon@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    31
    ·
    3 months ago

    Seeing the diagram, it only attacks servers with misconfigured rocketMQ or CVE-2023-33426, which is already patched. Am I understanding this correctly?

    • cron@feddit.org
      link
      fedilink
      English
      arrow-up
      8
      ·
      3 months ago

      It probably has a large database of exploits it can use. The article claims 20k, but this seems to high for me.

  • li10@feddit.uk
    link
    fedilink
    English
    arrow-up
    13
    ·
    3 months ago

    Sounds like it should at least be noticeable if you monitor resource usage?

      • li10@feddit.uk
        link
        fedilink
        English
        arrow-up
        9
        ·
        3 months ago

        Sure, but it’s still fairly detectable when it’s on a server at least, as long as you have monitoring. Just a bitch to pinpoint and fix.

    • cron@feddit.org
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      3 months ago

      Yes, but they replace common tools like top or lsof with manipulated versions. This might at least trick less experienced sysadmins.

      Edit: Some found out about the vulnerability by ressource alerts. Probably very easy in a virtualized environment. The malware can’t fool the hypervisor ;)

      • li10@feddit.uk
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        3 months ago

        Not quite the monitoring I’m talking about though.

        Basically, it seems like this would be a nightmare for a home user to detect, but a company is probably gonna pick up on this quite quickly with snmp monitoring (unless it somehow does something to that).

    • linearchaos@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      3 months ago

      Vulnerable to 20,000 misconfigurations, But thearted by 42 billion different simple checks that we all do anyway.

      5 minute load greater than 80% of the number of cores? That’s an alarm…

  • sunbeam60@lemmy.one
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    3 months ago

    Luckily I sit right next to my home server and can hear when the fans kick in under load. The absence of noise tells me I don’t have this problem :)

    • misk@sopuli.xyzOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      Mine is ultra low voltage and I barely maintain it so this article gave me a bit of a scare. I’ll probably wipe it by the next reinstall anyway since it’s been nearly 10 years of Ubuntu LTS upgrades and it’s a mess (both what I’ve done to it and what Ubuntu has done to itself).