New Linux Rootkit Avoids Detection: Cyber Security Today for Monday, December 16th, 2024

Dec 16, 2024 (7 min)

Episode description

PumaKit Linux Rootkit, Windows Defender Flaw, and Android Malware Outbreak!

In today's episode of Cybersecurity Today, host Jim Love delves into the discovery of the advanced Linux rootkit PumaKit, critical vulnerabilities in Microsoft's Windows Defender, a new multi-platform malware campaign downgrading browser security, and Germany's recent outbreak of pre-installed malware on 30,000 Android devices. We discuss the implications of these cybersecurity threats and the measures being taken to mitigate them. Stay informed and vigilant with our detailed analysis of these emerging cyber risks.

00:00 Introduction to Cybersecurity News
00:27 Advanced Linux Rootkit: PumaKit
01:59 Critical Windows Defender Vulnerability
03:42 Malware Downgrades Browser Security
05:08 Pre-installed Malware on Android Devices in Germany
07:02 Conclusion and Final Thoughts

Transcript

A new Linux rootkit, PumaKit, uses advanced stealth techniques to avoid detection. Microsoft confirms critical Windows Defender vulnerabilities, new Android and Windows malware downgrades browser security, and 30,000 Android devices in Germany were found with pre-installed malware. This is Cybersecurity Today. I'm your host, Jim Love. A newly discovered Linux rootkit named PumaKit is raising alarms for its advanced stealth capabilities.

Cybersecurity researchers at Elastic Security Labs describe it as a loadable kernel module (LKM) rootkit with sophisticated methods to escalate privileges, hide files, and evade detection by system tools. Elastic noted that every stage of PumaKit's infection chain is designed to hide its presence. It leverages memory-resident files, leaving little forensic evidence, and performs specific checks, like Secure Boot validation, before unleashing the rootkit.

This meticulous approach ensures it activates only under precise conditions. Key to its design is a multi-stage architecture. The attack begins with a dropper disguised as the Linux cron binary, deploying two memory-resident executables and the LKM rootkit, puma.ko. Another component, a userland rootkit named Kitsune, helps maintain persistence. It also manipulates the internal Linux system calls, a technique known as syscall hooking, to alter system behavior and escalate privileges.

While Elastic Security Labs found the malware through uploads on VirusTotal, they haven't attributed it yet to any known threat actor. The researchers stress that PumaKit's multi-architectural design and stealth techniques demonstrate the growing sophistication of Linux-targeted threats. Microsoft has confirmed a critical vulnerability in Windows Defender, tracked as CVE-2024-49071, which could have allowed attackers to access sensitive information through a global file search index.

The flaw arose from improper authorization controls on the search index, potentially enabling an attacker to disclose file contents across a network. According to the Debricked vulnerability database, the exploit required some degree of access to Windows Defender and had a low attack complexity. However, there have been no known cases of the vulnerability being exploited. Microsoft addressed this issue server-side, stating that no user action is required.

This approach aligns with the company's recent transparency policy to disclose critical cloud service vulnerabilities, even when they are resolved without requiring customer intervention. Interestingly, we recently covered a story about legislation in the U.S. designed to speed up vulnerability disclosures, but instead of improving transparency, it's had the unintended effect of making some companies less informative.

One notable exception is Microsoft, which seems to be setting a gold standard for disclosure and transparency: fixing a flaw quietly while still making a complete and public disclosure is another excellent example of its proactive approach. And while the vulnerability highlights the risks associated with automated indexing systems, Microsoft's proactive response and transparency reinforce the importance of quickly addressing and openly communicating about security flaws.

A newly discovered malware campaign is targeting Android and Windows devices by using a novel tactic: downgrading web browsers to older, vulnerable versions. Trend Micro researchers recently revealed that a group called Earth Minotaur is behind this attack, which combines the Moonshine exploit kit with the DarkNimbus backdoor. The Moonshine exploit kit specifically targets vulnerabilities in Android instant messaging apps, while the DarkNimbus backdoor has variants for both Android and Windows.

What makes this campaign particularly alarming is its downgrading tactic. If the malware detects that your browser is protected against its exploits, it attempts to roll back the browser to an unpatched version and then execute the attack. Trend Micro's analysis uncovered at least 55 servers supporting this operation, with a primary focus on the Tibetan and Uyghur communities. However, researchers warn this campaign could expand to a broader demographic.

The attack's reliance on checking browser vulnerability status before deploying its malicious payload makes it both targeted and efficient. This approach highlights the need for constant vigilance in keeping browsers and other security software up to date. It also underscores the importance of layered security as attackers increasingly find ways to bypass traditional defenses.

Germany's Federal Office for Information Security, the BSI, has uncovered a malware outbreak affecting 30,000 Android devices. The malware, known as BadBox, was pre-installed on devices such as digital picture frames and media players before purchase. These products run outdated versions of Android, leaving them very vulnerable. BadBox embeds itself in the device firmware and can turn affected devices into proxies for launching cyber attacks.

It can also download additional malware to commit click fraud by accessing websites and ads in the background. To counter this, BSI has implemented a sinkholing measure, redirecting traffic from infected devices to government-controlled servers to prevent communication with hacker command centers. BSI has assured users there's no immediate danger as long as the sinkholing remains active, but it urges affected users to disconnect devices from the internet.

Telecommunications providers are notifying users based on IP addresses linked to the malware. Google responded to this issue, clarifying that the infected devices were not Play Protect certified. Play Protect certified devices undergo rigorous testing to ensure security and compatibility. Consumers are encouraged to verify a device's certification on Google's Android TV website or through device settings.

This incident serves as a reminder to exercise caution when purchasing electronics from lesser-known brands. Ensuring devices have up-to-date operating systems and robust manufacturer support is key to avoiding such risks. And even in the corporate setting, I'm reminded of the enormous number of fake Cisco devices that have been sold to enterprises. We need to be very cautious about what we buy and from whom. And that's our show for today. You can find links in our show notes at technewsday.com or technewsday.ca. Take your pick. You can reach me with comments, questions, or tips at editorial at technewsday.ca. I'm your host, Jim Love. Thanks for listening.

Transcript source: provided by the creator in the RSS feed.