This post covers how Chinese state-linked malware has been exploiting vulnerabilities in the major operating systems, Windows, Linux and Android, for roughly eight years.
Have you ever heard of cyber espionage? Most of us have seen a few spy movies, but this post is about real findings that go well beyond anything those films show.
The news spread across the internet like wildfire while researchers and industry leaders looked for ways to detect and contain such campaigns in future.
I will also give my take on the security implications of using Linux or Windows, but first let me walk through the research published by the BlackBerry Research and Intelligence Team.
According to the BlackBerry report, five cyber-espionage groups have been attacking Linux environments, including CentOS, Red Hat Enterprise Linux and Ubuntu.
It is worth noting that Linux is the backend infrastructure behind companies such as Google, Yahoo and Amazon, and that it runs the world's top supercomputers. Besides that, the same Chinese cyber-espionage groups were also attacking Windows and Android systems.
All five groups are believed to be civilian contractors working on behalf of the Chinese government.
The five groups pursue different objectives, yet they share tools and techniques, coordinate with each other, and are all connected to the original Chinese APT group known as WINNTI.
The Need For Linux VPN
The BlackBerry report also notes that Linux holds a major share of the world's data: many large data centers run on it, and it runs the world's main stock exchanges. The aim of the Chinese attackers was solely to monitor these systems and steal intellectual property.
Linux is an attractive target for attackers, but not because it is free and open source: anyone can study and run it, and that helps defenders as much as attackers. It is attractive because it runs the servers that hold the valuable data, and because those servers are often patched less promptly and watched less closely than user desktops. Using a Linux VPN on its own is no assurance against this kind of intrusion.
Anyway, let's get back to the report. BlackBerry's research also found that these groups had been stealing data from Linux systems for almost eight years.
According to the researchers, the groups used a Linux malware toolset consisting of kernel-level rootkits and three backdoors.
The researchers also confirmed that an active toolkit was planted on March 12, 2012. One major reason it stayed under the radar for so long is that Linux is not a user-facing technology: security vendors concentrated on user endpoints and paid little attention to Linux servers, so the attackers could quietly spy on enterprises' sensitive data for years without anyone noticing.
The researchers believe this previously undocumented toolkit could be connected to some of the largest Linux botnets and may have infected a large number of organizations, and that individual infections can persist for a very long time.
The attackers were methodical. They found unpatched servers and installed persistent malware on the network, which gave them access to data and private information and left them a backdoor they could return to whenever they wanted, without damaging the servers.
Because they never damaged the servers, they remained undetected for a long time. The Chinese hackers never deployed ransomware or encrypted anything, so nobody had reason to suspect an intrusion; had they done so, they would surely have been caught. Instead it was a clever, quiet and sophisticated operation.
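A kernel-level rootkit that hides its own module is exactly what makes a quiet, long-running intrusion like the one described above hard to spot with lsmod alone. The script below is an added example, not code from the BlackBerry report or from this article, showing one generic heuristic: a loaded module normally appears both in /proc/modules (which lsmod reads) and as a directory under /sys/module containing an initstate file, and a module that has unlinked itself from the kernel's module list disappears from the former but often leaves the sysfs directory behind. The snapshot it runs against is constructed for the demo; whether any specific rootkit in the report behaves this way is not something the page states.

```shell
#!/bin/sh
# Added example, not code from the BlackBerry report or the article: a generic
# hunt for a loaded kernel module that hides itself from lsmod by comparing
# /sys/module against /proc/modules. Both paths are parameters so the same
# function can run against the live kernel or a copied/constructed snapshot.

hidden_modules() {
  proc_modules="${1:-/proc/modules}"
  sys_module_dir="${2:-/sys/module}"
  for dir in "$sys_module_dir"/*/; do
    [ -d "$dir" ] || continue
    name=$(basename "$dir")
    # Compiled-in kernel code can also own a /sys/module directory (for its
    # parameters) but never has 'initstate'; only loadable modules do.
    [ -f "$dir/initstate" ] || continue
    # The module name is the first whitespace-separated field of /proc/modules.
    if ! awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$proc_modules"; then
      echo "$name"
    fi
  done
}

# Constructed snapshot (not taken from any real host) showing the mismatch:
# ext4 is listed in both places, 'printk' is built-in (no initstate), and
# 'hidden_rk' has a sysfs entry but is missing from the module list.
demo_hidden_modules() {
  snap=$(mktemp -d)
  mkdir -p "$snap/sys/ext4" "$snap/sys/hidden_rk" "$snap/sys/printk"
  touch "$snap/sys/ext4/initstate" "$snap/sys/hidden_rk/initstate"
  printf 'ext4 786432 1 - Live 0xffffffffc0400000\n' > "$snap/proc_modules"
  hidden_modules "$snap/proc_modules" "$snap/sys"
  rm -rf "$snap"
}

if [ "${1:-}" = "--live" ]; then
  hidden_modules          # check the running kernel
else
  demo_hidden_modules     # prints: hidden_rk
fi
```

Run it with --live on a server to check the running kernel. A hit is a lead, not proof: a module could also be mid-unload, and a rootkit that removes its sysfs kobject as well will pass this check, so treat it as one signal alongside file-integrity monitoring and comparing the host's view of its processes and sockets with what is visible from the network.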
However, the attackers failed to wipe all the evidence, and the research team was eventually able to expose the hackers' links to the Chinese government.
Subcontractors, like these Chinese APT groups, tend to leak information while deploying their tools. Operational security gaps of this kind are what ultimately lead to disclosure.
Who Is A Target For Chinese Malware?
As mentioned above, Chinese malware is targeting Linux, Android and Windows. One example is the "Golang" malware, so called because it is written in the Go language, which particularly targets application servers, non-HTTPS services and web application frameworks. It does not target end users.
When this malware compromises a machine, it downloads the payload files built for that platform. On Windows, it also leaves behind a backdoor user account.
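A planted account is one of the easier persistence artefacts to audit for, and the check generalizes beyond Windows. The script below is an added example, not code from this article or from any analysis of the Golang malware, showing the Linux counterpart: it reads a passwd(5)-format file and flags any UID 0 account other than root and any account in the system-account UID range that has an interactive login shell. The sample file it runs against is constructed for the demo, and the 1000 threshold is an assumption that matches most current distributions.

```shell
#!/bin/sh
# Added example, not from the article or the malware report: flag accounts in a
# passwd(5)-format file that look like planted backdoors. The file path is a
# parameter so the check can run against the live /etc/passwd or a copy.

suspicious_accounts() {
  passwd_file="${1:-/etc/passwd}"
  awk -F: '
    # Shells that never give an interactive session are not interesting.
    $7 ~ /\/(nologin|false|sync|halt|shutdown)$/ { next }
    $1 == "root" { next }
    $3 == 0 { print $1 ": extra UID-0 account with shell " $7; next }
    # Assumed threshold: UIDs below 1000 are system accounts on most distros.
    $3 < 1000 { print $1 ": system-range UID " $3 " with login shell " $7 }
  ' "$passwd_file"
}

# Constructed passwd(5) content, not copied from any real host: two legitimate
# system accounts, one normal user, a second UID-0 account and a low-UID
# service account that has been given a shell.
demo_suspicious_accounts() {
  sample=$(mktemp)
  cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
svc_backup:x:999:999::/var/lib/backup:/bin/sh
EOF
  suspicious_accounts "$sample"
  rm -f "$sample"
}

if [ "${1:-}" = "--live" ]; then
  suspicious_accounts       # audit the running host
else
  demo_suspicious_accounts  # prints the toor and svc_backup lines
fi
```

On a Windows host the equivalent starting point is comparing the output of `net user` (or `Get-LocalUser` in PowerShell) and the local Administrators group against a known baseline. In both cases the point is the comparison against a baseline: a single run only tells you what exists, not what was added.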
Because the Golang malware keeps spreading and constantly scans for new vulnerable machines, it is raising the bar for organizations around the world.
Companies need to pay more attention to their cybersecurity. A properly configured web application firewall helps defend exposed machines from "Golang" or similar malware, but it is no substitute for patching the application servers and frameworks the malware scans for.
Is There Another Possible Way Around?
For a general user, the usual practice is to rely on security tools such as a Windows or Linux VPN, a firewall and antivirus software. For operating systems and servers, the best approach is to keep them updated and patch vulnerabilities promptly: an attacker cannot exploit a known vulnerability that has already been fixed on the system.
Moreover, no single platform or product can stop cyber attacks or surveillance on its own. Security must be approached from every direction: every server and network needs to be monitored, and Windows, Android, Linux and the other platforms must be treated with equal concern if malware toolkits like these are to be defeated.