Malware is a collective term for any software created to cause disruption in a computer or network. Linux has an enviable reputation when it comes to protecting against malware and viruses. However, hacking communities strive to create malware to extort data, steal private information, or gain unauthorized access to Linux systems.

In recent months hackers have been making headway in compromising the Linux operating system when specific conditions are met. OrBit is the fourth variant of offensive malware discovered in the last 12 months, the others being BPFDoor, Symbiote, and Syslogk.

As hackers have increased their activity targeting Linux, OrBit appears to be the next step in compromising a popular operating system used extensively in the data center and the cloud. A compromised Linux server can provide remote SSH access to the server and even harvest credentials via a key logger. In addition, all TTY commands typed into the console are logged.

How Does OrBit Infect?

OrBit is serious malware posing a significant risk to anyone who operates a Linux workload. The good news is that OrBit’s infecting a server requires root credentials to activate the malware. This makes it much harder to deliver the payload, especially for security-conscious businesses with SELinux enabled.

The attack vectors involve brute force root password attacks against the target Linux server. This is achieved via social engineering, phishing, or perhaps rogue employees. Root access is essential to get the elevated permissions required to deliver the malware payload.

OrBit malware uses two different methods to load a malicious library into memory:

  1. By adding a shared object to the configuration file used by the loader.
  2. By patching the binary of the loader, so it loads a malicious shared object.

This unique approach essentially makes the malware impossible to detect. It uses symlinks to fundamental processes and hides in plain sight. According to Intezer, the organization that discovered OrBit, the malware is impossible to see using standard monitoring, and 0 out of 60 antivirus products tested could recognize the malware payload.

Hiding in Plain Sight

The OrBit malware functions in a way that hides the payload in plain sight. It’s almost invisible to the operating system. Data is saved in small hidden files and sent out masked as DNS A records to a command and control server located somewhere on the Internet.

The malware logs all keystrokes on the server and duplicates this data to the C&C, essentially publishing root access to the hacker. The malware is clever. Nearly all output related to the malware is redacted. Any malicious output is masked and will never get outputted to log files, so the Linux Kernel doesn’t know it exists.

How to Protect Against OrBit

Preparation is the best defense against OrBit malware, and introducing security controls for important cloud assets is essential in today’s security-conscious workplace. Unfortunately, not all employees are seasoned security professionals, and the basic security principles and concepts must be taught and practiced throughout the business.

The Threat Actors are cybercriminals, hackers, hacktivists, insiders, and occasionally state-sponsored actors who target businesses and government institutions for personal gain. Most actions are financially motivated, while some want to vandalize or disrupt the industry. State-sponsored threat actors want to steal intellectual property and secrets or disrupt major enterprise businesses for political gain.

Industry best practice is to disable the root account and only have sudo root access to specific power users. Additionally, it is best practice to have very complex root passwords if you have to use root. A secure password must be a non-dictionary word that uses letters, numbers, symbols, and special characters.

Consider splitting their permissions for different tasks and specific use cases for cloud administrators or privileged users. For example, perhaps assign read-only roles for everyday tasks such as reviewing logs and inspecting infrastructure, reserving power user or administrator privileges for significant changes such as building infrastructure as code.

Additionally, implementing a defense-in-depth strategy when it comes to cybersecurity – that is, a strategy that recognizes that security control can fail. With a defense-in-depth strategy, you create multiple layers of security to ‘catch all’ threats. This layered approach helps to minimize the risk of a security breach and create boundaries of trust that protect the environment even if other components are compromised.

Choose a Security Conscious Hosting Provider

If your business is concerned about cybersecurity, please contact Atlantic.Net. We are specialists in Managed Services, Dedicated Hosting, Cloud Hosting, and HIPAA compliance. Security of our infrastructure is paramount, and we work hard to ensure we have the best security processes in place.

Get in touch today.