Episode 183

Posted on Friday, Dec 2, 2022
This week we look at a recent report from Elastic Security Labs on the global Linux threat landscape, plus we look at a few of the security vulnerabilities patched by the team in the past 7 days.

Show Notes

This week in Ubuntu Security Updates

81 unique CVEs addressed

[USN-5638-3] Expat vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5739-1] MariaDB vulnerabilities

[USN-5740-1] X.Org X Server vulnerabilities

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5736-1] ImageMagick vulnerabilities

[USN-5741-1] Exim vulnerability

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5742-1] JBIG-KIT vulnerability

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5743-1] LibTIFF vulnerability

[USN-5744-1] libICE vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

[USN-5745-1, USN-5745-2] shadow vulnerability & regression

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Upstream introduced a change to the file-system handling in useradd that requires a newer glibc - this broke on older Ubuntu releases, so that part of the update has been reverted for now on those releases - it is still in place on Ubuntu 22.04 LTS / 22.10

[USN-5689-2] Perl vulnerability

[USN-5746-1] HarfBuzz vulnerability

[USN-5747-1] Bind vulnerabilities

[USN-5748-1] Sysstat vulnerability

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5728-3] Linux kernel (GCP) vulnerabilities

[USN-5749-1] libsamplerate vulnerability

[USN-5750-1] GnuTLS vulnerability

[USN-5718-2] pixman vulnerability

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

Goings on in Ubuntu Security Community

A look at Elastic Security Labs Global Threat Report

  • https://www.elastic.co/pdf/elastic-global-threat-report-vol-1-2022.pdf
  • Summarises the findings from Elastic's telemetry, which incorporates data from their various products such as Endgame, Endpoint and their Security solution.
  • 54% of malware on Windows, 39% on Linux, 6% on MacOS
  • Of those, top 10 are:
    • Meterpreter, Gafgyt, Mirai, Camelot, Generic, Dofloo, BPFDoor, Ransomexx, Neshta, Getshell
    • Of these 80% are trojan-based, 11% are cryptominers, 4% ransomware
      • Trojans commonly used to deploy stager and dropper binaries as part of wider intrusion effort
      • Cryptominers generally mining Monero - mostly composed of XMRig family
  • Also covers details on Windows and MacOS - interestingly Windows still has lots of CobaltStrike, Metasploit and Mimikatz, which are all ostensibly red-team tools - they also see lots of keyloggers as well as credential stealers (targeting crypto wallets)
  • Mapped behaviour against MITRE ATT&CK - 34% doing defense evasion, 22% execution, 10% credential access, 8% persistence, 7% command and control (C2), 6% privesc and 4% initial access
    • Of this, masquerading (as another legitimate process) and system binary proxy execution (using existing system binaries to perform malicious actions) account for 72% of defense evasion techniques
  • Then dive into more detail on execution techniques (mostly native command and scripting interpreters - think PowerShell, Windows Script Host etc) and abusing Windows Management Instrumentation (WMI) - but won’t go too much into this here as this is the Ubuntu Security Podcast, not Windows ;)
  • Also covers metrics from the various public clouds - AWS had 57% of detections whilst GCP and Azure each had ~22% - why does AWS have so much more? Market share is the obvious factor: AWS has at least a third of the global cloud market whilst Azure has 20% and GCP only 11%
    • Also perhaps AWS users prefer to use Elastic?
  • Activities they see most in the clouds are Credential Access, Persistence, Defense Evasion, Initial Access
  • 58% of initial access attempts use brute-force combined with password spraying
  • Report then breaks down each cloud to look at the activities mostly performed in each
    • AWS - access token stealing is top; Azure showed a large usage of valid account access to then attempt to retrieve other access tokens or do phishing; whilst for Google, service account abuse was top
    • Perhaps this is more indicative of what each cloud is used for - i.e. AWS is general purpose, whilst Azure is AD and managed services, and Google is service workers
  • Finally, the report does a deep dive on 4 different threat samples and then has forecasts and recommendations based on those
    • Of these, most are Windows specific, but one does predict that Linux VMs used for backend DevOps in cloud environments will be an increased target
    • This is not really surprising nor novel - most OSS devs would likely expect this threat given the nature of modern CI/CD pipelines and the follow-up threat to code integrity / supply chain security etc (i.e. if an attacker can compromise these machines they can then tamper with source code / build artefacts etc)
  • As always, this requires organisations to have a good security posture and practice good security hygiene - configure for least privilege, audit what you have, deploy defense-in-depth solutions, and do monitoring and logging to help detect incidents, backed by a good incident response process etc
    • simple things too - deploy MFA, install security updates etc
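As an added illustration of the logging-and-monitoring point above (this is not code from the episode or from the Elastic report): a small Python check that groups sshd "Failed password" lines by source address and separates the two initial-access patterns the report highlights, brute force against one account versus password spraying across many. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log lines (documentation-range addresses, not a real host)
SAMPLE_LOG = """\
Dec  2 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Dec  2 10:00:02 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Dec  2 10:00:03 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Dec  2 10:00:04 host sshd[1004]: Failed password for ubuntu from 203.0.113.5 port 40004 ssh2
Dec  2 10:00:05 host sshd[1005]: Failed password for invalid user git from 203.0.113.5 port 40005 ssh2
Dec  2 10:00:06 host sshd[1006]: Failed password for root from 198.51.100.7 port 50001 ssh2
Dec  2 10:00:07 host sshd[1007]: Failed password for root from 198.51.100.7 port 50002 ssh2
Dec  2 10:00:08 host sshd[1008]: Failed password for root from 198.51.100.7 port 50003 ssh2
Dec  2 10:00:09 host sshd[1009]: Failed password for root from 198.51.100.7 port 50004 ssh2
Dec  2 10:00:10 host sshd[1010]: Failed password for root from 198.51.100.7 port 50005 ssh2
Dec  2 10:00:11 host sshd[1011]: Accepted publickey for alice from 192.0.2.9 port 60001 ssh2
Dec  2 10:00:12 host sshd[1012]: Failed password for alice from 192.0.2.9 port 60002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>"
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def classify_sources(log_text, min_attempts=5, spray_users=3):
    """Return {source_ip: (label, failed_attempts, distinct_users)}.

    label is "password-spray" (many accounts from one source), "brute-force"
    (many failures against one or a few accounts) or "benign" (below threshold).
    Thresholds are illustrative assumptions, not values from the report.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip].append(user)
    verdicts = {}
    for ip, users in per_ip.items():
        attempts, distinct = len(users), len(set(users))
        if attempts < min_attempts:
            label = "benign"
        elif distinct >= spray_users:
            label = "password-spray"
        else:
            label = "brute-force"
        verdicts[ip] = (label, attempts, distinct)
    return verdicts


if __name__ == "__main__":
    for ip, (label, attempts, distinct) in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {label} ({attempts} failures, {distinct} distinct users)")
```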

Get in contact