On August 13th, the FBI and NSA released a joint Cybersecurity Advisory about a previously unnoticed malware, "Drovorub," deployed by Russian military intelligence hackers and designed specifically for Linux cyber espionage operations. The two agencies rarely issue joint reports, signifying U.S. concern surrounding Drovorub's potential threat to national security. This article explains what Drovorub is, why it is a threat, and what steps to take to mitigate your organization's risk.
How does Drovorub work?
Drovorub specifically infects Linux devices.
Once a device is infected, a malicious actor can connect to an included command-and-control server, and effectively control the device remotely. The malware toolset provides the actor with the ability to upload and download any files, execute commands as a root user, and even redirect network traffic to other hosts.
Because of its 'rootkit' capability, Drovorub is difficult to detect and remains on the device even after reboot. Drovorub provides capabilities to attackers to quietly open a backdoor into networks, leaving them vulnerable to an attack at any future time.
Why is Drovorub a threat?
In small companies, malware attacks cost an average of $2.6 million dollars annually. For large multinational companies, malware-induced damages can exceed $239 million per incident. But particularly vulnerable is critical infrastructure—these organizations stand to lose over $300 million per incident, yet are the least protected.
Unfortunately, attacks on critical infrastructure are on the rise. The NSA and CISA warn foreign adversaries increasingly target U.S. critical infrastructure, due to its importance to national security and disruptive potential for civilian life.
Most critical infrastructure was not designed to defend against sophisticated cyber adversaries, and most modern security tools were not designed to protect decades-old infrastructure. As a result, U.S. infrastructure—the systems we rely on for water, electricity, power, and more—remains vulnerable and unprotected.
What do the FBI and NSA recommend to protect yourself from Drovorub?
The two main recommendations listed in the report include:
- All U.S. organizations should update any Linux system to a version running kernel version 3.7 or later.
- System owners should configure systems to load only modules with a valid digital signature, to make it more difficult for an actor to introduce a malicious kernel module into the system.
The FBI/NSA document provides 45 pages of significant technical detail and is well worth the read.
How can you implement the FBI and NSA's recommendations?
In addition to implementing their recommendations, organizations should consider using disposable virtual desktops for endpoints connecting to industrial control environments.
Two key features of virtual desktops fulfill the FBI and NSA's recommendations:
(1) Automated Updating: Since they are temporary in nature, virtual desktops can be configured to always rebuild with the latest updates and patches, ensuring that your systems always run the latest version.
(2) Custom Golden Image: Virtual desktops can be launched from a custom golden image template, ensuring that every Linux device connecting to your network has strict security protocols pre-configured, so an actor cannot introduce a malicious kernel module into your system.
Virtual desktops that destroy and rebuild every single day significantly reduce an adversary's time frame to locate, infect, and launch malware onto the network. By acting as disposable, sacrificial components, virtual desktops ensure a network's vulnerabilities are never persistent, thwarting attacks at the reconnaissance stage.
About Dispel
Dispel provides virtual desktops designed to protect critical infrastructure from malware infections. If you are looking for secure, easy-to-use intermediary devices for your team and vendors, visit dispel.io to schedule a demo.
References:
https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50
https://digitalguardian.com/blog/cost-malware-infection-maersk-300-million