
posted by janrinok on Saturday October 30 2021, @11:52AM
from the wretched-hive dept.

Hive ransomware now encrypts Linux and FreeBSD systems:

The Hive ransomware gang now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms.

However, as Slovak internet security firm ESET discovered, Hive's new encryptors are still in development and lack functionality.

The Linux variant also proved to be quite buggy during ESET's analysis, with the encryption completely failing when the malware was executed with an explicit path.

It also comes with support for a single command line parameter (-no-wipe). In contrast, Hive's Windows ransomware comes with up to 5 execution options, including killing processes and skipping disk cleaning, uninteresting files, and older files.

The ransomware's Linux version also fails to trigger the encryption if executed without root privileges because it attempts to drop the ransom note on compromised devices' root file systems.

"Just like the Windows version, these variants are written in Golang, but the strings, package names and function names have been obfuscated, likely with gobfuscate," ESET Research Labs said.

[...] In the past, the Snatch and PureLocker ransomware operations have also used Linux variants on their attacks.
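As an added example (not from the ESET write-up, from Bleeping Computer, or from any Hive sample), the Python script below shows the first static-triage step an analyst would take with a suspected Go encryptor like the one described above: pull printable strings from the binary, confirm Go toolchain markers, and estimate how many Go-style symbol names (`package.Function`) have been rewritten into random tokens, which is what gobfuscate-style renaming leaves behind. The marker list, the vowel-ratio and case-hump thresholds, and the two byte blobs are assumptions constructed here; `-no-wipe` is the only string taken from the story.

```python
"""Static triage for a suspected Go-language sample (added example).

Extracts printable strings from a blob, checks for Go toolchain markers,
and flags Go-style symbols whose tokens look generated rather than named.
Marker list and randomness thresholds are heuristics chosen here, not
anything published by ESET or the gobfuscate project.
"""
import re
from typing import Dict, List

# Strings the Go linker/runtime normally leave behind.  Assumed list of
# well-known markers; a heavily stripped sample may lack some of them.
GO_MARKERS = (b"Go build ID:", b"go.buildid", b"runtime.main", b"runtime.gopanic", b"go1.")

MIN_STRING_LEN = 6
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Go symbol shape: import path, a dot, then an identifier (crypto/aes.NewCipher).
GO_SYMBOL = re.compile(r"^(?P<pkg>[A-Za-z_][\w/]*)\.(?P<name>[A-Za-z_]\w*)$")

VOWELS = frozenset("aeiouAEIOU")
MIN_TOKEN_LEN = 6           # assumed: shorter tokens are too short to judge
MAX_VOWEL_RATIO = 0.2       # assumed: below this a token reads as noise
MIN_CASE_HUMPS = 4          # assumed: lower->upper flips a human name rarely has
OBFUSCATED_THRESHOLD = 0.5  # assumed: fraction of symbols that must look random


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII runs of at least MIN_STRING_LEN bytes."""
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def go_markers(blob: bytes) -> List[str]:
    """Return the Go toolchain markers present in the blob, sorted."""
    return sorted(m.decode("ascii") for m in GO_MARKERS if m in blob)


def looks_random(token: str) -> bool:
    """Heuristic: does an identifier token look generated rather than named?"""
    if len(token) < MIN_TOKEN_LEN:
        return False
    letters = [c for c in token if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    humps = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() and b.isupper())
    return vowel_ratio < MAX_VOWEL_RATIO or humps >= MIN_CASE_HUMPS


def symbol_stats(strings: List[str]) -> Dict[str, int]:
    """Count Go-style symbols and how many carry a random-looking token."""
    total = flagged = 0
    for s in strings:
        m = GO_SYMBOL.match(s)
        if not m:
            continue
        total += 1
        # Judge the last path element of the package and the function name.
        tokens = [m.group("pkg").rsplit("/", 1)[-1], m.group("name")]
        if any(looks_random(t) for t in tokens):
            flagged += 1
    return {"symbols": total, "suspicious": flagged}


def triage(blob: bytes) -> Dict[str, object]:
    """Combine the checks into a small report for one sample."""
    strings = extract_strings(blob)
    markers = go_markers(blob)
    stats = symbol_stats(strings)
    ratio = stats["suspicious"] / stats["symbols"] if stats["symbols"] else 0.0
    if not markers:
        verdict = "no Go markers found"
    elif ratio >= OBFUSCATED_THRESHOLD:
        verdict = "Go binary with obfuscated symbol names"
    else:
        verdict = "Go binary, symbol names look human-written"
    return {"go_markers": markers, "obfuscation_ratio": ratio, "verdict": verdict, **stats}


# Constructed stand-ins for two samples (not real binaries, not Hive code).
CLEAN_SAMPLE = b"\x00".join([
    b"\x7fELF\x02\x01\x01",
    b'Go build ID: "aBcD1234"', b"go1.16.3",
    b"runtime.main", b"runtime.gopanic",
    b"main.encryptFile", b"main.dropRansomNote",
    b"crypto/aes.NewCipher", b"os.Getuid", b"-no-wipe",
])
OBFUSCATED_SAMPLE = b"\x00".join([
    b"\x7fELF\x02\x01\x01",
    b'Go build ID: "zZ9qQwErTy"', b"go1.16.3",
    b"runtime.main", b"runtime.gopanic",
    b"hjdwqzxr.Xqzkvphwt", b"hjdwqzxr.Bgrtkxq",
    b"Qpvkrzzt.Mwxhgq", b"Qpvkrzzt.Ndrkpzl", b"-no-wipe",
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(label, triage(blob))
```

Run it against a real sample with `triage(open(path, "rb").read())`. The point of keeping the standard-library symbols (`runtime.*`) in the count is that gobfuscate renames the program's own packages, so a sample whose only readable symbols are runtime ones and whose remaining names are consonant soup scores high, while an unobfuscated Go binary with the same markers scores near zero.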



  • (Score: 5, Informative) by canopic jug on Saturday October 30 2021, @12:06PM (10 children)

    by canopic jug (3949) on Saturday October 30 2021, @12:06PM (#1191925) Journal

    Digging through the "article" there is precious little information about what's really going on there. However, there are some clues which strongly suggest that this only affects VM guests running on Windoze hosts and that the way in is via the Windoze host not the Linux or FreeBSD system itself. In other words, this looks like more of the same, especially when you take the source Bleeping Computer into account. It has a long history of pushing Windows and spewing FUD and disparagement against all the better systems.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 2) by Runaway1956 on Saturday October 30 2021, @04:29PM (1 child)

      by Runaway1956 (2926) on Saturday October 30 2021, @04:29PM (#1191964) Homepage Journal

      Thanks for digging, it saves work for the rest of us.

      Funny thing about Linux. In general, any newly discovered threats that are serious are addressed in an update, soon after discovery. I can't remember ever having to dig into my configurations to mitigate a threat. Simply observing standard security precautions seems to be all we need to do.

      --
      Abortion is the number one killer of children in the United States.
      • (Score: 2) by Bill Evans on Sunday October 31 2021, @11:03AM

        by Bill Evans (1094) on Sunday October 31 2021, @11:03AM (#1192164) Homepage

        FreeBSD is also good about issuing timely security advisories.

        --
        Brandon shot JFK. People are saying.

    • (Score: 1, Funny) by Anonymous Coward on Saturday October 30 2021, @07:48PM (7 children)

      by Anonymous Coward on Saturday October 30 2021, @07:48PM (#1192017)
      lol 5 informative for a post from someone who doesn't know that ESXi isn't Windows and doesn't Google to find out.
      • (Score: -1, Troll) by Anonymous Coward on Saturday October 30 2021, @11:01PM (6 children)

        by Anonymous Coward on Saturday October 30 2021, @11:01PM (#1192043)

        ESXi is proprietary, insecure crap. Basically it's a Windows application and not Linux. If it were Linux then it would have open source code and in which case you could point us to the source repository for it and we'll take a look.

        <crickets>

        Thought so.

        • (Score: 3, Informative) by Anonymous Coward on Saturday October 30 2021, @11:19PM (5 children)

          by Anonymous Coward on Saturday October 30 2021, @11:19PM (#1192049)

          Different AC. ESXi is a type 1 hypervisor. By definition, it isn't an application on Windows or Linux because it doesn't run on an operating system. It runs on the bare metal and you run operating systems on top of it. You don't even need a Windows or Linux machine involved anywhere in the ecosystem to run ESXi. This is a much bigger deal than just Linux machines hosted on Windows. Well, if the malware worked properly, it would be.

          • (Score: 1, Troll) by canopic jug on Sunday October 31 2021, @05:49AM (2 children)

            by canopic jug (3949) on Sunday October 31 2021, @05:49AM (#1192117) Journal

            Ok, so then the way in is via a proprietary operating system, the ESXi host, still not Linux. In what way is a bug in a proprietary VM underneath the guest operating system a "Linux" problem? Or for that matter, how is it even a big deal? If there was a way from the outside directly into the Linux or FreeBSD guest, that would be a big problem. But that is not what Bleeping Computer has described.

            --
            Money is not free speech. Elections should not be auctions.
            • (Score: -1, Troll) by Anonymous Coward on Sunday October 31 2021, @07:03AM

              by Anonymous Coward on Sunday October 31 2021, @07:03AM (#1192133)

              You're worse than Bleeping Computer. You were spreading FUD and lies that ESXi is a Windows host. And trying to weasel out of the fact that you were wrong.

              Bleeping Computer was not as wrong as you are. Despite your lies, the stuff does run on Linux and targets ESXi. https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version

            • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @08:06AM

              by Anonymous Coward on Sunday October 31 2021, @08:06AM (#1192143)

              ESXi is a type 1 hypervisor. It is not the host. It is not a virtual machine. And if you don't see how having ring -1 access to a system means that the ring 0 kernel on top is in big trouble, I'm not sure how to describe how bad it is other than to remind you that the general technique is to pivot your way across the system. You need access at both levels to do irrecoverable damage in a setup like that and you'd better believe that the next payload (or the current one they missed) is going to extend the techniques used even farther. Having ESXi access and a Linux/FreeBSD/POSIX agent means that not only are your machines fucked, but your SAN/NAS, backups, and even offsites if you aren't careful.

          • (Score: 2, Touché) by canopic jug on Sunday October 31 2021, @08:03AM (1 child)

            by canopic jug (3949) on Sunday October 31 2021, @08:03AM (#1192142) Journal

            Well if the malware worked properly, it would be.

            Yes, the potential for mischief is great, but so is anything else with root access. Once inside the guest, the malware proprietors appear to only be having trouble learning "wget" or "curl", "find", and "gpg" and putting them into a shell script.

            Again, how is it even a big deal in the context of Linux or FreeBSD? It sounds like the flaw is only with ESXi. Having access to the VM host generally gives full access to the guests. It is the equivalent to having physical access on normal systems running on bare metal.

            --
            Money is not free speech. Elections should not be auctions.
            • (Score: 1, Informative) by Anonymous Coward on Sunday October 31 2021, @08:36AM

              by Anonymous Coward on Sunday October 31 2021, @08:36AM (#1192147)

              Three reasons. First, guests are usually your access into the rest of the system. Second, you need a payload on both layers to do real damage. Third, the less tricks you have to do at the hypervisor level, the longer you get to keep them and the lower risk. This means you can expect a larger number of Linux/FreeBSD 0-days getting dropped now that they have a proper payload.

  • (Score: 2) by Opportunist on Saturday October 30 2021, @12:07PM (16 children)

    by Opportunist (5545) on Saturday October 30 2021, @12:07PM (#1191926)

    Back in the good old days, at least malware was still the domain of the assembler and C gurus.

    Today, even that bastion has fallen and even they know jack shit about programming anymore.

    • (Score: 1, Insightful) by Anonymous Coward on Saturday October 30 2021, @01:12PM (11 children)

      by Anonymous Coward on Saturday October 30 2021, @01:12PM (#1191938)
      Exactly. Who the fuck needs golang on their system anyway? Waste of space - remove it, same as that abandonware known as emacs.
      • (Score: 0, Disagree) by Anonymous Coward on Saturday October 30 2021, @02:30PM (8 children)

        by Anonymous Coward on Saturday October 30 2021, @02:30PM (#1191951)

        If only vi weren't such a user hostile, archaic piece of crap...

        It's the current Linux standard, so I use it, but man, is it painful and basic-ass.

        • (Score: 2) by Thexalon on Saturday October 30 2021, @02:45PM (5 children)

          by Thexalon (636) on Saturday October 30 2021, @02:45PM (#1191952)

          You're right, vi and emacs both suck! I'm sticking with EDLIN.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 3, Funny) by RS3 on Saturday October 30 2021, @06:46PM (3 children)

            by RS3 (6367) on Saturday October 30 2021, @06:46PM (#1191992)

            Just use ed. (ugh).

            I don't know if you're kidding, but edlin looks worth a try. I (very) occasionally still use a tiny useful editor on DOS called "ted". Came with some magazine's (PC?) utility collection.

            On Linux I can't live without joe (text editor).

            In searching for edlin info I came across this; someone may enjoy it: https://cs.ccsu.edu/~pelletie/local/humor/computers/general/Why_I_like_my_IBM_3090.html

            My favorite is #4 in the 2nd group.

            • (Score: 2) by Thexalon on Saturday October 30 2021, @07:57PM (1 child)

              by Thexalon (636) on Saturday October 30 2021, @07:57PM (#1192018)

              I'm definitely kidding - I had to contend with Edlin back in the day when fixing a broken DOS machine. Edlin is basically Microsoft's even more broken version of ed.

              Joe, Nano, Vi, Emacs, Notepad, and pretty much anything else is an improvement.

              --
              The only thing that stops a bad guy with a compiler is a good guy with a compiler.
              • (Score: 2) by Freeman on Monday November 01 2021, @02:03PM

                by Freeman (732) on Monday November 01 2021, @02:03PM (#1192455) Journal

                Notepad++ is my happy place, I use it a ton, but the thing I use it for the most is the Macro functionality. Nothing like automating something a monkey could do.

                Vi is the Linux go-to, if I'm working with a command line interface. There's not much of a reason to be using a command line editor for Windows, though. Batch files can be handy, though.

                --
                Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
            • (Score: 3, Informative) by Reziac on Sunday October 31 2021, @02:35AM

              by Reziac (2489) on Sunday October 31 2021, @02:35AM (#1192090) Homepage

              Just in case you want a few more... 1956 of 'em.

              http://www.texteditors.org/cgi-bin/wiki.pl?TextEditorFamilies
              http://www.texteditors.org/cgi-bin/wiki.pl?EditorIndex

              --
              And there is no Alkibiades to come back and save us from ourselves.
          • (Score: 0) by Anonymous Coward on Sunday October 31 2021, @04:55AM

            by Anonymous Coward on Sunday October 31 2021, @04:55AM (#1192108)

            You're right, vi and emacs both suck! I'm sticking with EDLIN.

            Will edlin for windows run under wine?

        • (Score: 0) by Anonymous Coward on Saturday October 30 2021, @02:49PM (1 child)

          by Anonymous Coward on Saturday October 30 2021, @02:49PM (#1191954)
          So write your own. Even in the bad old days of DOS people were able to monkey around writing their own text editors.

          Just don't release it as open source. It's something to scratch your own itch, not further pollute the software ecosystem.

          If people concentrated on scratching their own itch instead of doing shit like go/golang (yeah, right, like the world needs yet another language with interfaces because multiple inheritance is hard (it's not) …

          If there's one lesson we failed to learn from Java, it's that inheritance instead of a proper functioning class system with multiple inheritance is wrong. But then again, people who claim to be programmers can't even do their own memory management …

          • (Score: 2) by HiThere on Saturday October 30 2021, @07:10PM

            by HiThere (866) on Saturday October 30 2021, @07:10PM (#1192000) Journal

            That's not what bothers me about golang. Interfaces are a reasonable approach. What I don't like is the horrible trend toward requiring web access to do things. Go doesn't appear to be quite as bad about that as Rust, but I haven't used either of them enough to be sure. Just enough to be sure that I don't trust them.

            --
            Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 0) by Anonymous Coward on Saturday October 30 2021, @07:36PM (1 child)

        by Anonymous Coward on Saturday October 30 2021, @07:36PM (#1192012)

        Now if they could only make the ransomware run in emacs.

        • (Score: 1, Funny) by Anonymous Coward on Sunday October 31 2021, @01:52AM

          by Anonymous Coward on Sunday October 31 2021, @01:52AM (#1192080)

          M-x M-! pwn-me.sh

    • (Score: 0) by Anonymous Coward on Saturday October 30 2021, @04:30PM (3 children)

      by Anonymous Coward on Saturday October 30 2021, @04:30PM (#1191965)

      Back in the good old days if you got hit with a virus you just wiped and re-installed, and copied your data from local backups.

      No need for anything but your own "personal cloud", whether it was stacks of floppies, cd/dvds, usb memory sticks, or an external drive.

      Seriously, how many of those pictures and videos that clog up your drives have you actually looked at? By the time you "get around to it" you won't recognize them because you'll have Alzheimer's.

      • (Score: 3, Funny) by Runaway1956 on Saturday October 30 2021, @06:12PM (2 children)

        by Runaway1956 (2926) on Saturday October 30 2021, @06:12PM (#1191981) Homepage Journal

        Seriously, how many of those pictures and videos that clog up your drives have you actually looked at? By the time you "get around to it" you won't recognize them because you'll have Alzheimer's.

        Not just pics and personal stuff. I've had the same /home directory for a long time. It started out as a separate directory on a 256 gig spinning rust drive. Migrated it to a larger drive, then to an SSD, then to a larger SSD. It just keeps growing and growing. Finally had to move all my virtual machines to the RAID array to get back some room. At which point, I started browsing all the stuff in my home directory. HOLY SMOKES!! Delete this, move that to RAID, delete something else, so on and so forth. If I had to, I could migrate /home back to a 256 drive, but then I'd miss out on the fun of collecting another 500 gig of useless stuff!

        --
        Abortion is the number one killer of children in the United States.
        • (Score: 2) by jasassin on Sunday October 31 2021, @04:39AM (1 child)

          by jasassin (3566) <jasassin@gmail.com> on Sunday October 31 2021, @04:39AM (#1192106) Homepage Journal

          I like your post! A friend of mine, on more than one occasion, talks about knowing he has it but it's just easier for him to torrent the shit again. So he has multiple copies of the same thing, and he's too lazy to sort through the massive amount of shit to delete the redundancy. I'm sure there's a Windows program that would automatically do that, but yikes... sounds iffy... like a great way to lose all your shit.

          Shrugs.

          --
          jasassin@gmail.com GPG Key ID: 0x663EB663D1E7F223
          • (Score: 3, Informative) by RS3 on Monday November 01 2021, @12:55AM

            by RS3 (6367) on Monday November 01 2021, @12:55AM (#1192342)

            CCleaner has a duplicate file finder: left-hand menu: Tools -> Duplicate Finder

            There are many duplicate finder utilities out there. It's not so much that I don't trust the utilities, but in some cases the dupe might be needed in both places, or it can be ambiguous as to which is the necessary one. But you can go through and hand pick each one before deleting.

  • (Score: 5, Funny) by Anonymous Coward on Saturday October 30 2021, @03:31PM (1 child)

    by Anonymous Coward on Saturday October 30 2021, @03:31PM (#1191960)

    "The ransomware's Linux version also fails to trigger the encryption if executed without root privileges"

    Laughs in Linux.

    • (Score: 3, Informative) by HiThere on Saturday October 30 2021, @07:13PM

      by HiThere (866) on Saturday October 30 2021, @07:13PM (#1192004) Journal

      That just means it isn't currently dangerous, and is lurking there waiting for the first zero-day exploit. The "means of infection" is more significant. If you can only get infected in the first place if you're running on top of MSWindows, then I'm not really worried.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.