On October 3, 2024, Aqua Nautilus researchers published a blog post describing what they had learned about a Linux malware family dubbed "Perfctl", which has been targeting Linux servers for the past three to four years. It gets its initial foothold by exploiting misconfigurations (Aqua counts "more than 20,000 types of misconfigurations" it can take advantage of) and known vulnerabilities, then installs a rootkit to conceal itself and begins stealing CPU cycles to mine cryptocurrency. Its mining traffic, backdoor commands and any further instructions from its operators are carried over Tor, which both encrypts the traffic and hides the other end of the connection.
Perfctl is a severe and persistent threat, given how long it has survived in the wild. A stealthy crypto miner would be bad enough, but Perfctl also opens a backdoor that gives its operators broader access to the compromised system, which is the more serious problem. It is also hard to diagnose on an affected server: the rootkit hides the malware's processes from the usual tools, so the CPU utilization figures an operator sees can omit the mining activity entirely.
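As an added example (my own, not code from the Aqua Nautilus report or from the malware analysis), the following POSIX shell script shows one cheap check for the kind of process hiding described above: it probes /proc/<pid> directly for every candidate PID instead of trusting a directory listing, then reports PIDs that exist but are missing from ps output. It assumes a userland (LD_PRELOAD-style) rootkit that filters readdir() results but leaves explicit path lookups alone; a kernel rootkit can defeat it. The fake /proc tree and the ps listing are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Aqua Nautilus write-up: look for processes that a
# userland rootkit hides from ps. Assumption: the rootkit filters readdir()
# results (what ls, ps and top rely on when they walk /proc) but an explicit
# stat() of /proc/<pid> still succeeds, the usual LD_PRELOAD case. A kernel
# rootkit can hide from both, so a clean result is not proof of a clean host.

# Print every pid in 1..$2 for which the directory $1/<pid> exists.
probe_pids() {
    proc_root=$1; max=$2; pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "$proc_root/$pid" ]; then
            printf '%s\n' "$pid"
        fi
        pid=$((pid + 1))
    done
}

# Print the pids from the probed list ($1) that are absent from the ps
# listing ($2). Feed it `ps -eLo lwp=` rather than `ps -eo pid=`: /proc also
# has a directory per thread id that readdir() never lists, and without the
# thread ids those would all show up as false "hidden" hits.
hidden_pids() {
    known=" $(printf '%s\n' "$2" | tr -s ' \n' '  ') "
    printf '%s\n' "$1" | while read -r pid; do
        [ -n "$pid" ] || continue
        case "$known" in
            *" $pid "*) ;;                # visible to ps
            *) printf '%s\n' "$pid" ;;    # in /proc but not in ps: suspicious
        esac
    done
    return 0
}

# Constructed demo: a fake /proc with pids 1, 7 and 4242, and a ps listing
# from which 4242 is missing, which is what a hidden miner would look like.
CONSTRUCTED_PS='   1
   7'

demo_hidden() {
    fake=$(mktemp -d)
    mkdir -p "$fake/1" "$fake/7" "$fake/4242"
    hidden_pids "$(probe_pids "$fake" 5000)" "$CONSTRUCTED_PS"
    rm -rf "$fake"
}

demo_hidden    # prints 4242

# On a live host (slow in shell for a large pid_max; unhide does this in C):
#   hidden_pids "$(probe_pids /proc "$(cat /proc/sys/kernel/pid_max)")" "$(ps -eLo lwp=)"
```

A hit from this check is a reason to image the host and investigate, not a verdict on its own: short-lived processes that exit between the probe and the ps call will also appear once, so run it a few times and look for PIDs that persist.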
Fortunately, there are mitigations server operators can apply to reduce the threat Perfctl presents.
Aqua Nautilus-Recommended Perfctl Malware Mitigations
- Patch all known vulnerabilities, in particular those in exposed applications such as RocketMQ servers and the Polkit privilege-escalation vulnerability, and keep libraries up to date.
- Restrict file execution by mounting /tmp, /dev/shm and "other writable directories" that the malware uses to run its payloads with the "noexec" option.
- Disable optional and unused services, in particular "those that may expose the system to external attackers, such as HTTP services".
- Implement strict privilege management: restrict root access to critical files and directories, and use Role-Based Access Control (RBAC) to limit what users and processes can access or modify.
- Segment the network, either by isolating critical servers from the Internet or by using firewalls to block outbound connections, "especially Tor traffic or connections to crypto mining pools".
- Finally, deploy runtime protection: "advanced anti-malware and behavioral detection tools that can detect rootkits, crypto miners, and fileless malware like Perfctl".
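The noexec recommendation is the one most often applied incompletely (set with a one-off remount and lost at the next boot, or applied to /tmp but not /dev/shm), so here is an added example, my own and not configuration from the Aqua Nautilus post, that audits a /proc/mounts-style listing for the two directories the recommendation names and prints the fstab lines that enforce noexec on them persistently. The sample mounts listing is constructed so the script runs offline; pass --live to audit the real system.

```shell
#!/bin/sh
# Added example, not configuration from the Aqua Nautilus post: audit the
# writable tmpfs mounts named in the recommendation (/tmp and /dev/shm) for the
# noexec option and print the fstab entries that enforce it across reboots.
WRITABLE_DIRS="/tmp /dev/shm"

# Constructed stand-in for /proc/mounts: /tmp is mounted without noexec,
# /dev/shm with it. On a real host read /proc/mounts instead.
CONSTRUCTED_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

# Print the mount options of mount point $1 from mounts text $2
# (nothing if the directory is not a mount point of its own).
mount_opts() {
    printf '%s\n' "$2" | awk -v m="$1" '$2 == m { print $4 }'
}

# Print each directory in WRITABLE_DIRS that is not a separate mount at all
# (so it inherits the exec permission of its parent filesystem) or is
# mounted without noexec, judging from mounts text $1.
missing_noexec() {
    for d in $WRITABLE_DIRS; do
        case ",$(mount_opts "$d" "$1")," in
            *,noexec,*) ;;                 # already hardened
            *) printf '%s\n' "$d" ;;       # no mount, or mounted exec
        esac
    done
}

# The /etc/fstab line that makes the setting persistent for directory $1.
fstab_line() {
    printf 'tmpfs %s tmpfs defaults,nosuid,nodev,noexec 0 0\n' "$1"
}

# Demo on the constructed listing: flags /tmp and prints its fstab line.
for d in $(missing_noexec "$CONSTRUCTED_MOUNTS"); do
    fstab_line "$d"
done

# Live use: audit the running system, then fix a flagged tmpfs immediately
# with e.g.  mount -o remount,noexec /tmp  and add the printed line to fstab.
if [ "${1:-}" = "--live" ]; then
    missing_noexec "$(cat /proc/mounts)"
fi
```

Two caveats before rolling this out. noexec on /tmp is known to break installers and build tools that unpack and run helpers from /tmp, so test it on a staging host first. And it is a speed bump rather than a wall: `sh /tmp/script` still runs, because the interpreter rather than the file is what gets executed, which is why the recommendation pairs it with privilege restrictions and runtime detection rather than relying on it alone.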
With the malware and its mitigations now well documented, server operators have what they need to prevent infection, or to find and remove Perfctl where it is already present. For more detail on how the attacks work and what Aqua Nautilus learned from honeypotting and sandboxing the malware, see the full, several-page blog post at AquaSec.
If you aren't a Linux server operator, all you can do is hope that your data isn't sitting on one of the servers already compromised by Perfctl, and keep following sound security practices in your day-to-day life.