Showing results for tags 'security vulnerabilities'.

Found 5 results

  1. On Friday March 29, Microsoft employee Andres Freund shared that he had found odd symptoms in the xz package on Debian installations. Freund noticed that ssh login was requiring a lot of CPU and decided to investigate, leading to the discovery. The vulnerability has received the maximum security ratings: a CVSS score of 10 and a Red Hat Product Security critical impact rating. Red Hat assigned the issue CVE-2024-3094, but based on the severity and a previous major bug being named Heartbleed, the community has cheekily given the vulnerability a more vulgar name and inverted the Heartbleed logo. Luckily the vulnerability was caught early. Red Hat wrote: "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library." The malicious injection can be found only in the tarball download package of xz versions 5.6.0 and 5.6.1. The Git distribution does not include the M4 macro that triggers the code. The second-stage artifacts are present in the Git repository and are used for the injection at build time if the malicious M4 macro is present; without the merge into the build, the second-stage file is innocuous. You are recommended to check for xz version 5.6.0 or 5.6.1 in the following distributions and downgrade to 5.4.6. If you cannot, you should disable public-facing SSH servers.
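The version check the article recommends, written out as a small POSIX shell script. This is an added example, not code from the TechRadar article or from the xz project. It assumes that `xz --version` prints `xz (XZ Utils) X.Y.Z` as its first line (the upstream format) and that `ldd` is available; the sshd check reports whether liblzma is loaded by sshd at all, since on distributions that link sshd against libsystemd the library arrives as an indirect dependency.

```shell
#!/bin/sh
# Added example, not from the article above: check a host for the backdoored xz
# releases (5.6.0 and 5.6.1) and show whether sshd has liblzma loaded at all.
# Assumptions: `xz --version` prints "xz (XZ Utils) X.Y.Z" as its first line
# (the upstream format), and `ldd` is available for inspecting sshd.

# version_from_line LINE -> the trailing dotted version number on LINE, if any
version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]\([0-9][0-9.]*\)$/\1/p'
}

# installed_xz_version -> version reported by the xz binary, or "unknown"
installed_xz_version() {
    if command -v xz >/dev/null 2>&1; then
        version_from_line "$(xz --version 2>/dev/null | sed -n 1p)"
    else
        echo unknown
    fi
}

# xz_affected VERSION -> "affected" for the two backdoored releases, "ok" for
# anything else, "unknown" when no version could be determined
xz_affected() {
    case "$1" in
        5.6.0|5.6.1) echo affected ;;
        ''|unknown)  echo unknown ;;
        *)           echo ok ;;
    esac
}

# sshd_liblzma -> path of the liblzma that sshd loads (empty if none). On
# distributions that link sshd against libsystemd, liblzma comes in as an
# indirect dependency, which is how the backdoored library reaches sshd.
sshd_liblzma() {
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd" ] || return 0
    ldd "$sshd" 2>/dev/null | awk '/liblzma/ { print $3 }'
}

main() {
    v=$(installed_xz_version)
    echo "xz version: $v ($(xz_affected "$v"))"
    lib=$(sshd_liblzma)
    [ -n "$lib" ] && echo "sshd loads liblzma from: $lib"
    return 0
}

main
```

Run it as root or a normal user; it only reads. A result of `affected` means the tarball-built 5.6.x library is installed and the article's advice applies (downgrade to 5.4.6, or stop exposing sshd until you can). An empty sshd line means sshd does not load liblzma at all, which removes the path the backdoor used, but the affected library should still be replaced.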
  2. Understand how to respond to the announcement of the XZ Utils backdoor. The post What You Need to Know About the XZ Utils Backdoor appeared first on Security Boulevard.
  3. Nvidia's ChatRTX, previously dubbed Chat With RTX, was prone to some severe cybersecurity issues that were only just addressed in a security hotfix.
  4. Incidents

     It has been implicated in activity which resembles scanning remote hosts on the internet for security vulnerabilities. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review.

     This is a notification of unauthorized uses of systems or networks. We have observed IP addresses from your network probing my servers for TCP open ports. Due to their dubious behavior, they are suspected to be compromised botnet computers. If you regularly collect IP traffic information of your network, you will see the IPs listed connected to various TCP ports of my server at the time logged, and I suspect that they also connected to TCP ports of many other IPs. If a Linux system was at the attacker's IP, you might want to use the command "netstat -ntp" to list its active network connections. If there is still some suspicious connection, find out what PID/program/user ID they belong to, as you might find something to help you solve this problem. In addition to the above, kindly notify the victims (owners of those botnet computers) as this will assist them in taking the appropriate action to clean their computers. Once this action is completed, not only will it prevent severe incidents such as data leakage and DDoS, but it will also stand off botnets from taking up your network bandwidth.

     Solution

     Step 1 – Investigate the Process

     $ netstat -ntp
     $ ps -p 207082 -o command=
     $ ls -l /proc/207082/exe

     Step 2 – Check for Service Units or Cron Jobs

     The process might be started by a systemd service or a cron job:

     Systemd service: Check for custom systemd service files in /etc/systemd/system/ or /lib/systemd/system/ and use systemctl to list all services to see if any custom or suspicious service is running.

     Step 3 – Stop and Disable the Process

     If the process is managed by a systemd service, disable and stop it:

     $ sudo systemctl stop servicename.service
     $ sudo systemctl disable servicename.service

     If it's a cron job, remove or comment out the line in the crontab.

     Step 4 – Remove Executable and Clean Up

     After identifying the executable, consider carefully removing it if it's confirmed to be malicious or not needed:

     $ sudo rm /path/to/executable

     Be cautious, as removing system files or legitimate processes can harm your system.

     Step 5 – Further Security Measures

     • Rootkit Check: Since this process appears suspicious, it's a good idea to run a tool like rkhunter or chkrootkit to check for rootkits.
     • Malware Scan: Use a Linux-based antivirus tool to scan your system for malware.
     • Audit Logs: Check /var/log/auth.log, /var/log/syslog, or relevant system logs for any unusual activity, especially around the times the process was started.
     • System Updates: Ensure your system and all applications are up-to-date with the latest security patches.
     • Firewall Review: Verify your iptables rules and ensure no unwanted rules are allowing traffic through.
     • Network Monitoring: Monitor outbound and inbound connections for further suspicious activities.

     CULPRIT #1

     I see the process was being created by the daemon user through the crontab:

     file /var/tmp/bash18
     file /var/tmp/sh18
     file /var/tmp/init18
     file /var/bash18
     file /var/sh18
     file /var/init18
     file /var/lock/bash18
     file /var/lock/sh18
     file /var/lock/init18

     Investigation Further -> How was this code added to the crontab?

     I am wondering how these executables, such as bash18, sh18 and init18, were set in the daemon user's crontab using XAMPP. Any clue?

     To search through your JavaScript (.js) and PHP (.php) codebase for patterns that might indicate code responsible for adding cron jobs, you can use the grep command in Linux.

     Basic grep Search

     This searches all PHP and JS files for the word "crontab":

     $ grep -r --include=\*.{php,js} "crontab" .

     The {php,js} brace expansion is a bash/zsh feature; under a plain /bin/sh pass --include=\*.php --include=\*.js instead.

     Search for Shell Execution Functions

     Many malicious scripts use PHP's shell execution capabilities (exec, shell_exec, system, passthru, and backticks) to run system commands.

     $ grep -r --include=\*.php '\(exec\|shell_exec\|system\|passthru\|`\)' .

     This command will search for any of the mentioned functions in PHP files. Note the use of backslashes to escape certain characters and the use of \| to indicate an "OR" condition. The pattern is wrapped in single quotes because inside double quotes the backtick would start a command substitution and break the command.

     Searching for Suspicious Base64 Encodings

     Malicious code is often encoded in Base64 to obfuscate its presence. Searching for Base64-encoded strings can sometimes uncover hidden malicious code.

     $ grep -r --include=\*.{php,js} "base64_decode" .

     The post DevSecOps: scanning remote hosts on the internet for security vulnerabilities appeared first on DevOpsSchool.com.
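The manual steps in the post above (inspect the PID, look at the daemon user's crontab, grep the web root) collected into reusable shell functions. This is an added example, not code from the DevOpsSchool post. It assumes a Linux host with /proc and a grep that supports -E; the web root and crontab file are passed in as arguments, and the default crontab path /var/spool/cron/crontabs/daemon is the Debian/Ubuntu per-user location, not something the post states. The cron check generalises the post's specific filenames (bash18, sh18, init18) to any cron entry that runs something out of a scratch directory.

```shell
#!/bin/sh
# Added example, not from the DevOpsSchool post: the post's manual steps
# (inspect a PID, look at the crontab, grep the web root) as shell functions.
# Assumptions: Linux with /proc, grep with -E, and the web root / crontab file
# passed as arguments (XAMPP's usual web root is /opt/lampp/htdocs, but that is
# an assumption about the reader's install, not something the post states).

# Patterns the post greps for, combined into one extended regex: crontab
# manipulation, PHP shell-execution functions and backticks, and base64_decode.
# The leading (^|[^A-Za-z_]) keeps e.g. "my_exec(" from matching "exec(".
SUSPECT_RE='crontab|(^|[^A-Za-z_])(exec|shell_exec|system|passthru|base64_decode)\(|`'

# Where the post's culprits ran from: world-writable scratch directories, plus
# the odd /var/bash18-style paths it lists. This generalises the post's exact
# filenames to "anything a cron job runs out of a scratch directory".
SCRATCH_RE='(/var/tmp|/tmp|/dev/shm|/var/lock)/|/var/(bash|sh|init)[0-9]+'

# proc_info PID -> owner and command line of PID plus the binary it was loaded
# from; "(deleted)" in the exe link means the file was unlinked after launch,
# which is common for droppers.
proc_info() {
    pid=$1
    ps -p "$pid" -o user=,pid=,command= 2>/dev/null
    ls -l "/proc/$pid/exe" 2>/dev/null
    return 0
}

# suspicious_cron_lines FILE -> numbered crontab entries whose command lives in
# a scratch directory. For a per-user crontab on Debian/Ubuntu, FILE is
# /var/spool/cron/crontabs/USER (or save `crontab -u USER -l` to a temp file).
suspicious_cron_lines() {
    grep -nE "$SCRATCH_RE" "$1" 2>/dev/null
    return 0
}

# scan_webroot DIR -> file:line:text for every PHP/JS line matching SUSPECT_RE.
# find + -exec replaces --include=\*.{php,js} because brace expansion is a bash
# feature that plain /bin/sh does not perform. The extra /dev/null argument
# forces grep to print filenames even when a batch holds a single file.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
        -exec grep -nE "$SUSPECT_RE" /dev/null {} + 2>/dev/null
    return 0
}

# main PID WEBROOT [CRONTAB_FILE] -> run the three checks in order
main() {
    [ $# -ge 2 ] || { echo "usage: $0 PID WEBROOT [CRONTAB_FILE]"; return 0; }
    echo "== process $1"; proc_info "$1"
    echo "== cron entries running from scratch dirs"
    suspicious_cron_lines "${3:-/var/spool/cron/crontabs/daemon}"
    echo "== suspicious lines under $2"; scan_webroot "$2"
}

main "$@"
```

Usage follows the post's own numbers: `sh triage.sh 207082 /opt/lampp/htdocs` (the web root is whatever your XAMPP install uses). Matches from scan_webroot are leads, not verdicts: legitimate admin panels call exec() and base64_decode() too, so read each hit in context and compare the file's mtime with the time the cron entry first appeared in /var/log/syslog.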
  5. Complying with US government security standards such as FIPS, FedRAMP, and DISA-STIG is essential for federal agencies and any business that deploys systems and services for U.S. government use. However, maintaining a compliant IT ecosystem is a major undertaking, as each regulation brings a host of specialised requirements, and dealing with the never-ending stream of security vulnerabilities that require patching only adds to this task. The operating system is the cornerstone of a successful compliance strategy, since it provides the foundation for cryptography, system hardening, and managing security vulnerabilities. Modern organisations need a reliable operating system that can not only power their workloads but also enable their security and compliance strategies, and Ubuntu is uniquely positioned to fulfil that role. This article will explore how Ubuntu can support compliance with US federal government regulations and ease the pain of dealing with security vulnerabilities, while also empowering users to take advantage of the best of open source.

     FIPS 140

     FIPS 140 is perhaps the most prevalent IT security and compliance regulation for government use cases: it is a data protection standard which requires that cryptographic modules be validated against exacting and comprehensive security requirements. Ubuntu supports FIPS 140 on Linux with a series of validated components: the Linux Kernel Crypto API, OpenSSL and OpenSSH, libgcrypt, and strongSwan. FIPS validation takes a long time, but security vulnerabilities can emerge at any point, and Canonical endeavours to publish fixes as quickly as possible, irrespective of their certification status. With that in mind, Ubuntu users can choose from two FIPS modes: 'FIPS-updates' and 'strict FIPS'. The former includes ongoing fixes and is the recommended mode for organisations prioritising security, whereas the latter contains certified packages only, which remain vulnerable to the latest exploits.

     To streamline compliance throughout the rest of their IT ecosystems, organisations should ensure that every application they deploy utilises the FIPS-validated core of Ubuntu to take advantage of the certification. Companies should avoid applications that embed unvalidated cryptographic modules, or that use Ubuntu libraries in ways that do not conform to their security policies. Applications should either consume high-level languages or use the validated cryptography APIs directly. On public clouds, Ubuntu Pro FIPS listings offer out-of-the-box, FIPS-compliant Linux images for Azure, AWS and GCP.

     DISA-STIG – automated hardening

     Organisations deploying solutions for the US Department of Defense must comply with DISA-STIG hardening guidelines. Meeting these requirements can be particularly challenging and time-consuming since DISA-STIG contains over 200 rules that must be applied manually. Ubuntu transforms DISA-STIG compliance by enabling an unprecedented level of hardening automation. The Ubuntu Security Guide is a compliance-as-code tool that can automatically fix the overwhelming majority of compliance rule violations, eliminating the need to manually address each issue. Utilising OpenSCAP, Ubuntu users can effortlessly audit their systems and generate a report on compliance status, then use the Ubuntu Security Guide to apply fixes. Pre-hardened DISA-STIG compliant Ubuntu containers are now available directly through Platform One IronBank, enabling a secure supply chain through zero-distance delivery from source to production.

     FedRAMP – compliance in the cloud

     FedRAMP is a federal government program that provides a standardised approach to security and risk assessment for cloud services. FedRAMP authorisation is required for any cloud service that holds federal data. Ubuntu is the most widely used Linux operating system across all leading public clouds, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Each of these vendors offers FedRAMP-certified environments, and in these spaces, certification typically applies to any available Ubuntu images as well.

     Managing security vulnerabilities

     Keeping systems up-to-date with the latest security patches is one of the most significant IT challenges facing modern businesses, and overcoming this challenge is a central element of the Ubuntu value proposition. Each LTS release of Ubuntu benefits from ten years of security updates with an Ubuntu Pro subscription. Throughout this period, the Ubuntu security team takes in vulnerability reports every day from MITRE, NVD, and other sources to continuously develop and publish fixes as soon as security issues are discovered, often before vulnerabilities are even made public. This security patching covers the open source packages that form the base of the Ubuntu Main repository (2,300 packages), as well as more than 23,000 packages in the Ubuntu Universe repository, which include web servers, databases and development tools. Together, they form a single trusted secure repository that covers all the open source software that users require.

     Ensuring uptime with Kernel Livepatch

     For production systems it is imperative to apply critical security patches, but the disruption of rebooting is also not preferred. Canonical Livepatch provides the ability to deploy security fixes to the Linux kernel without the need for rebooting, allowing you to maintain five-nines (99.999%) or greater uptime. Livepatch is available with Ubuntu Pro, and is enabled on Ubuntu LTS kernels from 16.04 onwards, as well as Hardware Enablement (HWE) kernels from version 6.2 in Ubuntu 22.04. Livepatch is also compatible with FIPS kernels provided FIPS updates are enabled.

     Active Directory integration for IAM compliance

     Linux desktops, including Debian and Ubuntu, have supported Active Directory integration for a long time through SSSD; however, that was limited to authentication and a small subset of related security policies. Canonical has released ADsys, our new Active Directory client, which allows for:

     • Native Group Policy Object support for both machine and user policies targeting dconf settings on the client machine.
     • Privilege management, allowing the possibility to grant or revoke superuser privileges for the default local user, and for Active Directory users and groups.
     • Custom script execution, giving the possibility to schedule shell scripts to be executed at startup, shutdown, login and logout.
     • Active Directory Administrative Templates for all supported versions of Ubuntu.
     • Native user authentication with Azure Active Directory (Azure AD), enabling users on Microsoft 365 (M365) Enterprise plans to authenticate Ubuntu desktops with the same credentials they use for M365 or Azure.

     ADSys is supported on Ubuntu starting from 20.04.2 LTS, and tested with Windows Server 2019. These features align the Active Directory management experience of Ubuntu as closely as possible to the one available in Windows.

     US government regulatory compliance

     Ubuntu and the ecosystem surrounding it drastically simplify the process of keeping systems patched against security vulnerabilities and compliant. The federal regulatory landscape is highly complex, but specialised Ubuntu images provide a variety of certifications out-of-the-box, and the Canonical team is on hand to provide bespoke assistance with any compliance challenge.