Hackers hijack Linux devices using PRoot isolated filesystems

[Corrine]

Via Bleeping Computer at Hackers hijack Linux devices using PRoot isolated filesystems:

 

Hackers are abusing the open-source Linux PRoot utility in BYOF (Bring Your Own Filesystem) attacks to provide a consistent repository of malicious tools that work on many Linux distributions.

A Bring Your Own Filesystem attack is when threat actors create a malicious filesystem on their own devices that contain a standard set of tools used to conduct attacks. 

This file system is then downloaded and mounted on compromised machines, providing a preconfigured toolkit that can be used to compromise a Linux system further.

"First, threat actors build a malicious filesystem which will be deployed. This malicious filesystem includes everything that the operation needs to succeed," explains a new report by Sysdig.

"Doing this preparation at this early stage allows all of the tools to be downloaded, configured, or installed on the attacker's own system far from the prying eyes of detection tools."

Sysdig says the attacks typically lead to cryptocurrency mining, although more harmful scenarios are possible.

The researchers also warn about how easy this novel technique could make scaling malicious operations against Linux endpoints of all kinds.

More info at the referenced article.

[V.T. Eric Layton]

Interesting, but a bit beyond my pay grade. I don't quite understand how this hack is done. The article doesn't give details, obviously.

[V.T. Eric Layton]

OK, after a little reading here and there online, I found that PRoot is nothing new. The application has been around for years. From everything I'm seeing, it can allow one to use PRoot to access an existing system where the root password has been forgotten or never previously known. Once in the Proot environment, a user can change the root password of the existing system. After rebooting, this would allow root access on the system. NOTE, though: PHYSICAL access to the machine is necessary to perform this "hack".

 

I'm not sure how this "threat" above would be done on a remote system. For instance, in my case... a hacker would have to know my IP address (which changes with every new boot). They would then have to get past my router's firewall, and beyond that, my system firewall (IP Tables). Those would NOT be easy things to do, I don't believe. It would be much more difficult with a VPN, also.

 

So, not being an expert in Linux, I'm not totally sure what's going on here. Maybe @securitybreach would be able to explain it better?

[raymac46]

Would this hack be of more interest in compromising server systems than desktop systems? It seems to me that if an attacker already has physical access to your machine you have more problems than Proot execution. Another example of all the hoops you have to go thru to hack a Linux system versus running some malware code in Windows. 

[V.T. Eric Layton]

1 hour ago, raymac46 said:

It seems to me that if an attacker already has physical access to your machine you have more problems than Proot execution.

 

True. I can access all unencrypted files on any system with the Porteus that I keep on a thumb drive on my wallet chain.

[securitybreach]

If it is physical access, then it is a non-issue as there are lots of ways of getting into a unencrypted system with physical access. That and its an issue with Proot which is not installed on most distros by default as they use chroot instead. On to read more about it.

[securitybreach]

Plus, from the article:

 

PRoot is an open-source utility that combines the 'chroot', 'mount --bind', and 'binfmt_misc' commands, allowing users to set up an isolated root filesystem within Linux. By default, the PRoot processes are confined within the guest filesystem; however, QEMU emulation can be used to mix host and guest programs execution. Additionally, programs from within the guest filesystem can use the built-in mount/bind mechanism to access files and directories from the host system.

The attacks seen by Sysdig use PRoot to deploy a malicious filesystem on already compromised systems that include network scanning tools like "masscan" and "nmap," the XMRig cryptominer, and their configuration files.

 

 

[securitybreach]

Oddly enough after searching, I seen no other article talking about this story besides bleepingcomputer which simply reposted the one from sysdig. The only other instance was NsaneForums.com and they just reposted the bleepingcomputer article of the sysdig one. I tried to find more stories by searching:

 

linux proot hijack

linux proot

linux hijacked

 

I seen older articles not related to the story but nothing on what sysdig reported. Also, the source linked on the bleepingcomputer website is simply a reshare of what sysdig claimed word for word. 

https://sysdig.com/blog/proot-post-explotation-cryptomining/

 

I find this strange as BleepingComputer is normally a credible site.

[securitybreach]

I hate to say it but it looks like sysdig is simply trying to advertise their product:

 

Quote

Thus, it is instrumental for your company’s security operations to have a runtime detection layer, such as Falco, that can detect this behavior. Ensure you can observe this type of threat to reduce your risk of exploitation, the costs of cryptomining, and attacker persistence on your network.

 

Quoted from the end of article https://sysdig.com/blog/proot-post-explotation-cryptomining/

 

They claim that they discovered threat actors using Proot but give no proof, not even a CVE warning or anything. So this company found a vulnerability but never bothered to report it or anything? There wasn't even anything on Full Disclosure or any of the security lists.

 

The Falco open source container, Kubernetes, and cloud security tool was created by Sysdig and contributed to the CNCF.

 

https://sysdig.com/opensource/falco/

 

[wa4chq]

I bet it's them pesky MS drones...

[V.T. Eric Layton]

So, basically... Fear, uncertainty and doubt (often shortened to FUD) is a propaganda tactic used in sales.

 

I suspected this a bit. No fault on @Corrine's part in posting this, though. Always good to be aware of what's going on out there in Cyberland.

 

Thanks, @securitybreach!

[securitybreach]

No problem, glad to help

[crp]

On 12/5/2022 at 2:13 PM, securitybreach said:

I find this strange as BleepingComputer is normally a credible site.

Is BleepingComputer a credible source? No.

Yes. 

No.

well, "trust but verify".

 

I want to to make it clear that I do not think that BleepingComputer acts in bad faith. If I see a headline about getting hacked, I read it to see what details are disclosed.

Stories about non-security issues seem to be very much on the ball.

But stories about "discovered" threat vectors - they tend to jump first before really looking into it. Which is not a bad thing but one does need to separate the wheat from the chaff. First thing I look for is if physical access is needed. If so, I just ignore it unless there is some computer science aspect to it. Then I do a web search to see if a 3rd party not connected to the BleepingComputer articls can be found. If so, I dig in. Otherwise , i put the aside article. I might come back to it, but usually it gets closed without my reading it.

 

[securitybreach]

Agreed crp