FBI NSA warns that Russian government hacker group 'Fancy Bear' threatens national security with undiscovered Linux malware tool 'Drovorub'



The US Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) are using the malware ' Drovorub ' for Linux, which is an unknown cyber spy group '

Fancy Bear ' supported by the Russian government, to protect sensitive networks We jointly announced that we are doing hacking such as infiltration and stealing confidential information.

Russian GRU 85th GTsSSDeploys PreviouslyUndisclosed Drovorub Malware
(PDF file) https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF



NSA and FBI warn that new Linux malware threatens national security | Ars Technica
https://arstechnica.com/information-technology/2020/08/nsa-and-fbi-warn-that-new-linux-malware-threatens-national-security/

Fancy Bear is a hacking group that reports directly to the General Information Office (GRU) of the Russian Federation Military Staff, which is a Russian military intelligence agency, and is also called 'APT28' 'Sofacy Group' 'STRONTIUM'. Fancy Bears have been enthusiastic since mid-2014 and were found to have attacked journalists who wrote articles criticizing President Putin, and that Russia was doping throughout the country in 2016. Crimes such as hacking the World Anti-Doping Organization and disabling rocket guns and missiles by mounting malware on the Ukrainian Army have been confirmed. In addition, it is said that fancy bears are also involved in the alleged Russian interference in the 2016 US presidential election, the so-called ' Russian gate .'

``Russia Gate'', which was involved in Russia in the US presidential election, has 126 million Facebook posts on Facebook, 131,000 reach tweets, and more than 1000 videos on YouTube-GIGAZINE



According to the FBI and NSA, 'Drovorub' is a toolkit consisting of implants that communicate with C2 servers managed by Fancy Bear, rootkits for kernel modules, file transfer and port transfer tools, and C2 server build tools. Drovorub's malware runs with root privileges, giving the malware operator complete control over the target system. Drovorub has not been known so far, and recent research has revealed its existence.



The FBI and NSA rate Drovorub as 'a malware toolkit that can threaten national security.' To prevent damage from Drovorub, system administrators should install all security updates, update the Linux kernel to version 3.7 or later, and only load modules with valid digital signatures. The system should be configured. Network administrators also point out that intrusion detection systems such as YARA and Snort can catch and stop suspicious network traffic and flag Drovorub-related files and processes.

According to security researcher Dmitri Alperovich, who has been tracking fancy bears for many years, the name ``Drovorub'' means ``lumberjack,'' and at the same time, the Russian word for kernel driver. It is also known to Drova.



Related Posts:

in Security, Posted by log1i_yk