Security experts say the modern “Perfctl” malware could pose a threat to any Linux server

On October 3, Aqua Nautilus researchers published a blog post revealing what they know about a Linux malware called “Perfctl” that has been targeting Linux servers for the past three to four years, using “over 20,000 types of misconfigurations” as initial attack vectors. Once operational, the malware uses a rootkit to hide itself and eventually begins stealing CPU resources to mine cryptocurrency. It conceals its mining traffic, and potential backdoor commands and surveillance, inside Tor-encrypted traffic.

Perfctl poses a serious and persistent threat considering how long it has remained in the wild. A stealthy cryptocurrency miner would be bad enough, but Perfctl can also gain broader backdoor access to the whole system via specific vectors, which is an even bigger security problem. Compromised processes are also difficult to detect when diagnosing affected servers: the malware can completely hide its cryptocurrency mining activity by manipulating the reported CPU utilization numbers so that they exclude its own usage.

Fortunately, there are countermeasures that server operators can implement to mitigate the threat posed by Perfctl.

  1. Patch all known vulnerabilities, especially in applications such as RocketMQ servers, and the Polkit vulnerability. Keeping libraries up to date is also recommended.
  2. Restrict file execution by setting “noexec” on /tmp, /dev/shm and “other writable directories” that this malware uses to run its payloads.
  3. Disable optional and unused services, especially “those that may expose your system to external attacks, such as HTTP services.”
  4. Implement strict permission management by limiting root access to critical files and directories, and use role-based access control (RBAC) to restrict which users and processes can access and modify them.
  5. Segment the network by isolating critical servers from the Internet, or use firewalls to block outbound communications, “especially Tor traffic or connections to cryptocurrency mining pools.”
  6. Finally, implement runtime protection with “advanced antimalware and behavior detection tools that can detect rootkits, cryptocurrency miners, and fileless malware such as Perfctl.”
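Two host-side checks that follow from the list above and from the point that Perfctl hides its CPU usage: an audit of /proc/mounts for writable directories mounted without noexec (item 2), and a reconciliation of system-wide busy CPU ticks against the ticks attributed to visible processes, where a large unexplained gap is the kind of discrepancy a process-hiding rootkit leaves behind. This is an added example, not code from the article or from Aqua Nautilus; the /proc contents are constructed samples so it runs offline.

```python
"""Added example (not from the article or Aqua Nautilus): noexec audit and a
CPU-accounting reconciliation. /proc samples below are constructed."""

# Directories the article says should carry noexec: /tmp, /dev/shm and other writable ones.
WRITABLE_DIRS = ("/tmp", "/dev/shm", "/var/tmp")

def mounts_missing_noexec(proc_mounts_text, dirs=WRITABLE_DIRS):
    """Directories in `dirs` whose mount lacks noexec. A directory that is not a mount
    point of its own is reported too: it inherits its parent's (normally exec) options."""
    opts = {}
    for line in proc_mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4:
            opts[f[1]] = set(f[3].split(","))
    return [d for d in dirs if "noexec" not in opts.get(d, set())]

def unattributed_cpu_ticks(cpu_line, pid_stat_lines):
    """System-wide busy ticks (the /proc/stat 'cpu' line) minus utime+stime of every
    visible process (/proc/[pid]/stat). A miner hidden from the process list still burns
    kernel-accounted ticks, so a large positive gap is worth investigating. On a live
    host compare deltas of two snapshots a few seconds apart, because ticks of processes
    that have already exited are no longer listed under /proc."""
    v = [int(x) for x in cpu_line.split()[1:]] + [0] * 8
    busy = v[0] + v[1] + v[2] + v[5] + v[6] + v[7]   # user nice system irq softirq steal
    seen = 0
    for line in pid_stat_lines:
        rest = line[line.rindex(")") + 2:].split()  # comm may contain spaces; skip past it
        seen += int(rest[11]) + int(rest[12])       # utime (field 14) and stime (field 15)
    return busy - seen

# Constructed samples: /dev/shm mounted exec, and ~75% of busy time not attributed.
SAMPLE_MOUNTS = """/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0"""
SAMPLE_CPU = "cpu 9000 0 2000 50000 100 50 50 0 0 0"
SAMPLE_PIDS = [
    "1 (systemd) S 0 1 1 0 -1 4194560 20 0 0 0 1200 800 0 0 20 0 1 0 10 0 0",
    "1234 (my daemon) S 1 1234 1234 0 -1 4194304 10 0 0 0 500 300 0 0 20 0 1 0 100 0 0",
]

if __name__ == "__main__":
    print("exec-capable writable dirs:", mounts_missing_noexec(SAMPLE_MOUNTS))
    print("busy ticks no visible process accounts for:",
          unattributed_cpu_ticks(SAMPLE_CPU, SAMPLE_PIDS))
```

On a real host, feed the functions the contents of /proc/mounts, the first line of /proc/stat and the /proc/[pid]/stat files instead of the samples.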

We hope that server operators will be able to avoid this attack, or clean it up where it has already occurred, now that the malware and the countermeasures are so well documented. For more detail on how the attacks unfold and what Aqua Nautilus learned from capturing the malware in honeypots and sandboxes, consider reading the full multi-page blog post documenting the issue at AquaSec.

Otherwise, if you are not a Linux server operator, hope that your data is not on any of the Linux servers already compromised by this issue, and make sure you are following proper cybersecurity practices in your daily life.
