2022年12月7日

黑客是使用PRoot BYOF扩大其业务范围Sysdig宣布,他们已经发现,黑客使用PRoot扩大了业务范围。3分钟阅读PRoot使威胁演员旁路系统的工具和环境设置,以避免检测。恶意文件系统,包括所有需要的,是攻击者创建的系统,以避免检测工具。除了加密矿业用例,PRoot可用于恶意软件部署和在促进持久性。Sysdig威胁研究小组警告用户一个新兴威胁。雷竞技 raybet研究小组指出,威胁演员利用PRoot扩大了业务范围到多个Linux发行版。PRoot是一个开源工具为威胁演员提供一个一致的操作环境在不同的Linux发行版。其模拟功能,它还使建筑在其他体系结构上的恶意软件。带上你自己的文件系统post-exploitation技术叫做BYOF,即“把自己的文件系统”。被黑客利用,尤其是当他们没有提前充分了解环境,或缺乏对环境资源来改变他们的工具。 On the other hand, PRoot was created to improve compatibility, to simplify things for administrators. PRoot relies on two elements: PTRACE: An unprivileged syscall usually available in Linux distributions that can monitor, control, and manipulate other processes. QEMU: A tool that can emulate programs built for different architectures through dynamic binary execution; an abbreviation of Quick EMUlation. The attack starts with creating a malicious filesystem to be deployed, including everything that the operation needs to be successful. The preparation in the early stages enables all of the tools to be downloaded, configured, or installed on the attacker’s system. The archives are placed on well-known storage platforms for the attack. When a hacker gains access to a system, the filesystem is downloaded along with PRoot, thus, it doesn’t need any additional external files or libraries. Then the filesystem was unpacked and the attacker runs the proot executable. PRoot offers a threat actor a number of benefits: PRoot easily delivers malicious code by packing it into a filesystem. The attack is more scalable since the commands are more likely to succeed. An attacker can define different attack paths. Installing and executing a miner is only one of the scenarios; it is also possible to set up persistence mechanisms or run other malware (DDoS, crypto locker, etc.). The architecture of the compiled malicious executables is irrelevant. Sysdig said, « Attackers’ post-exploitation techniques and paths are always improving and evolving to evade detection during the setup and execution phases in the victims’ environment. The discovery of PRoot allowing attackers to bypass a target system’s tools and skip the environment setup and execution is a powerful option for defense evasion. Beyond the cryptomining use case, PRoot can be used in malware deployment and in facilitating persistence. It removes attacker’s concerns with targets’ varying architecture types and provides a greater attack scale and success rate. Thus, it is instrumental for your company’s security operations to have a runtime detection layer, such as Falco, that can detect this behavior. Ensure you can observe this type of threat to reduce your risk of exploitation, the costs of cryptomining, and attacker persistence on your network. » Erdem Yasar is a news editor at Cloud7 News. Erdem started his career by writing video game reviews in 2007 for PC World magazine while he was studying computer engineering. In the following years, he focused on software development with various programming languages. After his graduation, he continued to work as an editor for several major tech-related websites and magazines. During the 2010s, Erdem Yasar shifted his focus to cloud computing, hosting, and data centers as they were becoming more popular topics in the tech industry. Erdem Yasar also worked with various industry-leading tech companies as a content creator by writing blog posts and other articles. Prior to his role at Cloud7 News, Erdem was the managing editor of T3 Magazine. Leave a Reply