Linux Defense Evasion Techniques Detected by AhnLab EDR (1)

Generally, organizations such as institutes and companies use various security products to prevent security threats. For endpoint systems alone, there are not only anti-malware solutions but also firewalls, APT defense solutions, and products such as EDR. Even in general user environments without separate organizations responsible for security, most of them have basic security products installed.

As such, threat actors use defense evasion techniques following the initial compromise to bypass the detection of security products. The simplest form is bypassing the signature of anti-malware software to avoid file-based scans, but there are other methods such as deleting the installed security products or bypassing firewalls.

AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on Korea’s only self-behavior-based engine. AhnLab EDR continuously collects information related to suspicious behaviors based on each type, allowing users to precisely perceive threats from a detection, analysis, and response perspective. Users then can conduct comprehensive analysis based on the data to identify causes, respond with appropriate measures, and establish processes to prevent threat recurrence.

This post outlines defense evasion strategies used by threat actors targeting Linux systems and how users can utilize AhnLab EDR to detect such attacks.

1. Firewall

A firewall is a security solution that monitors and controls network traffic. It can detect and block suspicious activities within the network using specific security rules. There are largely two types of firewalls: network-based firewalls and host-based firewalls. Network-based firewalls monitor and control the traffic related to external sources from the border of a specific network.

Host-based firewalls are installed separately in each system. Microsoft Defender Firewall, a firewall installed in Windows by default, is one of such examples. Linux-based operating systems also have host-based firewalls. For instance, Ubuntu, one of the core Linux distributions, supports a firewall named Uncomplicated Firewall (UFW), and Fedora Linux-type operating systems such as Red Hat and CentOS support firewalld. There is also Iptables, a default firewall of Linux provided by default.

As seen from such examples, threat actors or malware may launch attacks to bypass the firewall after the initial compromise because host-based firewalls are supported for basic operating system environments to detect and block suspicious network traffic. For example, ransomware and APT threat actors who abuse remote desktops to control the infected systems manipulate firewall settings to activate the remote desktop protocol (RDP) service. [1] [2] [3]

The same applies for Linux. As you can see below, Kinsing CoinMiner deactivates the firewall of the target if it is using the Ubuntu environment and removes the Iptables rules.

Figure 1. Kinsing’s routine of deactivating the firewall

When events that deactivate firewalls occur, AhnLab EDR detects them as threats (see Figure 2) so that the administrators can discover the causes and respond appropriately.

Figure 2. Detection logs when events that deactivate firewalls occur

2. Linux Security Module

Linux Security Module (LSM) is a kernel module that implements the mandatory access control (MAC) policy. It allows the management of permissions of users or processes to access the resources such as files, giving administrators the ability to configure the application permissions and protect the systems. Among the Linux distributions, Ubuntu supports an LSM named AppArmor and Fedora Linux-type OS such as Red Hat and CentOS support SELinux.

Among the malware strains, there are those like Kinsing equipped with the feature to deactivate LSMs. Kinsing can deactivate SELinux and AppArmor and also disable security policies that interfere with its malicious behaviors.

Figure 3. Kinsing’s LSM deactivation routine

When a command that deactivates the Linux kernel security module is executed, AhnLab EDR detects the event as a threat and helps administrators recognize it in advance.

Figure 4. Detection logs when a Linux kernel security module deactivation event occurs

3. Rootkit

Rootkits are malware strains that possess the capability to conceal themselves or other malware types. They primarily target files, processes, and network communications for their concealment. Kernel mode rootkits are often used not only in Windows but also in Linux environments. Reptile rootkit which provides the reverse shell feature [4] and Diamorphine rootkit are some of the prime examples of this kind. [5]

Diamorphine provides features such as cloaking processes, files, and directories, granting permissions, and self-cloaking. It is being used in many attacks because it has supported not just the older versions but also the latest versions of the Linux kernel for a long time. Watchdog, a group that targets vulnerable cloud environments and installs CoinMiner, is one of the threat actors who use a combination of a user-mode rootkit and Diamorphine in its attacks. [6]

Figure 5. Watchdog group’s Diamorphine

AhnLab EDR detects as key behaviors the events of loading suspicious Linux kernel modules, and if events of installing known rootkits occur, it detects them as threats to help administrators become aware of them in advance.

Figure 6. Detection logs when Diamorphine rootkit’s installation events occur

4. Conclusion

Threat actors are utilizing defense evasion strategies to bypass security products that detect malware and suspicious behaviors. Notably, they deactivate firewalls that control the network traffic by default or security modules applied with access control policies by administrators for security. Attackers may also utilize rootkits to cloak the malware.

AhnLab EDR detects tools used in the defense evasion stage as threats and key behaviors, allowing administrators to become aware of these in advance. Based on AhnLab EDR, administrators can identify the cause and respond appropriately. Even after being exposed to an attack, they can also review the data from the affected system needed to investigate the infiltration incident as evidentiary data on the threat actor.

Behavior Detection
– DefenseEvasion/EDR.Scripting.M10885
– DefenseEvasion/EDR.Firewall.M11609
– SystemManipulation/MDP.Disable.M11581
– DefenseEvasion/EDR.Event.M10888
– DefenseEvasion/EDR.Event.M10889
– DefenseEvasion/MDP.Diamorphine.M11627
– DefenseEvasion/DETECT.Rootkit.M11732

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Linux Defense Evasion Techniques Detected by AhnLab EDR (1) appeared first on ASEC BLOG.

Article Link: Linux Defense Evasion Techniques Detected by AhnLab EDR (1) - ASEC BLOG