{"id":7911,"date":"2024-10-06T01:04:00","date_gmt":"2024-10-06T05:04:00","guid":{"rendered":"https:\/\/www.both.org\/?p=7911"},"modified":"2024-10-05T09:05:05","modified_gmt":"2024-10-05T13:05:05","slug":"perfctl-malware-infects-thousands-of-linux-hosts-since-2021","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=7911","title":{"rendered":"Perfctl malware infects thousands of Linux hosts since 2021"},"content":{"rendered":"<p>ArsTechnica has an article about the <a href=\"https:\/\/arstechnica.com\/security\/2024\/10\/persistent-stealthy-linux-malware-has-infected-thousands-since-2021\" data-type=\"link\" data-id=\"https:\/\/arstechnica.com\/security\/2024\/10\/persistent-stealthy-linux-malware-has-infected-thousands-since-2021\" target=\"_blank\" rel=\"noreferrer noopener\">thousands of Linux systems infected<\/a> by this well-designed malware that&#8217;s been dubbed perfctl. One of the vulnerabilities it exploits, <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-33246\" data-type=\"link\" data-id=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2023-33246\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-33246<\/a>, is a remote code execution flaw in Apache RocketMQ versions 5.1.0 and below.  
The other CVE referenced in the ArsTechnica article, <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2021-4043\" data-type=\"link\" data-id=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2021-4043\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-4043<\/a>, is a NULL pointer dereference in <a href=\"https:\/\/gpac.io\/\" data-type=\"link\" data-id=\"https:\/\/gpac.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">gpac<\/a>, an open-source multimedia framework.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/arstechnica.com\/security\/2024\/10\/persistent-stealthy-linux-malware-has-infected-thousands-since-2021\" data-type=\"link\" data-id=\"https:\/\/arstechnica.com\/security\/2024\/10\/persistent-stealthy-linux-malware-has-infected-thousands-since-2021\" target=\"_blank\" rel=\"noreferrer noopener\">ArsTechnica article<\/a> contains significant detail about the malware: how it infects servers, how it persists, and how it hides itself. The original research from Aqua Security claims that this malware <a href=\"https:\/\/www.aquasec.com\/blog\/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers\/\" data-type=\"link\" data-id=\"https:\/\/www.aquasec.com\/blog\/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">targets millions of Linux servers<\/a>. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The bad news<\/h2>\n\n\n\n<p>Although only the two CVEs listed above are known to be exploited at present, the techniques perfctl uses are not limited to them. The malware is designed to look for any of roughly 20,000 weaknesses, most of them common software misconfigurations and unpatched software. That opens up a pool of millions of Linux servers that may be misconfigured or whose software hasn&#8217;t been kept properly updated. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The good news<\/h2>\n\n\n\n<p>So in the three years perfctl has been trying to infect Linux servers, it has only managed to break into &#8220;thousands&#8221; of them, not the millions we typically see for Windows infections within hours or days. <\/p>\n\n\n\n<p>Hosts that have been kept current with updates and patches are far less likely to be infected. Properly configured server software, especially software with Internet-facing interfaces such as web sites, is also much less vulnerable. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Be safe<\/h2>\n\n\n\n<p>Keep all your hosts current with updates and upgrades. I know that the <a href=\"https:\/\/en.wikipedia.org\/wiki\/List_of_Dilbert_characters#Pointy-haired_Boss\" data-type=\"link\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/List_of_Dilbert_characters#Pointy-haired_Boss\" target=\"_blank\" rel=\"noreferrer noopener\">Pointy Haired Bosses<\/a> want to maintain the status quo because updates mean change and possible problems, but the consequences of not applying updates are far worse. And check all your servers, especially those that accept incoming connections from the Internet, to ensure that they are properly configured.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ArsTechnica has an article about the thousands of Linux systems infected by this well-designed malware that&rsquo;s been dubbed perfctl. The vulnerability, identified as CVE-2023-33246, is in Apache RocketMQ versions 5.1.0 and below. Another reference in the ArsTechnica article, to CVE-2021-4043, affects gpac, a multimedia framework. 
The ArsTechnica article contains significant details about the malware, how [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":6224,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[5,75,89],"tags":[591,592],"class_list":["post-7911","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-security","category-system-administration","tag-malware","tag-perfectl"],"modified_by":"David Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/7911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7911"}],"version-history":[{"count":5,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/7911\/revisions"}],"predecessor-version":[{"id":7916,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/7911\/revisions\/7916"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/6224"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
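The post's "Be safe" advice (keep hosts patched, and check what Internet-facing servers expose) is easier to act on with a concrete check. The POSIX shell script below is an added example and is not code from the post, from ArsTechnica, or from Aqua Security. It assumes iproute2's `ss` and either `dnf` or `apt-get` are installed; the `ss` output embedded in it is constructed sample data, and the ports and process names in it are illustrative only.

```shell
#!/bin/sh
# Added example: audit what a Linux host exposes and what it has left unpatched.
# Not from the post, ArsTechnica or Aqua Security. Assumes iproute2 `ss` and
# either dnf or apt-get. SAMPLE_SS below is constructed, not a real capture.

# Constructed sample in the format of `ss -Hltnp` (run as root so the owning
# process is shown). Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1203,fd=21))
LISTEN 0 4096 *:9876 *:* users:(("java",pid=2210,fd=44))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=977,fd=6))
LISTEN 0 128 [::1]:6379 [::]:* users:(("redis-server",pid=1500,fd=7))'

# Read `ss -Hltnp` lines on stdin; print the sockets reachable from off-host
# (anything not bound to loopback) as: STATE LOCAL_ADDR:PORT PROCESS
exposed_listeners() {
    awk '
        {
            addr = $4
            host = addr; sub(/:[^:]*$/, "", host)          # strip the port
            if (host == "127.0.0.1" || host == "[::1]" || host ~ /^127\./) next
            proc = "unknown"                                # ss -p needs root
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            printf "%s %s %s\n", $1, addr, proc
        }'
}

# List packages with pending updates using whichever package manager is present.
# `dnf check-update` exits 100 when updates exist, so it is not safe under set -e.
pending_updates() {
    if command -v dnf >/dev/null 2>&1; then
        dnf -q check-update 2>/dev/null | awk 'NF >= 3 && $1 !~ /^Obsoleting/ { print $1 }'
    elif command -v apt-get >/dev/null 2>&1; then
        apt-get -s upgrade 2>/dev/null | awk '/^Inst / { print $2 }'
    else
        echo "no supported package manager found" >&2
        return 2
    fi
}

# With --live, audit this host; otherwise demonstrate on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    echo "== exposed listeners =="
    ss -Hltnp | exposed_listeners
    echo "== packages with pending updates =="
    pending_updates
else
    echo "== exposed listeners (constructed sample) =="
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

Run it with `--live` as root on each server; every line printed by `exposed_listeners` is a service that deserves a deliberate decision (firewall it, bind it to loopback, or confirm it is patched), and a non-empty `pending_updates` list is exactly the condition the post warns about.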