AL2022_85 Hackers takeover Linux devices using PRoot isolated filesystems (5th December 2022) 

Description  

Hackers are utilizing BYOF (Bring Your Own Filesystem) assaults to take advantage of the open-source Linux PRoot utility and offer a consistent repository of harmful tools that are compatible with numerous Linux distributions. 

A BYOF attack occurs when threat actors build a malicious filesystem on their own hardware that includes a common set of attack tools. This file system is then downloaded and mounted on compromised machines, providing a preconfigured toolkit that can be used to compromise a Linux system further. The attacks typically lead to cryptocurrency mining, although more harmful scenarios are possible. 

Summary  

The 'chroot', 'mount - -bind', and 'binfmt misc' commands can all be used along with the open-source utility PRoot to create an isolated root filesystem under Linux. The PRoot processes are typically restricted to the guest filesystem, but QEMU emulation can run both host and guest programs concurrently. Additionally, the built-in mount/bind method can be used by programs in the guest filesystem to access files and directories on the host system. 

Threat actors only need to download the precompiled binary from GitLab and run it against the attacker's downloaded and extracted filesystem to mount PRoot since it is statically compiled and does not need any dependencies. 

In most discovered attacks, the attackers unpacked the filesystem on '/tmp/Proot/' and then activated the XMRig cryptominer. PRoot makes it simple for threat actors to download payloads other than XMRig, potentially doing more serious harm to the compromised system. 

The fact that "mascan" is present on the malicious filesystem suggests that the attackers are taking an aggressive approach and means they intend to hack further systems using the compromised machine. 

These post-exploitation attacks are platform and distribution agnostic due to hackers' abuse of PRoot, which increases their likelihood of success and the stealthiness of the threat actors. 

Furthermore, pre-configured PRoot filesystems let attackers employ a toolkit on a variety of OS configurations without having to translate their malware to the intended architecture or add dependencies and build tools. 

Remediation  

There is no remediation for this vulnerability currently. Some threat research teams may offer tools that can detect the exploitation of this vulnerability. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Hackers takeover Linux devices using PRoot isolated filesystems.pdf

References