This week, we’ll talk about a security vulnerability identified in our Lelastic tool, which is used by our customers to configure IP failover, and a new Linux-based malware that appears to be targeting education systems in the Asia region.
A security vulnerability was identified in lelastic, a tool built by Linode that simplifies the configuration of failover. Failover is the concept of rerouting traffic to a backup system should the primary system become unavailable. Linode Compute instances support failover through our IP Sharing feature.
The vulnerability stems from a built-in gRPC server unintentionally exposed to the public Internet. In versions before v0.0.6, the tool accepted gRPC requests on all network interfaces and addresses via TCP port 50051. An attacker could leverage this vulnerability to manage the bgp configuration on the affected Linode. This vulnerability is not exploitable if your Linode is protected by a firewall and this port is closed. To mitigate this threat, we reached out to our customers that we believe could have been impacted by this vulnerability. We have not observed any cases of active exploitation so far.
To protect your Linode, upgrade the lelastic tool to the latest version, currently v0.0.6. If you are not able to upgrade immediately, you may also restrict public access to port 50051 using Linode Cloud Firewall or a firewall running on your Linode.
If you need further assistance, or if you have any questions, please don’t hesitate to reach out to email@example.com.
A new malware was discovered recently by the security researchers at Akamai Technologies that seems to be targeting Linux servers since March 2022. At its core, it consists of a TCP peer-to-peer class botnet for command-and-control and a sophisticated SSH worm that leverages the known_hosts file for target discovery along with a brute forcing algorithm to penetrate and infect connected systems. Panchan, written in golang, appears to achieve its motive by executing two cryptominers – xmrig and nbhash – in memory-mapped files. The binaries are base64 encoded within the main executable itself, which are then decoded and executed in runtime. This is most likely done to avoid detection, something that Panchan takes a considerable number of steps to ensure; it also terminates the miner processes upon detection of top and htop and mimics legitimate systemd services and binaries.
There are still certain techniques that can be used to detect the presence of Panchan. Administrators can refer to this github repository shared by Akamai that contains a list of IoCs and a script that can be used to detect techniques linked to Panchan. For defending against a threat like Panchan, we recommend adopting a defense-in-depth strategy that leverages technologies like multi factor authentication and redundancy in monitoring.
For an in-depth analysis of the malware, please refer to this report.