BPFDoor: Stealthy Linux malware bypasses firewalls for remote access

Researching Linux VPN, Firewall, and Antivirus Options : linuxquestions

I've recently decided to up my security game on my Linux machine, and I'm interested in what people are using. After a bunch of research, I've settled on ProtonVPN, which is free and has stellar reviews on PCMag. However, I've had some difficulty finding decent anti-virus and firewall options. I'm currently leaning towards BitDefender GravityZone Business, but it's quite pricey. I've considered free alternatives like ClamAV, but I'm looking for something a bit more comprehensive. I'd be curious what other people use before I pull the trigger on buying something. Thanks!

edit: Thanks everyone for the replies! I still have a lot to review based on your replies, but I've concluded that my first step will be getting a firewall set up and configured. I will share additional (if any) steps I take with regard to VPN or antimalware / AV as I take them.

Top 10 Linux Firewall Solutions in 2021 | Spiceworks

A Linux firewall is defined as a solution or service that regulates, protects, and blocks network traffic as it passes to and from a Linux-based environment. Given that nearly 75% of the world’s servers run on Linux, these solutions are essential to provide secure access to users and end customers. Let’s understand the basics of a Linux firewall and look at the best products in the market in 2021.

What Is a Linux Firewall?

A Linux firewall is a solution or service that regulates, protects, and blocks network traffic as it passes to and from a Linux-based environment.

Most Linux distributions, including Debian, Ubuntu, CentOS, etc., ship with pre-built firewall services of their own (much like Microsoft Windows has Windows Defender firewall turned on by default). Therefore, you can have two types of Linux firewall:

1. A command line or GUI utility

Linux firewall utilities sit on top of pre-built firewall services such as Netfilter, UFW, FirewallD, iptables, etc. You can configure these manually or install an additional utility that exposes the service’s full functionality, simplifies configuration, and enables point-and-click setup. The pre-built firewall will already impose some default firewall zones, like a trusted zone, a demilitarized zone, or a block zone. The utility lets you configure these zones further, set up custom zones, and enforce more granular policies as per your needs.

2. A standalone Linux firewall solution

These are comprehensive firewall solutions (services and the configuration interface) that exist independent of Netfilter, iptables, etc. They come within a secure, hardened OS that you can install in a shell of your choice – a bare metal appliance, a public cloud environment, or a private, virtualized shell. These solutions usually include network management capabilities like traffic routing or monitoring reports to enable a 360-degree network management landscape.

Both types of Linux firewall solutions can coexist in the same organization. A good rule of thumb is to use the first one for solo deployments, while the latter is more suited to enterprise use cases.

Key Must-Have Features for Linux Firewall Solutions

Some key features to look for in a Linux firewall solution are:

Ease of use: Depending on your technical expertise, you need a solution that marries rich functionality with ease of use. Linux’s pre-built firewall solutions are extremely competent, so a big reason for installing an additional firewall is the user experience and convenience it provides. A GUI, simple command-line controls, and remote web portals are some factors to consider.

Developer community: Linux firewall solutions have an open-source bedrock, so a larger community is always helpful. Check for community activity on GitHub, the number of releases in the last few years, and options to avail of (and contribute to) community-led support.

Hosting environment: If you opt for the second option, a standalone solution, the hosting environment makes a massive difference. Check for compatibility with your existing public cloud providers, the investment needed if you want a new hardware shell, and implementation support.

Range of configurations: The Linux firewall solution must offer the broadest possible range of configurations, such as time-bound security policies, custom network zones, user-specific security configurations, and so on. This will be a determining factor for enterprise purchases more than for standalone use, where the network environment is mainly static.

Non-firewall capabilities: As Linux already comes with a robust firewall service of its own, the solution you choose should also include non-firewall network management and security functionalities. VPN, bandwidth optimization, content filtering, network usage logs, and intrusion detection are some add-ons to look for.

Now that you know what a Linux firewall solution is and its top features, let’s explore some of the best offerings in 2021.

Top 10 Linux Firewall Solutions in 2021

As mentioned earlier, all Linux distributions ship with prebuilt firewalls, and technically you could do without installing any additional firewall solutions on your Linux system. However, prebuilt firewalls have limited functionality, and it helps to have a utility that sits on top, allowing you to configure and manage the firewall’s filtering rules.

Some Linux firewall solutions are also standalone—meant to reside in their own hardware or virtualized shell, acting as an end-to-end network security appliance. These solutions are meant for small-to-mid-sized businesses, with multiple teams relying on Linux systems for everyday work. Here is an alphabetically arranged list of the top Linux firewall solutions in the market today.

Disclaimer: This list is based on publicly available information and includes vendor websites that sell to mid-to-large enterprises. Readers are advised to conduct their own final research to ensure the best fit for their unique organizational needs.

1. Endian Firewall Community (EFW)

Overview: Endian Firewall Community (EFW) is a turnkey or ready-to-use security solution built on Linux. It requires a hardware shell or virtualized environment to reside and offers protection for Linux-based environments of various sizes. You can also download a free, limited version of EFW as software installed on your existing Linux PC.

Key features: Endian offers the following core capabilities to protect your systems:

Four versions: for home users, network security in small offices, Wi-Fi/BYOD, and IIoT
Stateful firewall, constantly analyzing data packets in real time
Network performance enhancement with bandwidth optimization, network failover, etc.
Additional security measures such as VPN, network gateway antivirus, intrusion prevention, and email security
Detailed analytics and historical reports of web usage

USP: EFW is very flexible. It adapts to the needs of home users, large-scale industrial companies, and everything in between. It builds a fully secure enterprise perimeter based on Linux, at par with other commercial Windows-based firewall solutions.

Editorial comments: If you are a small business or startup running Linux, eager to grow fast, Endian is a suitable partner. It works with industry giants like Docker to provide security in diverse scenarios native to a Linux environment.

Pricing: The EFW basic software version is available for free download. You can reach out to the company for custom pricing for its enterprise solutions.

2. Gufw Firewall

Overview: UFW or Uncomplicated Firewall is a prebuilt firewall solution that comes with all Ubuntu distributions of Linux. Gufw is the Graphical User Interface (GUI) enhancement that makes it easier to configure UFW according to your needs. No matter your Linux distribution (Debian, Mint, etc.), you can download Gufw Firewall as a standalone tool.

Key features: Gufw Firewall has the following functionalities:

A refreshingly easy interface with a zero learning curve
Simple toggles to turn the firewall on/off, allow/deny incoming and outgoing data traffic, and set your firewall profile
A GUI-based rules configuration engine
Complete logs of network activity and firewall intervention
Customizable firewall profiles for different networks

USP: Despite Linux’s popularity among the developer community, it has a sizable base of non-technical users as well. Gufw Firewall targets this specific user base, ensuring that there is a no-code user interface and a straightforward configuration management system.

Editorial comments: Gufw Firewall is a perfect mix of user-friendliness and configurability. Not only can you allow or block preconfigured services, but you can also specify a port to be monitored via the firewall. Interestingly, Gufw focuses on governing peer-to-peer (P2P) traffic, so you must check out this Linux firewall solution if P2P uploads and downloads are a common use case in your environment.

Pricing: Gufw Firewall is available for free download.

3. IPFire

Overview: IPFire is an open-source security utility for developers using Linux. It acts as a VPN gateway, proxy server, and other network protection mechanisms in addition to being a pretty powerful firewall. IPFire needs to reside in hardware or virtual shells, just like Endian.

Key features: With IPFire, you can expect the following features:

Network segmentation during installation into Green (safe), Red (risk-prone), Blue (wireless), and Orange (demilitarized) areas, each with its own firewall rules
An improved GUI, thanks to the recent IPFire 2.15 Core Update 86 version
Available in 7 languages apart from English
Self-protection, blocking unauthorized modifications to firewall rules
Additional capabilities like VPN, intrusion detection, web UI, etc.

USP: IPFire has all the foundational capabilities you could demand from a Linux firewall solution. It has a dedicated community for support, which is a plus given that IPFire is an open-source software solution. It also lists optional add-ons that further extend IPFire, including system health monitoring tools, backup services, etc.

Editorial comments: IPFire is best suited for mid-sized organizations requiring reliable security. The company recommends this Linux firewall solution specifically for the education sector, given its effective web filtering tools. It is a robust, extensible solution that is known for regular updates and an active community – so you will be in good hands.

Pricing: IPFire is available for free download for running on-premise, as well as an AWS-based Linux firewall service.

4. Nebero Systems Linux Firewall

Overview: Nebero Systems offers one of the best commercial firewall solutions available for Linux environments. You can choose from five variants – Basic, SOHO, Standard, Premium, and Enterprise – depending on your business needs. Note that these are all paid solutions with unlimited user licenses and free upgrades/support for the first year.

Key features: The following core features are included in Nebero Systems Linux Firewall:

Built on an open-source bedrock with regular community support and updates
Unified threat management, gateway antivirus, intrusion prevention, and Wi-Fi security
Better network performance via bandwidth management, virtual LAN, real-time monitoring, etc.
Additional security for BYOD environments
Disaster recovery/business continuity support in all five versions

USP: Nebero Systems Linux Firewall has prebuilt functionalities for the hospitality industry, such as an API to integrate with property management systems (PMS) and customized login pages that you can provision on a white-label basis. In other words, Nebero Systems Linux Firewall acts as the underlying bedrock for your branded network access system.

Editorial comments: If you want a paid solution for your Linux-based firewall needs, Nebero Systems is worth considering. It offers an end-to-end network security solution, including time-based rules for firewall enforcement – ideal for consumer-facing businesses like hospitality. Keep in mind that this Linux firewall solution resides in hardware, virtualized, or cloud environments.

Pricing: The five Nebero Systems Linux Firewall variants are priced at $1055, $1490, $1675, $2325, and $4690, respectively.

5. OPNsense® Business Edition

Overview: OPNsense® is a firewall solution based on the FreeBSD distribution of Linux. It has two versions – free and business. OPNsense® has impressive firewall functionality, as well as handy add-ons to create a secure network environment.

Key features: Some core features of OPNsense® Business Edition are:

Stateful firewall compatible with IPv4 and IPv6
Visibility into blocked and past traffic on a real-time basis
Intrusion detection that utilizes state-of-the-art technologies from Proofpoint
Web filtering, two-factor authentication, and SD-WAN configurations
Validated and reliable upgrade roadmap as part of the Business Edition

USP: OPNsense® is one of the few Linux firewall solution providers to partner with recognized technology leaders such as Proofpoint, Sunny Valley Networks (the company behind Sensei), Suricata, and ZeroTier – thereby providing an integrated environment.

Editorial comments: Established businesses with mid-sized-to-large Linux environments could gain significantly from OPNsense® Business Edition. It has over 70 plugins for extensibility and over 190 releases so far, ensuring that you have a steady upgrade pathway ahead. Keep in mind that OPNsense® requires a hardware shell.

Pricing: The open-source version is available for free download, although you are encouraged to donate. You can contact OPNsense® for a quotation for its Business Edition.

6. Shorewall

Overview: Shorewall Firewall is an open-source security utility that sits on top of Netfilter, the built-in firewall service that ships with Linux 2.4 and later kernels. It doesn’t need hardware or a virtualized shell, as Shorewall only offers an interface to configure your existing security capabilities. It is distributed as six packages: the core functionality, packages for IPv4 and IPv6 firewalls, “lite” and full-feature administration, and a package for reacting to events.

Key features: Shorewall has the following core functionalities:

Flexible and powerful configuration tool, ideal for users with technical expertise
Can gain from Netfilter’s connection state tracking feature
Effective exception handling if incoming connections do not align with existing firewall rules
Silent discarding of certain data packets to prevent log clutter
No default assumption as to traffic acceptance

USP: Shorewall gives you a configuration option for virtually any scenario without making any assumptions or compromises. If you are operating in a fast-changing network environment, Shorewall can adapt in tandem. It offers significantly greater control than GUI tools like Gufw.

Editorial comments: For those who need a more robust alternative to point-and-click and set-and-forget Linux firewall solutions, Shorewall is an excellent choice. It is relatively easy to use without getting deep into Netfilter’s core programming, and you can set security policies as per your unique requirements.

Pricing: Shorewall is a free software that can be redistributed or modified in line with the GNU public license.

7. Smoothwall Express

Overview: Smoothwall Express is a free, open-source firewall solution for Linux that includes its own hardened OS. You could consider it as an alternative to EFW, as it requires a virtualized shell or hardware environment to reside in. Interestingly, Smoothwall also has a fine-tuned corporate solution for education, public sector, and business use cases.

Key features: With Smoothwall Express, you can expect the following features:

An open-source community of 18,000+ members for regular support
Real-time, content-aware web filtering for business use
Includes a record manager for safeguarding electronic incidents
Powered by a partnership with National Online Safety
A sophisticated quality of service (QoS) feature for smooth traffic routing

USP: Despite being a free Linux firewall solution, Smoothwall Express is informed by the same research and innovation that goes into its commercial solution, popularized by resellers worldwide. This ensures that you get reliable functionality and continuous updates for your Linux environment.

Editorial comments: Users across a variety of organizations, as well as in independent usage scenarios, can gain from Smoothwall. It has a handy plug-and-play backup system where you can plug in a configured drive, and the entire system will be automatically archived for later restoration. This is only one example of how Smoothwall constantly upgrades its capabilities over multiple releases since 2000, making it one of the more time-tested Linux firewall solutions out there.

Pricing: Smoothwall Express is entirely free, whereas Smoothwall Corporate has custom pricing based on your requests for quotes.

8. Untangle NG Firewall Complete

Overview: This Linux firewall solution includes 20+ discrete security applications, including both free and paid services. You can install any free and paid components as standalone solutions, or you can opt for the complete package at a fixed price. Untangle has pre-bundled solutions for the eligible public sector and non-profit organizations as well.

Key features: Untangle NG Firewall Complete has the following features:

Web filter for regulated access based on content type across 32+ billion URLs
Easy-to-use firewall rules functionality and auto-generated reports
Safe browsing experiences through Untangle’s ad blocker
IPsec VPN for securing branch offices (interoperable with Cisco, Sophos, and SonicWALL)
Fully configurable SSL inspector and user/time-based rights management

USP: Untangle’s biggest USP is its ability to offer a comprehensive security solution for Linux at a competitive price. It addresses nearly every network-related risk, including email, spam, ad-based malware, malicious content, vulnerable data transmissions, virus, and bandwidth overutilization in a single package.

Editorial comments: You can try some of Untangle NG Firewall’s functionalities for free, including the basic firewall, intrusion prevention, ad blocker, web monitor, and open VPN. For those looking to expand their network environments, subscribing to the entire package will also get you network management tools such as WAN balancer, WAN failover, etc.

Pricing: Untangle NG Firewall Complete is competitively priced at $25 per month for all 20+ apps. Keep in mind that you’ll need to invest in hardware or virtual appliances or public cloud (AWS/Microsoft Azure) as the solution’s shell.

9. Vuurmuur

Overview: Like Shorewall and Gufw, Vuurmuur is a firewall configuration utility and manager built on iptables, a pre-built firewall functionality for Linux. It has a GUI interface that allows both simple and complex settings and is available as open-source software. Vuurmuur can also be configured remotely.

Key features: Vuurmuur’s key features are:

A simple admin interface that can be used without knowledge of iptables
Built-in default security policies
Compatible with IPv6 connections
Real-time log and connection viewing and searchable historical logs
Scripts available for integration with other tools

USP: Vuurmuur walks on that fine line between ease of use and robust functionality. It is entirely scriptable but also has a GUI interface for non-technical users. It also offers basic monitoring and logging capabilities for end-to-end network security management.

Editorial comments: Vuurmuur has several important differentiators that make it one of the best Linux firewall solutions. Despite being open-source, it is available in multiple languages such as Russian, Portuguese, Dutch, and German. It also supports all popular Linux distributions, including Debian, Ubuntu, and Gentoo. If you’re looking to get started with network security on Linux and want something slightly more advanced than Gufw, Vuurmuur is an excellent option.

Pricing: Vuurmuur is fully open-source and free for use.

10. VyOS

Overview: VyOS is an open, customizable platform for network security that resides in its own bare metal, virtualized, or cloud shell. It acts as a router plus firewall solution partnering with OEMs, resellers, managed services providers, and training organizations to support you across the end-to-end implementation journey.

Key features: Some of the key functionalities of VyOS include:

Customizable images and open APIs that seamlessly fit into any environment
Policy-based routing and support for IPv4/IPv6
Stateful as well as zone-based firewall enforcement
Diverse VPN options in partnership with WireGuard
Custom health checks and load balancing for superior network performance

USP: Its USP is the sheer variety of deployment options across bare metal, virtualized, and cloud environments. VyOS has pre-built support for bare metal platforms like Dell EMC and Edgecore, virtualized shells like Oracle and VMware, and public cloud environments like AWS, Microsoft Azure, and Google Cloud. This makes implementation much easier for enterprise users.

Editorial comments: Users looking for an open-source solution built for enterprise use would do well to consider VyOS. It bundles router and firewall into one solution, along with support for most hosting environments in use today. This means you spend less time on implementing and more on perfectly tailoring VyOS for your needs.

Pricing: The source code for VyOS is freely available on GitHub. Its enterprise solutions start at $660 per year for unlimited router deployment and go up to $6600 per year for the Mission Critical package that includes 24/7 support.

Let’s quickly glance at the features again:

Solution/Feature                 | Ease of use | Developer community | Hosting environment | Range of configurations | Non-firewall capabilities
---------------------------------|-------------|---------------------|---------------------|-------------------------|--------------------------
Endian Firewall Community (EFW)  | ✓           | ✓                   | ✓                   | ✓                       | ✓
Gufw Firewall                    | ✓           | ✓                   | ✓                   | ✓                       | ✕
IPFire                           | ✓           | ✓                   | ✓                   | ✓                       | ✕
Nebero Systems Linux Firewall    | ✓           | ✓                   | ✓                   | ✓                       | ✓
OPNsense® Business Edition       | ✓           | ✓                   | ✓                   | ✓                       | ✓
Shorewall                        | ✓           | ✓                   | ✓                   | ✓                       | ✕
Smoothwall Express               | ✓           | ✓                   | ✓                   | ✓                       | ✕
Untangle NG Firewall Complete    | ✓           | ✓                   | ✓                   | ✓                       | ✓
Vuurmuur                         | ✓           | ✓                   | ✓                   | ✓                       | ✕
VyOS                             | ✓           | ✓                   | ✓                   | ✓                       | ✓

These ten Linux firewall solutions address nearly every use case you might encounter when operating a Linux system either on an independent PC or an enterprise server. The majority of Linux distributions ship with strong firewall mechanisms built into the system. These solutions add another layer of protection while also simplifying administration for network security and performance.

As the rate of web-based cyber attacks grows, solutions like these can help ensure a safe browsing experience for yourself and your users.

Which Linux firewall solution would you recommend to enterprises in 2021? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!

BPFDoor: Stealthy Linux malware bypasses firewalls for remote access

A recently discovered backdoor malware called BPFdoor has been stealthily targeting Linux and Solaris systems without being noticed for more than five years.

BPFDoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.

The malware does not need to open ports, it can’t be stopped by firewalls, and can respond to commands from any IP address on the web, making it the ideal tool for corporate espionage and persistent attacks.

Parsing 'magic' packets

BPFDoor is a passive backdoor, meaning that it listens on one or more ports for incoming packets from one or more hosts, which attackers can use to send commands remotely to the compromised network.

The malware uses a Berkeley Packet Filter (the BPF in the backdoor’s name) sniffer, which works at the network interface layer, so it can see all network traffic and send packets to any destination.

Because of its positioning at such a low level, BPF does not abide by any firewall rules.

It has versions for Linux and Solaris SPARC systems but it could be ported to BSD as well, BleepingComputer learned from Craig Rowland, the founder of Sandfly Security, a company that offers an agentless solution to protect Linux systems.

Security researcher Kevin Beaumont, who published a blog post on BPFDoor, told BleepingComputer that the operators use a “magic” password to control the implant’s actions.

BPFDoor parses only ICMP, UDP, and TCP packets, checking them for a specific data value, and also a password for the latter two types of packets.

What makes BPFDoor stand out is that it can monitor any port for the magic packet, even if those ports are used by other legitimate services, such as web servers, FTP, or SSH.

If the TCP and UDP packets have the right “magic” data and a correct password, the backdoor springs into action executing a supported command, such as setting up a bind or reverse shell.

source: Sandfly Security

Beaumont told us that ICMP packets don’t need a password, which allowed him to scan the internet for running BPFDoor implants using the ping function.

“The ping function allows you to specify an IP address and port for it to reply on - so I was able to get victim implants to reply to a completely different IP I controlled” - Kevin Beaumont

The researcher was able to find BPFDoor activity on networks of organizations in various geographies, most notably the U.S., South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar.

Surprisingly, he discovered 11 Speedtest servers infected with BPFDoor. The researcher said that it is unclear how these machines were compromised, especially since they run on closed-source software.

Bypassing the local firewall

Rowland notes in a comprehensive technical report on BPFDoor that the malware employs some clever evasion and anti-forensics tactics:

Resides in system memory and takes anti-forensics steps (wipes the process environment, albeit unsuccessfully, as it leaves it empty)

Loads a Berkeley Packet Filter (BPF) sniffer allowing it to work in front of any locally running firewalls to see packets

Modifies ‘iptables’ rules when receiving a relevant packet to allow attacker communication through the local firewall

Masquerades the binary under a name similar to a common Linux system daemon

Renames and runs itself as /dev/shm/kdmtmpflush

Changes the date of the binary (timestomping) to October 30, 2008, before deleting it

Rowland believes an explanation for timestomping, as an anti-forensics technique in this case, could be that the attacker may try to protect the binary in case its deletion fails.

The researcher says that the purpose of the fake date could be to hide the malware from a search looking for new files on the system.

Changing firewall rules is of particular importance because it allows attackers to communicate with the backdoor via traffic that firewalls can’t flag as suspicious.

Rowland explains that when the infected host receives a special BPFDoor packet, the malware “will spawn a new instance and change the local iptables rules to do a redirect from the requesting host to the shell port.”

“For instance, the implant can redirect all traffic from the attacker using TCP port 443 (encrypted web) to the shell. Externally, the traffic will look like TLS/SSL traffic but in fact the attacker is interacting with a remote root shell on the system” - Craig Rowland, Sandfly Security

To clarify even more, Rowland says that for a local shell, the malware modifies the ‘iptables’ configuration to redirect all traffic coming from the attacker through a legitimate port to a port range defined in the malware.

This way, the attacker can choose a connection over any port because it would be routed to the shell behind the firewall.

source: Craig Rowland, Sandfly Security
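The redirect Rowland describes leaves a trace in the host's own NAT table: a rule that sends traffic from one source host, arriving on a legitimate port, to a local port in the range the implant reserves for its shell. The script below is an added example, not code from Sandfly Security or the article, and it audits the text format written by `iptables-save` for exactly that pattern. The port range 42391-42491 is the bind-shell range ExaTrack's analysis reports later in the article; the dump it parses is constructed for illustration and does not come from a real infected host.

```python
"""Audit an iptables-save dump for BPFDoor-style redirect rules.

Flags nat-table rules that REDIRECT or DNAT traffic to a local port in the
bind-shell range the implant uses (42391-42491), and reports the source host
and original destination port the rule matches on.  Run it on a live host as:
    iptables-save | python3 audit_nat.py   (stdin support is left to the reader)
The SAMPLE_DUMP below is constructed, not captured from an infected system.
"""
import re
from dataclasses import dataclass

SHELL_PORT_LOW, SHELL_PORT_HIGH = 42391, 42491   # range reported by ExaTrack

_CHAIN = re.compile(r"^-A\s+(\S+)")
_SRC = re.compile(r"(?:^|\s)-s\s+(\S+)")
_DPORT = re.compile(r"--dport\s+(\S+)")
_TARGET = re.compile(r"-j\s+(\S+)")
_TO_PORTS = re.compile(r"--to-ports?\s+(\d+)")          # REDIRECT --to-ports N
_TO_DEST = re.compile(r"--to-destination\s+\S*:(\d+)")  # DNAT --to-destination A:N


@dataclass
class Finding:
    chain: str
    src: str
    dport: str
    target: str
    to_port: int
    raw: str


def _redirect_port(rule):
    m = _TO_PORTS.search(rule) or _TO_DEST.search(rule)
    return int(m.group(1)) if m else None


def audit_iptables_save(dump):
    """Return a Finding for every nat rule redirecting into the shell port range."""
    findings = []
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*filter": table header
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A"):
            continue                      # only appended rules in the nat table matter
        target = _TARGET.search(line)
        if not target or target.group(1) not in ("REDIRECT", "DNAT"):
            continue
        port = _redirect_port(line)
        if port is None or not (SHELL_PORT_LOW <= port <= SHELL_PORT_HIGH):
            continue
        src = _SRC.search(line)
        dport = _DPORT.search(line)
        findings.append(Finding(
            chain=_CHAIN.match(line).group(1),
            src=src.group(1) if src else "any",
            dport=dport.group(1) if dport else "any",
            target=target.group(1),
            to_port=port,
            raw=line,
        ))
    return findings


# Constructed sample: one ordinary 8080->80 redirect and one rule of the kind the
# article describes, sending a single host's port-443 traffic to the shell port.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample, not from a real host)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
-A PREROUTING -s 203.0.113.7/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 42391
COMMIT
"""

if __name__ == "__main__":
    for f in audit_iptables_save(SAMPLE_DUMP):
        print(f"[!] nat/{f.chain}: {f.target} from {f.src} on dport {f.dport} "
              f"-> local port {f.to_port}")
        print(f"    {f.raw}")
```

Only the nat table is inspected because that is where REDIRECT and DNAT live; a benign redirect such as 8080 to 80 passes through untouched, while the single-source rule pointing into the shell range is reported with the host it was written for. Newer variants that choose a different range would need the bounds adjusted, so treat the range as a starting point rather than a signature.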

Commands and detection

Another technical analysis on BPFDoor from Tristan Pourcelot of threat intelligence and incident response company ExaTrack, notes that the malware comes with several hardcoded names that match command strings inside relevant packets:

justtryit, justrobot, and justforfun to establish a bind shell on ports 42391 through 42491

socket or sockettcp to set up a reverse shell to an IP address present in the packet

Part of BPFDoor's techniques to evade detection is to rename the binary to appear as a normal Linux daemon using the choices below:

/sbin/udevd -d
/sbin/mingetty /dev/tty7
/usr/sbin/console-kit-daemon --no-daemon
hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event
dbus-daemon --system
hald-runner
pickup -l -t fifo -u
avahi-daemon: chroot helper
/sbin/auditd -n
/usr/lib/systemd/systemd-journald
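Each of the traits listed above (the /dev/shm drop path, the deleted memory-resident binary, the borrowed daemon name, the emptied environment, the attached packet sniffer, and the 2008 timestamp) is visible from /proc and the filesystem on an ordinary Linux host, and they are far more durable indicators than a file hash. The following script is an added example, written for this page and not taken from Sandfly, ExaTrack or the article; it checks a process snapshot for those traits. Its inputs are constructed stand-ins for /proc/<pid>/cmdline, exe, environ and fd/*, plus the inode column of /proc/net/packet (which lists every AF_PACKET socket on the system). The "two or more indicators" threshold and the generalisation from the exact path to anything executing out of /dev/shm are this example's own assumptions, not something the article states.

```python
"""Host-based hunt for the BPFDoor evasion traits the article lists.

The sample data is constructed so the script runs offline; on a real host the
same fields come from /proc/<pid>/{cmdline,exe,environ,fd} and /proc/net/packet.
"""
from dataclasses import dataclass, field
from datetime import date
import os
import re

# Process names the article reports BPFDoor using to pose as a system daemon.
MASQUERADE_CMDLINES = [
    "/sbin/udevd -d",
    "/sbin/mingetty /dev/tty7",
    "/usr/sbin/console-kit-daemon --no-daemon",
    "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event",
    "dbus-daemon --system",
    "hald-runner",
    "pickup -l -t fifo -u",
    "avahi-daemon: chroot helper",
    "/sbin/auditd -n",
    "/usr/lib/systemd/systemd-journald",
]
TIMESTOMP_DATE = date(2008, 10, 30)   # fake mtime reported in the article
DROP_PATH = "/dev/shm/kdmtmpflush"    # drop path reported in the article
_SOCK_INODE = re.compile(r"socket:\[(\d+)\]")


@dataclass
class ProcSnapshot:
    pid: int
    cmdline: str        # /proc/<pid>/cmdline, NUL separators replaced by spaces
    exe: str            # readlink /proc/<pid>/exe ("... (deleted)" if unlinked)
    environ: bytes      # raw /proc/<pid>/environ
    fd_links: list = field(default_factory=list)   # readlink of /proc/<pid>/fd/*


def _argv0_name(cmdline):
    return os.path.basename(cmdline.split()[0]).rstrip(":")


def _exe_path(exe):
    deleted = exe.endswith(" (deleted)")
    return (exe[: -len(" (deleted)")] if deleted else exe), deleted


def inspect_process(proc, packet_inodes):
    """Return the BPFDoor-style indicators observed on one process."""
    reasons = []
    path, deleted = _exe_path(proc.exe)
    if path == DROP_PATH or path.startswith("/dev/shm/"):   # assumption: generalised
        reasons.append(f"executable runs from tmpfs: {path}")
    if deleted:
        reasons.append("executable was deleted after exec (memory-resident)")
    tokens = proc.cmdline.split()
    first = tokens[0] if tokens else ""
    known = any(c.split()[0] == first for c in MASQUERADE_CMDLINES)
    if known and _argv0_name(proc.cmdline) != os.path.basename(path):
        reasons.append(f"cmdline claims {first!r} but exe is {path}")
    if proc.environ.strip(b"\0") == b"":
        reasons.append("process environment is empty (wiped)")
    inodes = set()
    for link in proc.fd_links:
        m = _SOCK_INODE.match(link)
        if m:
            inodes.add(int(m.group(1)))
    if inodes & packet_inodes:
        reasons.append("holds an AF_PACKET socket (sniffer / BPF filter attached)")
    return reasons


def hunt(procs, packet_inodes):
    """Map pid -> indicators for every process showing at least two of them."""
    out = {}
    for p in procs:
        r = inspect_process(p, packet_inodes)
        if len(r) >= 2:                 # assumption: two traits = worth a look
            out[p.pid] = r
    return out


def find_timestomped(mtimes):
    """Given {path: mtime date}, return paths carrying the implant's fake date."""
    return sorted(p for p, d in mtimes.items() if d == TIMESTOMP_DATE)


# ---- constructed sample data (not from a real host) ----
SAMPLE_PROCS = [
    ProcSnapshot(1, "/usr/lib/systemd/systemd --system", "/usr/lib/systemd/systemd",
                 b"PATH=/usr/bin\0LANG=C\0", ["socket:[1001]", "/dev/null"]),
    ProcSnapshot(742, "/sbin/auditd -n", "/dev/shm/kdmtmpflush (deleted)",
                 b"", ["socket:[5555]", "/dev/null"]),
    ProcSnapshot(900, "dbus-daemon --system", "/usr/bin/dbus-daemon",
                 b"PATH=/usr/bin\0", ["socket:[2002]"]),
]
SAMPLE_PACKET_INODES = {5555}   # inode column of a constructed /proc/net/packet
SAMPLE_MTIMES = {"/usr/sbin/auditd": date(2023, 3, 1),
                 "/dev/shm/kdmtmpflush": TIMESTOMP_DATE}

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROCS, SAMPLE_PACKET_INODES).items():
        print(f"[!] pid {pid}:")
        for r in reasons:
            print("    -", r)
    print("timestomped:", find_timestomped(SAMPLE_MTIMES))
```

The real dbus-daemon in the sample is not flagged even though its name is on the masquerade list, because its exe path agrees with argv[0]; the fake auditd trips every check at once. The AF_PACKET test is the one that survives renaming and hash changes: a daemon that has no business sniffing traffic but holds a packet socket deserves attention regardless of what it calls itself.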

Pourcelot says that the threat actor updated BPFDoor regularly, improving each release with different names for commands, processes, or files.

For instance, newer variants of the implant switched from using command keywords to MD5 hashes, likely in an attempt to avoid trivial detection.

There are at least 21 versions of BPFDoor currently detected on the VirusTotal scanning platform, the earliest ones submitted in August 2018.

While the detection rate for this implant improved, especially after Beaumont, Rowland, and Pourcelot published their findings, the malware went virtually invisible for a long time.

One BPFDoor variant for Solaris from 2019 went undetected until at least this May 7. Today, 28 antivirus engines flag it as malicious.

source: Kevin Beaumont, BleepingComputer

In some cases, the detections are generic and inaccurately flag the above Solaris variant as Linux malware, although it is not a Linux binary.
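Whether a sample is the Solaris/SPARC build or a Linux build can be read from the first twenty bytes of the file, without trusting a vendor label. The parser below is an added example and is not from the article or any of the researchers it quotes; it decodes the ELF identification bytes (class, byte order, OS ABI) and the e_machine field, the standard values of which are documented in the ELF specification. The two headers it parses are constructed for illustration and are not the BPFDoor binaries themselves. One caveat the code spells out: an OS ABI value of 0 (SYSV) is written by both Linux and Solaris toolchains, so for such files the architecture field carries most of the weight.

```python
"""Classify an ELF image's declared platform from its header alone.

Layout (per the ELF spec): bytes 0-3 magic, 4 EI_CLASS, 5 EI_DATA, 6 EI_VERSION,
7 EI_OSABI, 8-15 ABI version and padding, then e_type and e_machine as two
16-bit fields in the byte order EI_DATA declares.  Sample headers are constructed.
"""
import struct

EI_CLASS, EI_DATA, EI_OSABI = 4, 5, 7
OSABI = {0: "SYSV", 3: "GNU/Linux", 6: "Solaris", 9: "FreeBSD", 12: "OpenBSD"}
MACHINE = {2: "SPARC", 3: "x86", 18: "SPARC32PLUS", 40: "ARM", 43: "SPARCv9",
           62: "x86-64", 183: "AArch64"}


def parse_elf_header(data):
    """Return the platform-relevant fields of an ELF header, or raise ValueError."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = {1: 32, 2: 64}.get(data[EI_CLASS])
    order = {1: "<", 2: ">"}.get(data[EI_DATA])
    if bits is None or order is None:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "bits": bits,
        "endian": "little" if order == "<" else "big",
        "osabi": OSABI.get(data[EI_OSABI], f"unknown({data[EI_OSABI]})"),
        "machine": MACHINE.get(e_machine, f"unknown({e_machine})"),
        "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, f"type({e_type})"),
    }


def platform_label(hdr):
    """Coarse platform guess from the parsed header."""
    if hdr["osabi"] == "Solaris":
        return "Solaris"
    if hdr["osabi"] == "GNU/Linux":
        return "Linux"
    # OSABI 0 is shared by Linux and Solaris toolchains; report the architecture
    # instead of guessing, since a SPARC sample is a strong hint on its own.
    return f"generic SYSV ABI, {hdr['machine']}"


# Constructed headers: a 64-bit big-endian SPARCv9 executable marked Solaris, and a
# 64-bit little-endian x86-64 executable marked GNU/Linux.
SAMPLE_SPARC = b"\x7fELF" + bytes([2, 2, 1, 6]) + b"\0" * 8 + struct.pack(">HH", 2, 43)
SAMPLE_X86_64 = b"\x7fELF" + bytes([2, 1, 1, 3]) + b"\0" * 8 + struct.pack("<HH", 2, 62)

if __name__ == "__main__":
    for name, blob in (("sparc", SAMPLE_SPARC), ("x86_64", SAMPLE_X86_64)):
        hdr = parse_elf_header(blob)
        print(name, hdr, "->", platform_label(hdr))
```

Feeding the first 20 bytes of a suspect file (`open(path, "rb").read(20)`) to `parse_elf_header` is enough; a Solaris-marked SPARCv9 executable labelled "Linux" by a scanner is a signature mismatch, not a Linux infection.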

Tristan Pourcelot says that while BPFDoor does not use novel or complicated techniques it still managed to stay stealthy for an extended period.

This could be explained by the fact that malware monitoring technology is not as common in Linux environments as in Windows. Also, “vendors have significantly less visibility,” Beaumont told BleepingComputer.

Craig Rowland agrees that this is a big problem. Even if there is monitoring in place, people don’t know what to look for or use the wrong approach to find Linux malware.

The researcher told us that some administrators use cryptographic hashes to scan the system for malware or malicious files. This doesn’t work well because the smallest change in the file results in a new hash.

“Plus then EDR [Endpoint Detection and Response] wants to load agents all over and agents break Linux so they are often not a good choice. So people fly naked with Linux often and stuff like this happens” - Craig Rowland, referring particularly to older Linux systems

Rowland says that hunting for BPFDoor is easy, at least for the Linux version he analyzed, since its tactics clearly show that they “are just malicious out of the box.”

source: Craig Rowland, Sandfly Security

The source code for an older version of BPFDoor from 2018 has been found by Florian Roth, the creator of Nextron Systems’ THOR APT scanner. The code is now publicly available on Pastebin.

Made in China?

The researchers BleepingComputer talked to about BPFDoor did not attribute the malware to any threat actor. But in a yearly report on cyberthreats, researchers from PricewaterhouseCoopers (PwC) note that they found the BPFDoor implant during an incident response engagement.

PwC attributed the intrusion to a China-based actor they track as Red Menshen (formerly Red Dev 18), who has been using BPFDoor on "telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors."

During the investigations, PwC researchers discovered that in the post-exploitation stage of their attacks Red Menshen used custom variants of the Mangzamel backdoor and the Gh0st remote access tool (RAT), along with open-source tools like Mimikatz (to extract credentials) and the Metasploit penetration testing suite, for lateral movement on Windows systems.

"We also identified that the threat actor sends commands to BPFDoor victims via Virtual Private Servers (VPSs) hosted at a well-known provider, and that these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels" - PwC

The researchers note that Red Menshen's activity is taking place within a nine-hour time interval, between 01:00 and 10:00 UTC, which may align with local working hours.
