[Security Weekly] Newly Discovered Orbit Malware Creates Stealthy Backdoor on Linux Devices


July 2022, Issue II


1. Newly discovered Orbit malware creates stealthy backdoor on Linux devices

A new malware dubbed “Orbit” was discovered by researchers at Intezer Labs, capable of creating backdoors and infecting all processes on Linux devices and servers, as well as maintaining persistence and evading detection.

What’s unique about Orbit is its ability to execute commands and utilities and store the command outputs on the machine itself by hijacking shared libraries. The name “Orbit” comes from the name of a file the attackers used to store that output. Moreover, it is capable of hooking key functions and manipulating any output that might reveal its existence, preventing its activities from being logged. This allows it to maintain persistence on the infected machines and evade detection.

After gaining persistence, the malware provides the attackers with an SSH backdoor to the system, allowing them to gain remote access, steal credentials, and log TTY commands. Since Linux is the most commonly used OS for servers, the malware poses a significant risk to enterprises.

Sources: ZDNet, Threatpost, Bleeping Computer
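Shared-library hijacking of the kind described above works because the Linux dynamic loader will preload any library named in /etc/ld.so.preload or in a process’s LD_PRELOAD variable ahead of libc, which is what lets a hook intercept functions in every process. The newsletter does not say which loader mechanism Orbit uses, so the following defender-side check, an added example that is not from the newsletter or from Intezer’s report, simply audits those two standard preload points and flags entries that resolve outside the system library directories or point at files that do not exist. The sample preload contents and paths in it are constructed for illustration.

```python
#!/usr/bin/env python3
"""Audit the Linux dynamic-loader preload points for suspicious hooks.

Added example (not the newsletter's or Intezer's code). Assumption: an
attacker hijacking shared libraries uses the standard preload points,
/etc/ld.so.preload and the LD_PRELOAD environment variable; rootkits that
patch the loader itself are outside the scope of this check.
"""
import glob
import os

# Directories from which legitimately preloaded libraries normally come.
# Anything preloaded from elsewhere (/tmp, /dev/shm, a hidden directory)
# deserves a closer look.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_preload_file(text):
    """Return the library paths listed in an ld.so.preload body.

    The loader treats the file as a whitespace-separated list of shared
    objects and ignores everything after a '#'.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def parse_ld_preload_env(value):
    """Return the entries of an LD_PRELOAD value (colon- or space-separated)."""
    return value.replace(":", " ").split()


def find_suspicious(entries, exists=os.path.exists):
    """Classify preload entries; returns a list of (entry, reason) findings.

    `exists` is injectable so the logic can be exercised without touching
    the real filesystem.
    """
    findings = []
    for entry in entries:
        if not entry.startswith("/"):
            # A bare name is resolved through the library search path, which
            # is unusual for a preload and easy to shadow.
            findings.append((entry, "relative name resolved via library search path"))
            continue
        path = os.path.normpath(entry)  # collapses "/usr/lib/../../tmp/x.so"
        if not any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
            findings.append((entry, "preloaded from outside the system library directories"))
        elif not exists(path):
            findings.append((entry, "listed but the file does not exist"))
    return findings


def scan_preload_file(path="/etc/ld.so.preload"):
    """Audit the system-wide preload file; an absent file is the normal case."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return find_suspicious(parse_preload_file(fh.read()))
    except FileNotFoundError:
        return []


def scan_process_environments():
    """Audit LD_PRELOAD in every readable /proc/<pid>/environ.

    Returns a dict of pid -> findings. Processes owned by other users are
    skipped silently unless run as root.
    """
    results = {}
    for environ_path in glob.glob("/proc/[0-9]*/environ"):
        pid = environ_path.split("/")[2]
        try:
            with open(environ_path, "rb") as fh:
                raw = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        for item in raw.split(b"\0"):
            if item.startswith(b"LD_PRELOAD="):
                value = item[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
                findings = find_suspicious(parse_ld_preload_env(value))
                if findings:
                    results[pid] = findings
    return results


# Constructed sample of what a tampered ld.so.preload might contain; the
# paths are invented for this example and are not indicators from any report.
SAMPLE_PRELOAD = "/usr/lib/libgood.so\n/dev/shm/.cache/libhook.so  # constructed\n"


if __name__ == "__main__":
    print("sample:", find_suspicious(parse_preload_file(SAMPLE_PRELOAD), exists=lambda p: True))
    print("/etc/ld.so.preload:", scan_preload_file())
    for pid, findings in scan_process_environments().items():
        print(f"pid {pid}:", findings)
```

Run it as root for full coverage of /proc; a clean host prints an empty list for /etc/ld.so.preload and no per-process lines. The `exists` parameter is injected so the classification can be tested offline, and entries are normalized with `os.path.normpath` so a path that escapes a trusted directory through `..` is still caught.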


2. Personal data of one billion Chinese citizens posted for sale online

In early July, an unknown hacker claimed to have stolen the personal data of one billion Chinese citizens from a database belonging to the Shanghai National Police. That is over two-thirds of the Chinese population, making it potentially one of the biggest data breaches ever recorded.

The claim was made by a user named “ChinaDan” on the hacker forum “Breach Forums”. Over 23 TB of data were offered for sale at a price of 10 Bitcoins, or roughly $200,000. Personal information including name, birthplace, national ID number, address, phone number, and criminal history was said to be included in the dataset.

Although the Shanghai National Police didn’t respond to the claim, and isn’t likely to ever do so, CEO of cryptocurrency exchange Binance, Zhang Changpeng, said that the company’s intelligence detected transactions relating to the sale of the database. He also attributed the leak to human error, suggesting that the login credentials to the database were accidentally included in a blog post published by a government developer on the China Software Developer Network (CSDN).

If the claims and findings are true, this data breach would lead to widespread social engineering attacks and identity theft operations across China, along with a range of related cybersecurity issues.

Sources: The Guardian, Threatpost, TechCrunch


3. CISA: North Korean-sponsored Maui ransomware attacks US healthcare sector

The Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert with the FBI and the Treasury, attributing a series of Maui ransomware attacks on US healthcare organizations to North Korean state-sponsored operations.

Unlike most ransomware gangs, which operate ransomware-as-a-service (RaaS) platforms, Maui is an operation manually commanded by the attackers: they infect machines with a Windows executable file, “maui.exe”, which then encrypts targeted systems using a combination of the Advanced Encryption Standard (AES), RSA, and XOR cipher.

Attacks have been identified since May 2021, targeting critical functions in the Healthcare and Public Health (HPH) Sector, including electronic health records, disease diagnostics and imaging, as well as intranet services. The agencies warn that the attackers will likely continue targeting the healthcare industry given their assumption that healthcare providers are more likely to pay ransoms due to their critical functionality.

The agencies do not know how the Maui ransomware gains initial access to the victims’ networks, but advise all healthcare organizations to strengthen their access control with multi-factor authentication (MFA). To learn more about MFA, see iSIGN+.

Sources: CISA


4. Cyberattack at debt collection agency leaks 1.9 million patient records

Colorado-based debt collection agency Professional Finance Company (PFC) disclosed a cyberattack that led to a breach of 1.9 million patient records from 657 healthcare providers across the US, making it the second-largest healthcare data breach of the year after the 2-million-record leak from the Shields Health Care Group in March.

According to the disclosure, PFC detected a cyberattack on February 26, where the attackers gained unauthorized access to certain systems. Follow-up investigations showed that the attackers potentially accessed sensitive patient information that contained names, dates of birth, Social Security Numbers (SSN), health insurance information, contact details, and medical invoices.

PFC began contacting the impacted providers, which include family physicians, dentists, dermatologists, and anesthesiologists, on May 5. Although unconfirmed, sources at Bleeping Computer suggest that Quantum ransomware was behind the attack. As of today, the firm noted that it has rebuilt its systems and enhanced network security to prevent future incidents.

Sources: SC Media, Infosecurity, Bleeping Computer


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security