Cat is bagless - there’s a new version of #BPFDoor https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game

gossithedog@cyberplace.social

Cat is bagless - there’s a new version of #BPFDoor https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game

I’ve found it on orgs in Taiwan and Hong Kong so far.

gossithedog@cyberplace.social

Previously on #BPFDoor https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896

gossithedog@cyberplace.social

Still zero detections on Virustotal (and real world AV and EDR) 🥳

Vendors should aim to have robust detection for this, as it's a real world nation state implant used in a global surveillance operation used for SIGINT for about a decade (including inside and against the US).. which still nobody can be arsed to investigate.

gossithedog@cyberplace.social

VirusTotal behaviour search for latest BPFDoor variant (which has been around since last year but nobody noticed again):

(attack_technique:T1027.005 attack_technique:T1027 behaviour_files:/var/run segment:.eh_frame_hdr) NOT attack_technique:T1543.002

gossithedog@cyberplace.social

Trend Micro have spotted more new versions of BPFDoor, great work by them here.

If you run Linux infrastructure and your org has customers in Asia, particularly minority groups of interest to China, I’d suggest investigating.

Also other anti malware vendors need to look at their detection as again it’s basically zero detections except for Trend now.

BPFDoors Hidden Controller Used Against Asia, Middle East Targets

A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.

Trend Micro (www.trendmicro.com)

gossithedog@cyberplace.social

Multiple Korean telcos are dealing with BPFDoor incidents

Linux anti malware and EDR performance for BPFDoor detection is still shockingly poor. Orgs in Asia or with customers of interest to China (eg Uyghurs) should hunt forward for this. There’s other hints in the thread.

Investigation into SK Telecom data breach expands to KT, LG Uplus: sources - The Korea Times

A joint government-private investigation team looking into SK Telecom's recent large-scale data breach has extended its probe to the servers of two...

(www.koreatimes.co.kr)

gossithedog@cyberplace.social

Really good research from Rapid7 here, where they’ve found multiple new versions of BPFdoor which do things like listen and backdoor on extremely uncommon 4G and 5G signaling protocols - it strongly suggests BPFDoor has been placed far inside telcos for surveillance.

They provide a tool to check for the new implant - I would strongly suggest telcos look for this on their Linux systems, including call infrastructure.

BPFdoor in Telecom Networks: Sleeper Cells in the backbone

A months-long investigation by Rapid7 Labs has uncovered evidence of an advanced China-nexus threat actor placing stealthy digital sleeper cells in telecommunications networks, in order to carry out high-level espionage – including against government networks. Read more in a new blog.

Rapid7 (www.rapid7.com)

gossithedog@cyberplace.social

I don’t know if the US has any effective telco regulation available btw but I’d strongly suggest US telcos are required to investigate and report back findings on this. When I did the OG research on this back in 2021 I found them inside in a US telco and US postal services.

futuristicrobert@infosec.exchange

@GossiTheDog just assume we don't. That's the safest bet.