It has been reported that Lazarus, an advanced persistent threat (APT) group, has expanded its reach with the development and use of a Trojan designed to attack Linux systems. The APT, suspected to hail from North Korea, has previously been connected to global cyberattacks and malware outbreaks including the infamous WannaCry rampage.

When thinking about APTs, there is a tendency amongst the public to focus on the threat and not the attack vector. In the case of Dacls.Linux, the attack vector documented by 360 NetLab appears to be a vulnerability disclosed in Atlassian Confluence in March 2019. This particular vulnerability allows remote code execution and, importantly, enables an attacker to access arbitrary file locations on the server. These capabilities are significant because they allow attackers to both identify and infect any unpatched system. The effective attack sequence then becomes:
1. Identify systems running Atlassian Confluence and exhibiting clues that the patch for CVE-2019-3396 was not applied;
2. Execute an attack known to exploit CVE-2019-3396;
3. Install the Trojan.
While this sequence relies on a successful exploit of CVE-2019-3396, it also highlights the reality of APTs – the primary attack mode is to gain a foothold within a system. This means that any organization with an unpatched vulnerability enabling remote code execution could fall victim to a similar attack, but more importantly this risk extends far beyond traditional Linux computers. Linux is commonly used in servers, desktops, and IoT and embedded systems. It is the IoT and especially the IIoT space that should be particularly concerned with threats like Dacls.Linux, as the embedded systems powering IoT devices tend to have long lifespans and lack commercial anti-malware solutions. As a result, all organizations should implement a robust review of all firmware for IoT devices. This review should look for critical items like unpatched vulnerabilities in the libraries used to create the firmware, but also include a detailed accounting of all external APIs and services the firmware communicates with.
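As an added example (not code from the original post, from 360 NetLab, or from any vendor), the following Python script sketches the two halves of such a firmware review: checking a component manifest against an advisory feed for versions below the fixed release, and inventorying the external endpoints embedded in an image so that plaintext transports, hard-coded IP addresses and unexpected domains stand out. The manifest, the advisory identifiers (placeholders, not real CVEs), the vendor domain and the firmware bytes are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data: a component manifest such as an SBOM would provide.
# Component names and versions are illustrative, not taken from a real device.
FIRMWARE_MANIFEST: Dict[str, str] = {
    "busybox": "1.30.1",
    "openssl": "1.1.1c",
    "libcurl": "7.64.0",
    "mqtt-client": "2.3.0",
}

# Constructed advisory feed: the version in which each component was fixed.
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl", "fixed_in": "1.1.1d"},
    {"id": "ADV-PLACEHOLDER-2", "component": "libcurl", "fixed_in": "7.64.0"},
    {"id": "ADV-PLACEHOLDER-3", "component": "busybox", "fixed_in": "1.31.0"},
]

# Constructed firmware blob: a few binary bytes with embedded strings, roughly
# what `strings` would recover from a real image. Hosts use reserved
# example/documentation names and addresses.
FIRMWARE_BLOB = (
    b"\x7fELF\x00\x01https://update.example-vendor.test/v2/firmware\x00"
    b"\x00\x00mqtt://telemetry.example-vendor.test:8883\x00"
    b"http://198.51.100.23/ping\x00garbage\xff\xfe"
    b"https://update.example-vendor.test/v2/firmware\x00"
)

URL_RE = re.compile(rb"(?:https?|mqtts?|ftp|wss?)://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00\"']*)?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PLAINTEXT_SCHEMES = {"http", "mqtt", "ftp", "ws"}


def parse_version(v: str) -> Tuple[Tuple[int, str], ...]:
    # Turn "1.1.1c" into ((1,""),(1,""),(1,"c")) so numeric parts compare
    # numerically and an OpenSSL-style letter suffix compares lexically.
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version piece: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def find_unpatched(manifest: Dict[str, str], advisories: List[Dict[str, str]]):
    # Report every advisory whose component is present below the fixed version.
    findings = []
    for adv in advisories:
        installed = manifest.get(adv["component"])
        if installed is None:
            continue  # component not built into this image
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append((adv["component"], installed, adv["id"], adv["fixed_in"]))
    return findings


def extract_endpoints(blob: bytes) -> Dict[str, int]:
    # Count each distinct URL-like string found in the raw image.
    seen: Dict[str, int] = {}
    for m in URL_RE.finditer(blob):
        url = m.group(0).decode("ascii", "replace")
        seen[url] = seen.get(url, 0) + 1
    return seen


def audit_endpoints(blob: bytes, expected_domains: List[str]):
    # Flag endpoints a reviewer would want explained: unencrypted transport,
    # hard-coded IPs, and hosts outside the domains the vendor documented.
    report = []
    for url, count in extract_endpoints(blob).items():
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0].split(":", 1)[0]
        flags = []
        if scheme in PLAINTEXT_SCHEMES:
            flags.append("plaintext-transport")
        if IPV4_RE.match(host):
            flags.append("hardcoded-ip")
        elif not any(host == d or host.endswith("." + d) for d in expected_domains):
            flags.append("unexpected-domain")
        report.append({"url": url, "host": host, "occurrences": count, "flags": flags})
    return sorted(report, key=lambda r: r["url"])


if __name__ == "__main__":
    for comp, installed, adv_id, fixed in find_unpatched(FIRMWARE_MANIFEST, ADVISORIES):
        print(f"UNPATCHED {comp} {installed} (fixed in {fixed}, {adv_id})")
    for entry in audit_endpoints(FIRMWARE_BLOB, ["example-vendor.test"]):
        print(f"ENDPOINT {entry['url']} x{entry['occurrences']} {entry['flags']}")
```

The advisory check is only as good as the manifest: the real difficulty in embedded firmware is producing an accurate component inventory in the first place, which is why the review has to start from the build rather than from the shipped binary alone. The endpoint scan complements it by surfacing services the documentation never mentioned, which is exactly the accounting the paragraph above calls for.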
The net result for any defender is to recognize that attackers set the rules of engagement. The best that defenders can do is understand their weaknesses, a process which starts with a thorough understanding of the applications deployed – regardless of platform, origin, support model or vendor. Only then can detailed threat models be created and informed threat intelligence be applied to a deployment.