Linux XorDdos Trojan Use on the Rise
Researchers at Microsoft have noted a “254% increase in activity from a Linux trojan called XorDdos” over the past six months. XorDdos was first detected in 2014; it targets Linux endpoints and servers. In a blog post, the Microsoft 365 Defender Research team writes, “XorDdos uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy. Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.”
As endpoint detection and response (EDR) improves on Windows systems, we see a shift to Linux systems where EDR may not be running or is not detecting as well. We will see more focus on Linux now, with multiple solutions for detection. As usual, you can’t just set it and forget it. Detection engineering will be required to ensure the correct data/log sources, telemetry, tuned alerts, and people trained to respond.
As a CSO, or someone responsible for security in your organisation, do not be lured into a false sense of security if you think “This does not impact me as we don’t have Linux desktops.” Remember that many devices have Linux embedded in them, so you need to ensure they are part of your vulnerability management program.
XorDdos uses brute-force SSH attacks to get onto systems. At a minimum, make sure that you're not allowing password access for Internet-facing Linux servers. Even better, don't allow password authentication mechanisms at all, ideally disallowing root login over the network. Endpoint protection systems are able to detect and thwart this malware; the question is whether you have installed one on your Linux servers. If you have, make sure that the coverage is equivalent to the other endpoint protection services deployed in your environment, including centralized reporting and management. Many solutions are now cross-platform.
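As an added example (not from the article or from Microsoft's write-up), a POSIX shell audit of the two sshd_config settings the paragraph names, run against constructed sample configurations. It assumes stock OpenSSH sshd_config syntax; one sample shows why the first occurrence of a keyword, not the last, is the one sshd applies.

```shell
#!/bin/sh
# Added example: sshd honours the FIRST occurrence of a keyword, and lines after a
# "Match" block apply only conditionally, so a hardening line appended at the end
# of the file may silently have no effect. This audits the effective global values.

# Print the effective global value (lower-cased) of KEYWORD in FILE; empty if unset.
sshd_effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/=/, " ") }          # drop comments, allow Key=value
        tolower($1) == "match" { exit }             # global section ends at Match
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 when FILE blocks SSH password brute force, 1 otherwise; findings go to stderr.
audit_sshd_config() {
    rc=0
    pw=$(sshd_effective_value "$1" PasswordAuthentication)
    root=$(sshd_effective_value "$1" PermitRootLogin)
    # An unset PasswordAuthentication defaults to yes, so only an explicit "no" passes.
    [ "$pw" = no ] || { echo "$1: PasswordAuthentication is '${pw:-unset}', want 'no'" >&2; rc=1; }
    # Only an explicit "no" passes; prohibit-password still admits key-based root logins.
    [ "$root" = no ] || { echo "$1: PermitRootLogin is '${root:-unset}', want 'no'" >&2; rc=1; }
    return $rc
}

# Write a config string to a temp file, audit it, and print "hardened" or "weak".
audit_config_string() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    if audit_sshd_config "$tmp"; then verdict=hardened; else verdict=weak; fi
    rm -f "$tmp"
    echo "$verdict"
}

# Constructed sample: looks fixed at a glance, but the earlier "yes" wins over the
# trailing "no", and PermitRootLogin is set only inside a Match block.
WEAK_CONF='PasswordAuthentication yes
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin no
    PasswordAuthentication no'

# Constructed sample of the settings the commentary recommends.
HARDENED_CONF='# keys only, no root over the network
PasswordAuthentication=no
PermitRootLogin no'
echo "weak sample:     $(audit_config_string "$WEAK_CONF")"
echo "hardened sample: $(audit_config_string "$HARDENED_CONF")"
```

On a live host, `sshd -T` prints the effective configuration after Include and Match processing and is the authoritative check; this script is for reviewing config files offline, for example in a repository or golden image.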