A fake PoC about a Linux kernel vulnerability on GitHub exposed researchers to malware.
A backdoor with a “sly” persistence method has been found in a proof-of-concept (PoC) on GitHub, indicating ongoing targeting of cybersecurity researchers by malicious actors.
Fake PoC for a Linux Kernel vulnerability
The malicious repository masquerading as a proof-of-concept (PoC) for the recently disclosed high-severity flaw CVE-2023-35829 in the Linux kernel was eventually removed.
However, it had already been forked 25 times before its removal. The same account, ChriSanders22, also shared another PoC for CVE-2023-20871, a privilege escalation bug in VMware Fusion, which received two downloads.
Uptycs researchers recently exposed a deactivated GitHub user who replicated authentic PoCs for well-known vulnerabilities, but added concealed Linux-built infostealing malware to them. At the time of detection, the first fraudulent PoC had already been forked 25 times, while the second copy had received 20 forks.
The backdoor has a wide range of capabilities to steal sensitive data from compromised hosts as well as allow a threat actor to gain remote access by adding their SSH key to the .ssh/authorized_keys file.
Nearly a month later, VulnCheck identified several counterfeit GitHub accounts posing as security researchers, aiming to distribute malware through fabricated PoC exploits for popular software including Discord, Google Chrome, Microsoft Exchange Server, Signal, and WhatsApp.
Mitigation
Here are the recommended actions for users who have downloaded and executed the PoCs:
- Revoke the authorization of SSH keys.
- Remove the kworker file.
- Delete the kworker path from the bashrc file.
- Check /tmp/.iCE-unix.pid for any potential threats.
Leave A Comment