AlmaLinux 8.5 Now Available For PowerPC Hardware

Both PowerPC and IBM Power Systems hardware can now enjoy that fresh feeling brought about by the drop-in CentOS replacement, AlmaLinux. This support for 64-bit PowerPC architecture includes the release of binary and source RPMs, container images, and cloud images. According to Jack Aboutboul, community manager for AlmaLinux, "We're looking beyond just the base operating system, in providing containers and cloud images as well, since those are of extreme importance and utility to our users." Aboutboul continues, "We're currently working to deliver support for S/390 as well for eventual full parity with RHEL. The community shouldn't settle for anything less."

This is a fully stable release (as the beta was made available back in January), and there are currently three different versions available:

• AlmaLinux-8.5-ppc64le-boot.iso – a single network installation CD image that downloads packages over the Internet
• AlmaLinux-8.5-ppc64le-minimal.iso – a minimal self-containing DVD image that makes possible offline installation
• AlmaLinux-8.5-ppc64le-dvd.iso – a full installation DVD image containing almost all AlmaLinux packages

To download the version you want, open a terminal window and issue the command wget https://repo.almalinux.org/almalinux/8.5/isos/ppc64le/VERSION where VERSION is the name of your desired release from the list above (or download the versions directly from https://repo.almalinux.org/almalinux/8.5/isos/ppc64le/).

Find out more about this new AlmaLinux release in the release notes (https://wiki.almalinux.org/release-notes/8.5-ppc.html#providing-feedback-and-getting-help).

A Decades-Old Linux Backdoor Has Been Discovered

Back in 2013, during a forensic investigation, the Advanced Cyber Security Research team from Pangu Lab discovered a rather elusive piece of malware. Between 2016 and 2017, the hacker collective, The Shadow Brokers (TSB), leaked a large amount of data that was allegedly stolen from the Equation Group (with links to the NSA) that contained a number of hacking tools and exploits. Around the same time, TSB leaked another data dump that contained a list of servers that had been hacked by the Equation Group.

According to the Advanced Cyber Security Research team, Bvp47 was used to target the telecom, military, higher-education, economic, and science sectors and hit more than 287 organizations in 47 countries. These attacks lasted over a decade as the malicious code was created so that the hackers could retain long-term control over an infected device. And because the attack used zero-day vulnerabilities, there was no defense against it.

The Pengu Lab operation was code-named "Operation Telescreen" and the end result of the operation discovered that this backdoor requires a check code bound to the host in order to function normally. They also determined Bvp47 to be a top-tier advanced persistent threat (APT) backdoor.

As far as whether or not Bvp47 is still in use today, there is no indication that is the case. But given the nature of the exploit, it wouldn't come as a shock to any research lab to discover those leaked tools had been used to cobble together even more dangerous malware.

Read the Pangu Lab report (https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/) to find out more.

Linux in the Cloud Being Targeted by Ransomware

VMware has made a report available that not only indicates a dramatic rise in Linux host images being targeted in the cloud but that 89 percent of cryptojacking attacks use XMRig-related libraries and more than 50 percent of Cobalt Strike (https://www.cobaltstrike.com/, a commercial adversary simulation software) users may be cybercriminals (or are using Cobalt Strike with malicious intent).

In this report, Giovanni Vigna, senior director of threat intelligence at VMware, said, "Cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible." Vigna added, "Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that compromising a single server can deliver the massive payoff and access they're looking for."

Because Linux deployments have skyrocketed (between containers and virtual machines), these types of attacks are only going to increase exponentially. The report also points out that with the continued rise of cloud dependency, these breaches within organizations can have devastating results. This is especially so since (according to the report) these attacks are often "combined with data exfiltration, implementing a double-extortion scheme that improves the odds of success."

Make sure to download and read the full VMware report, "Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments" (https://www.vmware.com/resources/security/exposing-malware-in-multi-cloud.html).