BPFDoor Linux Backdoor
In recent weeks, analysis of a Linux backdoor known as BPFDoor by multiple researchers has shed light on the inner workings of the backdoor and the significant measures it takes to evade detection. BPF in this case refers to Berkeley Packet Filter, a kernel facility that lets a program install a packet filter so it receives only the network traffic matching that filter; it is commonly used by traffic-analysis tools. At this time, this backdoor appears to be used in targeted attacks.
Researchers at PwC have attributed this backdoor to a group from China known as Red Menshen, and noted that the telecommunications, government, logistics and education sectors have been targeted throughout the Middle East and Asia.
At this time, it’s not known how the attackers are initially breaching organizations to place the backdoor, but researchers have observed the use of CVE-2019-3010, a logic bug affecting Oracle Solaris, to escalate privileges on Solaris hosts in some cases.
The backdoor allows an attacker to execute arbitrary code on a system and works without opening any inbound network port, which makes it difficult for responders to detect. Instead, it uses a BPF filter to inspect incoming traffic before the local firewall processes it, and once it receives a specially formatted packet it modifies the local firewall rules to allow the attacker's IP address access.
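Because the backdoor never binds a TCP or UDP port, a listening-port inventory will not show it, but a BPF filter still has to be attached to an open packet socket, and Linux lists every such socket in /proc/net/packet. The following is an added triage script, not Tenable's code or one of the plugins above; it assumes the backdoor holds an AF_PACKET raw socket (SOCK_RAW, type 3) and joins those sockets back to the owning PID via /proc/<pid>/fd. The sample table and fd links are constructed for offline testing.

```python
import os
import re
from typing import Dict, List

# Constructed sample of /proc/net/packet: header plus one SOCK_RAW socket.
SAMPLE_PACKET_TABLE = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff9a6c3e8c0000 3      3      0003   0     1 0      0      43921\n"
)
# Constructed /proc/<pid>/fd symlink targets and process names (hypothetical).
SAMPLE_FD_LINKS = {"1": ["/dev/null", "socket:[1200]"],
                   "4242": ["/dev/null", "socket:[43921]", "pipe:[99]"]}
SAMPLE_COMMS = {"1": "systemd", "4242": "example-daemon"}

def parse_packet_table(text: str) -> List[dict]:
    """Parse /proc/net/packet rows. Type 3 is SOCK_RAW; Proto is hex, 0003 = ETH_P_ALL;
    Iface 0 means the socket is bound to every interface."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) >= 9:
            rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                         "iface": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return rows

def read_fd_links(proc_root: str = "/proc") -> Dict[str, List[str]]:
    """Collect /proc/<pid>/fd symlink targets on the live host (needs root for other users)."""
    links: Dict[str, List[str]] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                links.setdefault(pid, []).append(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            continue                             # process exited or no permission
    return links

def raw_socket_owners(table: str, fd_links: Dict[str, List[str]],
                      comms: Dict[str, str]) -> List[dict]:
    """Return every SOCK_RAW packet socket with the PID/name holding it ('?' if unknown)."""
    inode_to_pid = {int(m.group(1)): pid for pid, targets in fd_links.items()
                    for t in targets if (m := re.fullmatch(r"socket:\[(\d+)\]", t))}
    report = []
    for s in parse_packet_table(table):
        if s["type"] == 3:                        # raw sockets see whole frames, pre-firewall
            pid = inode_to_pid.get(s["inode"])
            report.append({**s, "pid": pid or "?", "comm": comms.get(pid or "", "?")})
    return report

if __name__ == "__main__":
    links = read_fd_links()
    comms = {p: open(f"/proc/{p}/comm").read().strip() for p in links if os.path.exists(f"/proc/{p}/comm")}
    for entry in raw_socket_owners(open("/proc/net/packet").read(), links, comms):
        print(entry)
```

Legitimate software such as DHCP clients, tcpdump or LLDP agents also hold packet sockets, so treat the output as a list of processes to explain rather than a verdict; a raw socket on all interfaces held by a process with no listening ports and an unexpected name is what merits a closer look.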
In response to this sophisticated threat, Tenable Research has several coverage options available to help our customers identify potential infections:
- Nessus plugin ID 161476 checks for indicators of compromise.
- Nessus plugin ID 161761 checks whether the remote system responds to requests typically seen by BPFDoor; it requires a communication path from the target back to the scanner. Note that this plugin is not compatible with Tenable.io and works with on-premise scanners only.
- Plugin IDs 130007 and 130006 provide coverage for CVE-2019-3010.
In addition, using the YARA scanner functionality, customers can use the YARA rules noted in the blog posts linked above to scan for infected hosts.
The Tenable Research team will continue to watch for developments on this backdoor and examine additional coverage options for our customers.