The malware hunts for older Linux kernels, including versions 2.6.18, 2.6.18-164, 2.6.31, and 2.6.37. That covers up to roughly 3% of internet-facing Linux servers, Flare estimates.
However, it could be as much as 10% in what Flare calls long-tail environments, such as legacy hosting providers, abandoned VPS images, outdated appliances, industrial/OT gear, or niche embedded deployments.
The kernel exploit inventory includes 16 different CVEs, five dating back to 2009 and three to 2010. Judging by the components of the malware, the operator likely understands kernel version fingerprinting, privilege escalation chaining, and mass exploitation workflows, even if they aren’t developing novel exploits, the report says.



