I'm concerned about the Imperial Project/Aeris exploit

Solution In Progress

Environment

Red Hat Enterprise Linux 6 and derivatives
Red Hat Enterprise Linux 5 and derivatives

Issue

I've read recent articles in the media talking about the Imperial Project/Aeris tool.
I'm concerned about malicious software on my Linux systems.
What are the details of the Aeris tool and attacks?

Resolution

Take action

This issue is currently under investigation. A user guide has been released but no code samples or packages used in any attacks are available at this time.

Details of how an attack gains persistence
An attacker must already be resident on a system to conduct the Aeris attack. The attacker would have access to any files or processes that the compromised account would normally have access to. To escalate privileges or reach data that account cannot normally access, other vulnerabilities or attack tools would have to be used.

Where indicators of compromise are found on a system, follow your organization's incident response practices and react accordingly.

To help prevent attacks like this, Red Hat recommends the use of SELinux to limit exposure of data and processes. SELinux should be run in enforcing mode (setenforce 1). The attack first collects data, then seeks to exfiltrate it over secure channels and in encrypted files. A recommended good practice for recognizing and stopping such behaviour is network traffic baselining and analysis, with alerting on or blocking of anomalous traffic, for any systems holding critical information. Network traffic can be managed and inappropriate access can be stopped using tools like iptables and firewalld.

Other security and configuration options for Red Hat products can be found in the documentation and security guides in the Documentation section of the Customer Portal.

References
WRAL Techwire

Root Cause

Recently published "Vault 7" documents describe a hacking campaign, code-named Imperial, that targets Linux-based systems. The Imperial project uses software called Aeris to run a series of commands to collect data, package and encrypt that data, and then ship that data back to Command-and-Control servers external to the affected system. Aeris itself is a customizable C-based program that is designed to work on multiple POSIX-based systems including Debian, FreeBSD, Solaris, RHEL and derivatives. It uses strong encryption to package and transmit gathered data. Aeris uses Python utilities to conduct its intelligence and defined actions.

Aeris is installed by dropping the binary into a directory of the attacker's choosing. Users of the toolkit have been instructed to generate their own file names and paths, which complicates blacklisting and detection. Once deployed, Aeris periodically reports back to a Listening Post (LP) server to deliver its payload. Aeris allows an attacker to combine up to 65,535 unique commands into a batch to be executed on compromised endpoints.

All communications Aeris uses are over HTTPS (TLS) using custom-issued certificates. All data exfiltrated will be encrypted then signed and transmitted over the mutually-authenticated secure channel to an upstream host (the Collide Automated Implant Command and Control system).

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
