
Linux vulnerability exploit bypasses security services


Researchers at the Israeli company ARMO have discovered a blind spot in most security services on Linux. It allows attackers to carry out malicious activities undetected. To demonstrate it, ARMO built a proof-of-concept rootkit named ‘Curing’, which shows how the Linux io_uring framework can be exploited to bypass detection mechanisms.

This rootkit contains a covert attack method that uses io_uring, a Linux asynchronous I/O framework, to carry out malicious activities without being detected by traditional detection mechanisms.

Blind spot in security solutions

Security tools rely heavily on system calls to detect threats. Anything that bypasses these calls can fly under the radar of such tools. By exploiting this blind spot, attackers can carry out malicious operations without triggering the typical signals that security solutions rely on. The focus on ‘known bad’ is open to criticism for several reasons, as Global Field CISO Maximilian Heinemeyer of Darktrace recently explained to Techzine.

Linux systems have long been the target of various attack techniques. In early 2024, for example, a botnet called NoaBot was discovered that targeted Linux devices for cryptomining activities. However, this new attack method via io_uring poses a more advanced threat because it is specifically designed to bypass security systems.

eBPF security issue

The discovery of this new attack method is relevant for many Linux agent-based detection solutions. It is particularly significant for eBPF, which has been widely adopted for monitoring and security and is very popular with security vendors.

eBPF sits in a gray area between kernel and user mode. It is a powerful technology with many advantages, but vendors should know that monitoring system calls does not provide visibility into certain low-level operations performed via io_uring.

By exploiting this shortcoming, attackers can perform various actions, including establishing network connections or accessing and modifying files, without detection by traditional security solutions from major open source projects and commercial security companies.

In September 2024, a vulnerability was also discovered in the Linux CUPS printing system, demonstrating that Linux systems remain vulnerable to new attack vectors and in ever-changing ways.

A wake-up call

“This evasion technique has been available since io_uring was added to the Linux kernel, but until now, no one had developed a fully functional rootkit that demonstrated its true potential,” said Ben Hirschberg, CTO and co-founder at ARMO.

“Leading cybersecurity vendors are still treating Linux as a second-class citizen. This is a huge gap, especially with the widespread cloud-native adoption, which is mostly Linux based. This is a wake-up call for the entire cybersecurity industry that cloud-native security is a discipline in its own right.”

Protective measures

ARMO has released the Curing rootkit to the public to help cybersecurity professionals test whether io_uring is enabled and in use in their environments. This allows organizations to identify potential risks and take action.

ARMO protects against these types of stealthy attacks with ARMO Cloud Application Detection & Response (CADR) and ARMO’s automatic Seccomp Profile management, which allows users to disable unused system calls such as the io_uring system calls.
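As an added example (not ARMO's code and not the Curing rootkit), the script below performs the two defensive checks the article mentions: it finds processes that currently hold an io_uring instance, reads the kernel-level kill switch, and emits a seccomp profile that blocks the io_uring system calls. It assumes Linux /proc semantics (an io_uring instance appears as a file descriptor whose link target is anon_inode:[io_uring]), that the kernel.io_uring_disabled sysctl exists only on Linux 6.6 and newer, and that the seccomp JSON follows the Docker/containerd profile format.

```python
import json
import os
from pathlib import Path

IO_URING_SYSCALLS = ["io_uring_setup", "io_uring_enter", "io_uring_register"]
IO_URING_FD = "anon_inode:[io_uring]"  # readlink target of an io_uring fd


def count_io_uring_fds(fd_targets):
    """Count how many fd link targets point at an io_uring instance."""
    return sum(1 for t in fd_targets if t == IO_URING_FD)


def scan_proc(proc_root="/proc"):
    """Return {pid: io_uring_fd_count} for every process holding one.
    Processes may exit mid-scan or be unreadable without ptrace access;
    both cases are skipped so one failure does not abort the sweep."""
    found = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            targets = [os.readlink(fd) for fd in (entry / "fd").iterdir()]
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        n = count_io_uring_fds(targets)
        if n:
            found[int(entry.name)] = n
    return found


def io_uring_disabled_state(path="/proc/sys/kernel/io_uring_disabled"):
    """Read kernel.io_uring_disabled (Linux 6.6+): 0 = enabled,
    1 = denied to unprivileged users, 2 = disabled for everyone.
    Returns None on older kernels where the sysctl does not exist."""
    try:
        return int(Path(path).read_text().strip())
    except FileNotFoundError:
        return None


def seccomp_profile():
    """Docker/containerd-style seccomp profile: the three io_uring
    syscalls fail with EPERM (errno 1); everything else is allowed."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [{"names": IO_URING_SYSCALLS,
                      "action": "SCMP_ACT_ERRNO", "errnoRet": 1}],
    }


if __name__ == "__main__":
    print("kernel.io_uring_disabled =", io_uring_disabled_state())
    print("processes holding io_uring fds:", scan_proc())
    print(json.dumps(seccomp_profile(), indent=2))
```

A non-empty result from scan_proc() is not proof of compromise, since legitimate software (databases, runtimes) also uses io_uring; it tells you where syscall-based monitoring has a gap.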