US government warns Linux flaw is now being exploited for ransomware attacks
A bug patched over a year ago is now being used for ransomware
- CVE-2024-1086, a Linux kernel flaw, is now exploited in active ransomware campaigns
- The bug enables local privilege escalation and affects major distros like Ubuntu and Red Hat
- CISA urges patching or mitigation, warning of significant risk to federal and enterprise systems

The US government is warning that a Linux flaw introduced more than a decade ago - and fixed more than a year ago - is being actively used in ransomware attacks.
In February 2014, a vulnerability was introduced into the Linux kernel via a commit. The bug was first disclosed in late January 2024, and described as a “use-after-free weakness in the netfilter: nf_tables kernel component”. It was fixed later that month and assigned the identifier CVE-2024-1086. It carries a severity score of 7.8/10 (high) and can be exploited to achieve local privilege escalation.
A few months after the patch was released, security researchers published proof-of-concept (PoC) exploit code, demonstrating how to achieve local privilege escalation, and reporting that the bug affects most major Linux distros, including Debian, Ubuntu, Fedora, and Red Hat.
Updates to KEV
The US Cybersecurity and Infrastructure Security Agency (CISA), a government agency responsible for protecting the nation’s critical infrastructure from physical and cyber threats, added the bug to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and gave Federal Civilian Executive Branch (FCEB) agencies until June 20, 2024, to patch up or stop using the vulnerable software entirely.
When CISA adds a bug to KEV, it means that it found compelling evidence that the bug is being actively used in the wild.
Now, CISA has updated its KEV entry for the bug, saying that it is now known to be used in ransomware campaigns. Unfortunately, it didn’t say which threat actor was using it, or who its targets were.
In any case, if you haven’t already, make sure to patch your Linux distros, or at least block the ‘nf_tables’ module, restrict access to user namespaces, or load the Linux Kernel Runtime Guard (LKRG) module, since these are known mitigations. While the mitigations might work, they might also destabilize the system, so patching still remains the best advice.
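As an added illustration (not code from the article, CISA, or any vendor advisory), here is a small POSIX sh checker for the three mitigations the paragraph above lists: whether nf_tables is loaded, whether unprivileged user namespaces are restricted, and whether LKRG is present, plus the modprobe fragment that stops nf_tables from autoloading. The sysctl names `user.max_user_namespaces` (mainline) and `kernel.unprivileged_userns_clone` (Debian-derived kernels) and the LKRG module name `lkrg` are assumptions about the host; the functions take their inputs as arguments or on stdin so they can be exercised without touching the running kernel.

```shell
#!/bin/sh
# Added example: checks for the CVE-2024-1086 mitigations named in the article.
# Assumptions: Linux host with /proc mounted; sysctl names and the LKRG module
# name "lkrg" are assumed, not taken from the article.

# module_loaded NAME - reads a /proc/modules-style listing on stdin,
# returns 0 when NAME appears as a loaded module.
module_loaded() {
    grep -q "^$1 "
}

# userns_status MAX CLONE - classify user-namespace exposure from two sysctl values:
#   MAX   = user.max_user_namespaces (0 disables user namespace creation entirely)
#   CLONE = kernel.unprivileged_userns_clone (Debian-derived kernels; "n/a" if absent)
# Prints "restricted" when unprivileged users cannot create user namespaces, else "open".
userns_status() {
    if [ "$1" = "0" ] || [ "$2" = "0" ]; then
        echo restricted
    else
        echo open
    fi
}

# nft_blacklist_conf - modprobe fragment that prevents nf_tables from being autoloaded.
# Caveat: on hosts whose firewall is nftables (or iptables-nft) this disables the
# firewall, which is the kind of destabilisation the article warns about; patch instead.
nft_blacklist_conf() {
    printf 'install nf_tables /bin/false\n'
}

# sysctl_value NAME - read /proc/sys/<name with dots as slashes>, or "n/a" if absent.
sysctl_value() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo n/a; fi
}

# Live report against this host; runs only when invoked as:
#   sh check-cve-2024-1086.sh --live
if [ "${1:-}" = "--live" ]; then
    if module_loaded nf_tables </proc/modules; then
        echo "nf_tables: loaded"
    else
        echo "nf_tables: not loaded"
    fi
    echo "user namespaces: $(userns_status \
        "$(sysctl_value user.max_user_namespaces)" \
        "$(sysctl_value kernel.unprivileged_userns_clone)")"
    if module_loaded lkrg </proc/modules; then
        echo "LKRG: loaded"
    else
        echo "LKRG: not loaded"
    fi
    echo "To block nf_tables, place this in /etc/modprobe.d/cve-2024-1086.conf:"
    nft_blacklist_conf
fi
```

A host that reports nf_tables loaded, user namespaces open and no LKRG has none of the listed mitigations in place and should be treated as exposed until the kernel is updated; a "restricted" user namespace result removes the usual unprivileged path for loading nf_tables, but only a patched kernel removes the bug.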
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said. "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.