A wave of cyberattacks has targeted multiple platforms this week, affecting Linux servers, macOS users, and cloud-based payment systems. Security researchers have identified a Linux rootkit, a macOS cryptocurrency stealer, and WebSocket skimmers as the primary threats in a series of incidents that began over the weekend.
The attacks come amid a broader pattern of persistent vulnerabilities. One report details how an attacker gained root access to a cloud server by exploiting a known bug that had not been patched for several years. The individual reportedly stumbled onto root access by accident but then kept control of the server for an extended period.
Linux Rootkit Discovered in Cloud Environments
Security firm CrowdStrike reported on Monday that a newly identified Linux rootkit, dubbed BPFDoor, has been found embedded within cloud server infrastructures. The malware allows attackers to execute arbitrary commands with root privileges while evading detection.
The rootkit was discovered after a system administrator noticed unusual network traffic patterns from a server running an outdated kernel. Once installed, the malware creates a backdoor that listens for specific packets, enabling remote code execution. The bug exploited for initial access was a remote code execution vulnerability in the server’s web management interface, which had been publicly disclosed two years prior.
macOS Crypto Stealer Targets Digital Wallets
Researchers at Malwarebytes have identified a new strain of macOS malware designed to steal cryptocurrency wallet keys. The malware, disguised as a legitimate cryptocurrency trading application, uses a technique called keychain dumping to extract credentials.
The stealer is distributed through fake developer accounts on the Mac App Store. Once installed, it prompts the user to input their system password, which is then used to access the macOS Keychain. The malware specifically targets files associated with popular digital wallets such as Exodus, Electrum, and Ledger Live.
WebSocket Skimmers Compromise E-Commerce Sites
A separate investigation by Sucuri revealed that attackers are now using WebSocket connections to deploy credit card skimmers on e-commerce websites. Unlike traditional JavaScript skimmers that inject malicious scripts into webpage forms, these WebSocket skimmers communicate directly with the server to intercept payment data.
The technique bypasses many standard security controls that check for inline script injections. The skimmer is placed on the checkout page and establishes a persistent WebSocket connection to a command-and-control server. Payment card data is transmitted in real time as the customer submits their order.
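As an added example, not taken from the Sucuri investigation or this article, the following JavaScript shows a defender-side guard for a checkout page: it wraps the WebSocket constructor so that any socket opened to an origin outside an allowlist is blocked and reported, which is the kind of control that surfaces a skimmer streaming card data over a persistent WebSocket. The page origin, the allowlist, the hypothetical report callback and the fake WebSocket class in the usage are constructed sample values; the declarative equivalent of the allowlist is a Content-Security-Policy connect-src directive.

```javascript
// Classify a WebSocket target URL against an allowlist of origins.
// Relative URLs resolve against the page origin, and http(s) schemes are
// mapped to ws(s) because the WebSocket API resolves them the same way.
function classifyWebSocketTarget(url, pageOrigin, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(url, pageOrigin);
  } catch (e) {
    return { allowed: false, origin: null, reason: 'unparseable-url' };
  }
  const scheme = { 'http:': 'ws:', 'https:': 'wss:' }[parsed.protocol] || parsed.protocol;
  if (scheme !== 'ws:' && scheme !== 'wss:') {
    return { allowed: false, origin: null, reason: 'non-websocket-scheme' };
  }
  // Compare scheme + host (+ non-default port) only; the path is irrelevant
  // because an unknown host is what matters for exfiltration.
  const origin = scheme + '//' + parsed.host;
  const allowed = allowedOrigins.includes(origin);
  return { allowed, origin, reason: allowed ? 'allowlisted' : 'unknown-origin' };
}

// Replace globalObj.WebSocket with a guarded constructor. Blocked attempts are
// collected in the returned array and passed to the optional report callback
// (hypothetical hook for your own telemetry beacon; constructed example).
function installWebSocketGuard(globalObj, pageOrigin, allowedOrigins, report) {
  const NativeWebSocket = globalObj.WebSocket;
  const violations = [];
  globalObj.WebSocket = function GuardedWebSocket(url, protocols) {
    const verdict = classifyWebSocketTarget(String(url), pageOrigin, allowedOrigins);
    if (!verdict.allowed) {
      const event = { url: String(url), origin: verdict.origin, reason: verdict.reason, page: pageOrigin };
      violations.push(event);
      if (report) report(event);
      throw new Error('WebSocket to ' + verdict.origin + ' blocked by checkout guard');
    }
    return new NativeWebSocket(url, protocols);
  };
  globalObj.WebSocket.prototype = NativeWebSocket.prototype;
  return violations;
}

// Constructed usage: a fake global with a stand-in WebSocket class.
class FakeWebSocket { constructor(url) { this.url = url; } }
const page = { WebSocket: FakeWebSocket };
const blocked = installWebSocketGuard(page, 'https://shop.example',
  ['wss://payments.shop.example'], (e) => console.log('blocked', e.origin));
```

Running the block and then attempting `new page.WebSocket('wss://cdn-metrics.example/collect')` throws and records one violation, while a socket to the allowlisted payments origin is created normally.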
Persistent Vulnerabilities Still Plague Enterprise Systems
The attacks highlight a recurring problem in enterprise cybersecurity: the slow patching of known vulnerabilities. In the case of the Linux server rootkit, the exploited bug was a privilege escalation vulnerability patched in early 2021. The server had not been updated for two years, leaving the system wide open to attack.
Similarly, the macOS stealer was able to function because users installed applications without verifying the developer’s identity. Apple had previously removed fake developer accounts from the App Store, but the malware authors created new accounts under different names.
Implications for Cloud Providers and End Users
Cloud service providers are now facing pressure to enforce stricter patching schedules. The recent incidents have led to discussions about automated patch management for infrastructure as a service (IaaS) customers. Some providers may implement mandatory scans for unpatched systems and restrict access for servers that fail compliance checks.
For end users, the key takeaway is the importance of verifying software sources. The macOS crypto stealer was downloaded by hundreds of users before Apple removed the fake application. Security experts recommend using hardware wallets for large cryptocurrency holdings and enabling two-factor authentication for all crypto exchanges.
Authorities have not yet named suspects in any of the attacks. The incidents across all three vectors are still under investigation by federal cybersecurity agencies. Industry analysts expect further disclosures as forensic analysis of the WebSocket skimmer infrastructure continues.
Source: Delimiter Online