
PoC rootkit Curing evades traditional Linux detection systems

Researchers created a PoC rootkit called Curing that uses Linux’s io_uring feature to evade traditional system call monitoring.

Armo researchers have demonstrated a proof-of-concept (PoC) rootkit named Curing that relies on Linux's asynchronous I/O mechanism, io_uring, to bypass traditional system call monitoring.

“Curing is a POC of a rootkit that uses io_uring to perform different tasks without using any syscalls, making it invisible to security tools which are only monitoring syscalls. The project was found effective against many of the most popular security tools such as Linux EDR solutions and container security tools,” reads the description provided by the researchers on GitHub. “The idea was born at the latest CCC conference #38c3, therefore the name Curing, which is a mix of C and io_uring.”

io_uring is a Linux API for asynchronous I/O. It uses ring buffers shared between user and kernel space, letting applications submit I/O operations without issuing system calls, which leaves security tools that rely solely on syscall monitoring blind to that activity.

io_uring was introduced in Linux kernel version 5.1 in March 2019.

“The rootkit demonstrates communication between a C2 server and an infected host to pull commands and execute them without making any system calls relevant to its operations,” reads the report published by the experts. “The main idea was to show that io_uring allows so many important operations that you can write an entire rootkit on top of.”

The researchers explained that, at the time of writing, io_uring supports 61 operations, including network and file system tasks. To demonstrate the real-world risk, they built a fully functional rootkit that relies entirely on io_uring.

The Curing PoC code for bypassing Falco and Tetragon runtime detection systems is available here.

Researchers speculate that many Linux EDRs are not able to monitor io_uring-based activity. Falco proved blind to such operations, but plans to add LSM hook support. Tetragon could detect io_uring if users manually configure Kprobes or LSM hooks. Microsoft Defender failed to detect various malicious actions like file reads, EICAR drops, and crypto miners, with only basic FIM alerts triggered. SentinelOne confirmed that its agent can detect and neutralize the attacks. Many commercial vendors were either vulnerable or unresponsive, suggesting io_uring rootkits pose a broad risk to current Linux security solutions.
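A defender-side check that does not depend on syscall tracing, added here as an example (not code from Armo or the Curing project): every io_uring instance is an anonymous inode, so a process that created one holds a file descriptor whose link under /proc/<pid>/fd reads `anon_inode:[io_uring]`. The script inventories such processes and reports the `kernel.io_uring_disabled` sysctl (present since Linux 6.6); the pids and process names in the sample /proc tree are constructed, and the "curing" name is hypothetical.

```python
import os
import tempfile
from pathlib import Path

IO_URING_LINK = "anon_inode:[io_uring]"  # link target of a ring fd under /proc/<pid>/fd
IO_URING_DISABLED = {  # kernel.io_uring_disabled sysctl, present since Linux 6.6
    "0": "enabled for all users",
    "1": "limited to CAP_SYS_ADMIN and members of kernel.io_uring_group",
    "2": "disabled for all users",
}

def find_io_uring_users(proc_root="/proc"):
    """Return (pid, comm, ring_fds) for every process that owns an io_uring instance."""
    found = []  # needs root to read other users' fd dirs; unreadable or exited pids are skipped
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = Path(proc_root, entry, "fd")
        try:
            fds = sorted(int(fd.name) for fd in fd_dir.iterdir() if os.readlink(fd) == IO_URING_LINK)
            if fds:
                comm = Path(proc_root, entry, "comm").read_text().strip()
                found.append((int(entry), comm, fds))
        except OSError:
            continue
    return sorted(found)

def io_uring_disabled_state(path="/proc/sys/kernel/io_uring_disabled"):
    """Describe the sysctl value, or None on kernels that predate the knob."""
    try:
        value = Path(path).read_text().strip()
    except FileNotFoundError:
        return None
    return IO_URING_DISABLED.get(value, "unexpected value " + value)

def build_sample_proc():
    """Constructed /proc snapshot with hypothetical pids and names, for offline runs."""
    root = Path(tempfile.mkdtemp(prefix="procfs-"))
    layout = {"1": ("systemd", {"0": "/dev/null", "5": "socket:[12345]"}),
              "4242": ("curing", {"0": "/dev/pts/0", "3": IO_URING_LINK, "7": IO_URING_LINK})}
    for pid, (comm, fds) in layout.items():
        (root / pid / "fd").mkdir(parents=True)
        (root / pid / "comm").write_text(comm + "\n")
        for fd, target in fds.items():
            (root / pid / "fd" / fd).symlink_to(target)
    (root / "sys" / "kernel").mkdir(parents=True)
    (root / "sys" / "kernel" / "io_uring_disabled").write_text("1\n")
    return str(root)
```

Run `find_io_uring_users()` with no argument as root on a live host to get the real inventory; legitimate io_uring users (databases, some runtimes) will appear too, so treat the list as a baseline to diff against rather than an alert on its own.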

“Today, many security vendors are shifting towards building eBPF-based agents, largely because eBPF is considered “safe” for use in products like EDR and CWPP.” concludes the report. “However, working with eBPF comes with inherent challenges and constraints, particularly due to its verifier, which imposes strict limitations on what code can be safely loaded. This makes the placement of hooks a critical decision.”

Pierluigi Paganini

(SecurityAffairs – hacking, Curing)