Tom on Nostr: Been reading about this malware China is using written for Linux: and it struck me: ...
Been reading about this malware China is using written for Linux:
https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/

and it struck me: Why mount /tmp and /var/tmp without noexec, nodev, nosuid? Seems crazy to allow a directory anyone can write to, to run executables.
While we're at it, get rid of wget and curl and anything else that would allow them to even get a "dropper" on the system?
Isn't this common sense stuff?!
#infosec #opsec #malware
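A defender-side check for the mount options the post names, added here as an example (it is not code from the post or from the linked Sysdig article). It assumes /proc/mounts-style input and runs against constructed sample lines:

```shell
#!/bin/sh
# Audit mount options on world-writable temp directories.
# Input lines follow the /proc/mounts layout: device mountpoint fstype options dump pass

# Constructed sample lines for this example (not captured from a real host).
# /tmp lacks noexec; /var/tmp lacks all three flags; /run is fully hardened.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda2 /var/tmp ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec 0 0'

REQUIRED_FLAGS="noexec nodev nosuid"

# missing_flags <options>: print the required flags absent from a comma-separated option list
missing_flags() {
    opts=",$1,"
    missing=""
    for f in $REQUIRED_FLAGS; do
        case "$opts" in
            *",$f,"*) ;;                      # flag present
            *) missing="$missing $f" ;;       # flag absent
        esac
    done
    echo "${missing# }"
}

# audit_mounts <mountpoint>...: read mount lines on stdin and report each requested
# mount point as "<mnt>: OK" or "<mnt>: missing <flags>"
audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        for want in "$@"; do
            [ "$mnt" = "$want" ] || continue
            m=$(missing_flags "$opts")
            if [ -z "$m" ]; then
                echo "$mnt: OK"
            else
                echo "$mnt: missing $m"
            fi
        done
    done
}

# Run on the constructed sample. On a live host: audit_mounts /tmp /var/tmp < /proc/mounts
# A hardened /etc/fstab entry looks like: tmpfs /tmp tmpfs defaults,noexec,nodev,nosuid 0 0
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts /tmp /var/tmp
```

A mount point that is absent from the input produces no line at all, so a separate check that /tmp and /var/tmp are mounted (rather than plain directories on the root filesystem) is still needed.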
Published at 2025-04-21 12:26:31 UTC

Event JSON
{
"id": "8a794178f6f19bf0f8884a7d96f020b6b236fc8852f1f998444f3a3e0ae382fb",
"pubkey": "d3b1b283227f7bea4c696654b3218a0c60fd555de6c36176170278fa0baf1116",
"created_at": 1745238391,
"kind": 1,
"tags": [
[
"t",
"infosec"
],
[
"t",
"opsec"
],
[
"t",
"malware"
],
[
"proxy",
"https://mastodon.bsd.cafe/users/pertho/statuses/114375943196422947",
"activitypub"
],
[
"client",
"Mostr",
"31990:6be38f8c63df7dbf84db7ec4a6e6fbbd8d19dca3b980efad18585c46f04b26f9:mostr",
"wss://relay.mostr.pub"
]
],
"content": "Been reading about this malware China is using written for Linux: \n\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\n\nand it struck me: Why mount /tmp and /var/tmp without noexec, nodev, nosuid? Seems crazy to allow a directory anyone can write to, to run executables.\n\nWhile we're at it, get rid of wget and curl and anything else that would allow them to even get a \"dropper\" on the system? \n\nIsn't this common sense stuff?!\n\n#infosec #opsec #malware",
"sig": "7f6fadeb11fc3867433274b385f54685ecd266bfd06c17ae8799057b0da9901e684739269b2de030c692f9cd65d8d0fc9edf438c5fcda37f659ce9b3b978e353"
}