Cybersecurity researchers have uncovered a second harmful threat exploiting the Berkeley Packet Filter (BPF) on Linux systems. Tracked as BPFDoor, the malware could potentially be found on thousands of Linux devices, but more importantly, its controller has managed to remain undetected for years. The threat actors were able to perform surveillance and espionage activities on the compromised systems.
BPF is designed to facilitate high-performance packet tracing and network analysis. Its functionality has since been expanded even further with eBPF (extended BPF), which allows the sandboxed execution of code within the operating system kernel. Threat actors have realized how useful such a tool can be for tracing, hooking system calls, debugging, packet capturing and filtering, instrumentation and more.
BPFDoor, in particular, is capable of establishing backdoor access to the breached machines and allowing the remote execution of code. However, what the cybersecurity experts noted is the ability of the threat to perform its harmful functions without opening new network ports or adding firewall rules. According to the security researcher Kevin Beaumont, who analyzed BPFDoor, the threat can listen and react on existing ports, doesn't open any inbound network ports, doesn't involve an outbound C2 and can rename its own processes in Linux. The cybersecurity researchers who have been tracking BPFDoor for a while state that they have attributed the malware to a Chinese-linked threat actor tracked as Red Menshen.
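The two properties described above, reacting to traffic on ports it never opened and renaming its own process, are exactly what a defender can hunt for on a Linux host. A backdoor that sees packets without binding a port generally needs a raw packet socket, which shows up in /proc/net/packet, and a renamed process shows up as a mismatch between what argv[0] claims and what /proc/<pid>/exe actually points to. The following detection routine is an added example, not code from the article or from any of the researchers it cites; it assumes the raw-socket implementation detail just stated, and all process names, paths and inode numbers in it are constructed samples rather than real BPFDoor indicators.

```python
"""Hunt for raw packet sockets and renamed processes using /proc data.

Added example (not from the original article). Runs offline on constructed
samples; collect_live_processes() builds the same snapshot from a real /proc
on Linux when run with enough privilege to read other processes' fds.
"""
import os
import re
from pathlib import Path

SOCK_RAW = 3       # socket type for raw packet sockets in /proc/net/packet
ETH_P_ALL = 0x0003  # protocol value meaning "all Ethernet frames"

# Constructed sample in the layout of /proc/net/packet (header + one socket per line).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b00000000 3      3    0003   2     1 0      0      2378911
ffff9a1c00000000 3      3    0003   0     1 0      0      2400015
"""

# Constructed /proc snapshot: pid -> comm, exe link target, argv[0], socket inodes held as fds.
# Paths and names are placeholders, not indicators from any real sample.
SAMPLE_PROCESSES = {
    1:    {"comm": "systemd",  "exe": "/usr/lib/systemd/systemd", "argv0": "/sbin/init",
           "socket_inodes": {19}},
    812:  {"comm": "dhclient", "exe": "/usr/sbin/dhclient",       "argv0": "/usr/sbin/dhclient",
           "socket_inodes": {2378911}},
    2207: {"comm": "sshd",     "exe": "/dev/shm/placeholder-bin", "argv0": "/usr/sbin/sshd",
           "socket_inodes": {2400015, 17}},
}


def parse_packet_sockets(text):
    """Parse /proc/net/packet text into dicts with type, proto, iface and inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append({
            "type": int(fields[2]),
            "proto": int(fields[3], 16),  # proto is printed in hex
            "iface": int(fields[4]),      # 0 means bound to every interface
            "inode": int(fields[8]),
        })
    return sockets


def name_mismatch(proc):
    """True when argv[0]'s basename differs from the executable's basename.

    A weak signal on its own (init symlinks trigger it too), so it is combined
    with socket evidence rather than used alone.
    """
    return os.path.basename(proc["argv0"]) != os.path.basename(proc["exe"])


def raw_socket_owners(sockets, processes):
    """Map every SOCK_RAW packet socket to the process(es) holding its inode."""
    findings = []
    for sock in sockets:
        if sock["type"] != SOCK_RAW:
            continue
        for pid, proc in processes.items():
            if sock["inode"] in proc["socket_inodes"]:
                findings.append({
                    "pid": pid, "inode": sock["inode"], "proto": sock["proto"],
                    "all_ifaces": sock["iface"] == 0,
                    "comm": proc["comm"], "exe": proc["exe"],
                    "name_mismatch": name_mismatch(proc),
                })
    return findings


def triage(findings):
    """Return pids that both hold a raw packet socket and show a name mismatch."""
    return sorted({f["pid"] for f in findings if f["name_mismatch"]})


def collect_live_processes(proc_root="/proc"):
    """Build the same snapshot structure from a live /proc tree (Linux only)."""
    procs = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            exe = os.readlink(entry / "exe")
            argv0 = (entry / "cmdline").read_bytes().split(b"\0")[0].decode(errors="replace")
            comm = (entry / "comm").read_text().strip()
            inodes = set()
            for fd in (entry / "fd").iterdir():
                try:
                    m = re.match(r"socket:\[(\d+)\]", os.readlink(fd))
                except OSError:
                    continue
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:  # process exited or we lack permission; skip it
            continue
        procs[int(entry.name)] = {"comm": comm, "exe": exe, "argv0": argv0,
                                  "socket_inodes": inodes}
    return procs


if __name__ == "__main__":
    found = raw_socket_owners(parse_packet_sockets(SAMPLE_PROC_NET_PACKET), SAMPLE_PROCESSES)
    for f in found:
        print(f)
    print("needs a closer look:", triage(found))
```

On a real host, replace the constructed inputs with `Path("/proc/net/packet").read_text()` and `collect_live_processes()`. Legitimate software (DHCP clients, packet-capture tools, some monitoring agents) also holds raw sockets, which is why the routine reports every owner and only escalates those whose executable does not match what the process claims to be.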