BleepingComputer reports that telecommunications providers have been mainly targeted by a custom BPFDoor malware implant, which has exploited an old security vulnerability in Solaris systems.
BPFDoor, also known as JustForFun, was developed by the threat actor DecisiveArchitect to leverage a three-year-old flaw in the XScreenSaver component of the Solaris operating system to gain root-level permissions, a report from CrowdStrike revealed. DecisiveArchitect has also been observed using the LD_PRELOAD environment variable; the report showed that the group's tactics, techniques, and procedures have been updated to use LD_PRELOAD to facilitate attacks on Linux systems and to load the malware within the /sbin/agetty process.
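The two Linux tradecraft details above, LD_PRELOAD injection and loading under the /sbin/agetty process name, are things a defender can hunt for directly in /proc. The following is an added example, not code from the CrowdStrike report or the BleepingComputer article: it reads live process records from /proc when run on a Linux host and, for an offline demonstration, also ships with constructed sample records (the process names, paths and the `/dev/shm/example-implant` and `/tmp/libsys.so` values are invented placeholders). It flags any process whose environment carries LD_PRELOAD and any process that calls itself `agetty` but whose executable is not the real agetty binary. The set of legitimate agetty paths is an assumption (merged-/usr hosts resolve /sbin to /usr/sbin).

```python
"""Hunt for LD_PRELOAD abuse and agetty masquerading via /proc.

Added example; not part of the CrowdStrike or BleepingComputer write-ups.
Runs against a live /proc on Linux, or against the constructed SAMPLE_PROCS.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: where a genuine agetty lives. /sbin/agetty is the path the
# report names; merged-/usr systems resolve it to /usr/sbin/agetty.
LEGIT_AGETTY: Set[str] = {"/sbin/agetty", "/usr/sbin/agetty"}


@dataclass
class Proc:
    pid: int
    comm: str                       # /proc/<pid>/comm (kernel's 15-char name)
    exe: Optional[str]              # readlink(/proc/<pid>/exe), None if unreadable
    cmdline: List[str]              # /proc/<pid>/cmdline split on NUL
    environ: Dict[str, str] = field(default_factory=dict)  # /proc/<pid>/environ


def read_procs(proc_root: str = "/proc") -> List[Proc]:
    """Collect one Proc per numeric /proc entry; unreadable processes are skipped."""
    procs: List[Proc] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited or is not readable by this user
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # kernel threads and processes owned by other users
        environ: Dict[str, str] = {}
        try:
            with open(os.path.join(base, "environ"), "rb") as f:
                for kv in f.read().split(b"\0"):
                    if b"=" in kv:
                        k, v = kv.split(b"=", 1)
                        environ[k.decode(errors="replace")] = v.decode(errors="replace")
        except OSError:
            pass  # environ is root-only for other users' processes
        procs.append(Proc(int(entry), comm, exe, cmdline, environ))
    return procs


def find_suspicious(procs: List[Proc], legit_agetty: Set[str] = LEGIT_AGETTY) -> List[str]:
    """Return one finding per process that sets LD_PRELOAD or fakes an agetty identity."""
    findings: List[str] = []
    for p in procs:
        if "LD_PRELOAD" in p.environ:
            findings.append(f"pid {p.pid} ({p.comm}): LD_PRELOAD={p.environ['LD_PRELOAD']}")
        claims_agetty = p.comm == "agetty" or (
            bool(p.cmdline) and os.path.basename(p.cmdline[0]) == "agetty"
        )
        if claims_agetty and p.exe is not None:
            # readlink appends " (deleted)" when the on-disk binary was removed
            real_exe = p.exe.split(" (deleted)")[0]
            if real_exe not in legit_agetty:
                findings.append(f"pid {p.pid}: claims to be agetty but exe is {p.exe}")
    return findings


# Constructed sample records for offline use; all values are invented.
SAMPLE_PROCS: List[Proc] = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd", ["/sbin/init"], {"PATH": "/usr/sbin:/usr/bin"}),
    Proc(812, "agetty", "/sbin/agetty",
         ["/sbin/agetty", "-o", "-p", "--", "\\u", "--noclear", "tty1", "linux"], {}),
    Proc(4123, "agetty", "/dev/shm/example-implant", ["/sbin/agetty", "--noclear", "tty7"], {}),
    Proc(4200, "sshd", "/usr/sbin/sshd", ["sshd: root@pts/0"],
         {"LD_PRELOAD": "/tmp/libsys.so", "HOME": "/root"}),
]


if __name__ == "__main__":
    source = read_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for line in find_suspicious(source) or ["no findings"]:
        print(line)
```

Run it as root to see every process's environ; as an unprivileged user the LD_PRELOAD check only covers your own processes, while the agetty identity check still works wherever /proc/<pid>/exe is readable. The comparison against a fixed path set is deliberately strict: a process that copies agetty's command line but runs from /dev/shm or /tmp is exactly the case the identity check is meant to surface.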
"DecisiveArchitect exhibits a high degree of operational security as part of their tactics to make it more difficult for defenders to identify and investigate their activity through the use of various defense evasion techniques," said CrowdStrike, which also detailed indicators of compromise in its report.