Over the last month, many of us have been enjoying the warm weather and taking time out for some R&R with friends and family. However, as we’re all too aware, threat actors continue their operations 24/7/365, and they’ve certainly been busy. One resurfacing threat, RotaJakiro, is a botnet targeting Linux machines, and has landed in Trusted Internet’s Top Five Detection List…
Coming in at Number Five: RotaJakiro, a Linux Backdoor, Makes a Comeback
While it’s been playing something of a game of hide-and-seek since 2018, a Linux malware dubbed RotaJakiro is making its presence known again. The malware changes how it uses encryption in order to fly under the radar. It supports 12 functions, including stealing and exfiltrating data, file and plugin management (including query, download, and delete), and reporting device information.
When we consider what devices RotaJakiro is currently targeting, things get interesting.
Headless Content Management Systems (CMSs) and Internet of Things (IoT) Devices in the Line of Fire
Our recent conversations with clients have focused on new RotaJakiro activity we’re detecting that targets headless content management systems (CMS) and Internet of Things (IoT) devices.
First, let’s clarify what I mean by “headless.” Essentially, it means there’s no keyboard or monitor – just the computer – typically an IoT device running an embedded Windows or Linux operating system, such as a camera system, network video recorder, or thermostat.
Being headless, these devices aren’t set up for automated updates unless the owner agrees to a risk-based statement within the end-user license agreements. As such, many represent low-hanging fruit for attackers. You may have heard back in May that researchers were warning users of Strapi, a popular headless CMS, to update their installations as soon as possible to fix two vulnerabilities that could lead to compromised administrative accounts.
In the last month, we’ve seen a significant uptick in threat activity explicitly targeting headless IoT devices within our clients’ systems. I believe attackers use RotaJakiro to find and exploit IoT, industrial control, or other headless systems running on embedded Linux.