Perfctl malware infects thousands of Linux hosts since 2021

ArsTechnica has an article about the thousands of Linux systems infected by this well-designed malware, which has been dubbed Perfctl. One vulnerability it exploits, CVE-2023-33246, is in Apache RocketMQ versions 5.1.0 and below. The ArsTechnica article also references CVE-2021-4043, which affects GPAC, a multimedia framework.

The ArsTechnica article contains significant detail about the malware, how it infects servers, and how it protects itself. An article from Aqua claims that this malware targets millions of Linux servers.

The bad news

Although only two vulnerabilities, the CVEs listed above, are currently known to be exploited, the methods used by this Perfctl malware can be used against thousands of others. Perfctl is designed to look for any of up to 20,000 vulnerabilities, most of which are common software misconfigurations and unpatched software. That opens up a pool of millions of Linux servers that may be misconfigured or whose software hasn’t been kept properly updated.

The good news

So in the three years Perfctl has been trying to infect Linux servers, it has only managed to crack into “thousands,” not the millions we typically see for Windows infections within a few hours or days.

Hosts that have been kept current with updates and patches are far less likely to be infected. Properly configured server software, especially software with outward-facing interfaces such as web sites, is also much less vulnerable.

Be safe

Keep all your hosts current with updates and upgrades. I know that the Pointy Haired Bosses want to maintain the status quo because updates mean changes and possible problems, but the consequences of not performing updates are far worse. And check all your servers, especially those that allow incoming connections from the Internet, to ensure that they are properly configured.
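As an added illustration of the two checks recommended above (this is not code from the original post, from ArsTechnica, or from Aqua), the following POSIX shell script reports sockets bound to every interface and counts pending package updates. It assumes iproute2's `ss` and either `apt` or `dnf` are present; the sample `ss` and `apt` output embedded in it is constructed for offline testing, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal host audit covering
# the two things recommended above, pending updates and services that
# accept connections from any address. Assumes iproute2's `ss` and either
# `apt` or `dnf`; the sample data below is constructed, not real output.

# Read `ss -tulnH` style lines on stdin and print the protocol and local
# address:port of every socket bound to all interfaces (0.0.0.0, ::, or *).
# Sockets bound to loopback or to one specific address are skipped.
exposed_listeners() {
    awk '{
        addr = $5                      # column 5 is Local Address:Port
        sub(/:[^:]*$/, "", addr)       # drop the trailing :port
        gsub(/\[|\]/, "", addr)        # [::] -> ::
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            print $1, $5
    }'
}

# Read `apt list --upgradable` output on stdin and print the number of
# packages with a newer version available.
count_upgradable() {
    awk '/\[upgradable from:/ { n++ } END { print n + 0 }'
}

# Constructed sample data (not captured from a real host) so the parsers
# can be exercised offline.
SAMPLE_SS='tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128  [::]:22         [::]:*
tcp   LISTEN 0 4096 127.0.0.1:631   0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:68      0.0.0.0:*
tcp   LISTEN 0 511  10.0.0.5:8080   0.0.0.0:*'

SAMPLE_APT='Listing... Done
examplepkg/stable-security 1.2.3-2 amd64 [upgradable from: 1.2.3-1]
otherpkg/stable 4.5.6-1 all [upgradable from: 4.5.5-1]'

# Run the checks against the live host. Each tool is optional so the script
# degrades gracefully on a machine that lacks it.
audit_host() {
    echo "== Sockets accepting connections on any interface =="
    if command -v ss >/dev/null 2>&1; then
        ss -tulnH | exposed_listeners
    else
        echo "(ss not found; skipped)"
    fi

    echo "== Pending package updates =="
    if command -v apt >/dev/null 2>&1; then
        apt list --upgradable 2>/dev/null | count_upgradable
    elif command -v dnf >/dev/null 2>&1; then
        # `dnf check-update` lists one "name.arch version repo" line per
        # pending update; counting three-field lines is a close approximation.
        dnf -q check-update 2>/dev/null | awk 'NF == 3 { n++ } END { print n + 0 }'
    else
        echo "(neither apt nor dnf found; skipped)"
    fi
}

# `sh audit.sh --run` audits the host; with no argument only the functions
# and sample data are defined, which keeps the file sourceable for testing.
case "${1:-}" in
    --run) audit_host ;;
esac
```

Anything the first section prints is a service reachable from whatever networks the host sits on, which is exactly the set of software the post says deserves a configuration review; a non-zero count in the second section is the backlog of patches the Pointy Haired Bosses are asking you to defer.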
