Hacker: Useful eBPF packet filter has many vulnerabilities

The extended Berkeley Packet Filter (eBPF) runs small programs embedded in the operating system kernel and uses them, among other things, to filter network packets. The technology supports administrators in managing and protecting computers and networks. What administrators and security teams rarely take sufficiently into account, however, is that the packet filter also has numerous weaknesses that hackers can easily abuse in a cyber attack.

The extended Berkeley Packet Filter is a special-purpose virtual machine that allows sandboxed programs to run in a privileged context such as the operating system kernel. It provides an interface at the data link layer for handling individual data units. The technology supports both the administration and the protection of computers and networks.

Extended Berkeley Packet Filter - useful and dangerous

eBPF can be used to filter data packets so that irrelevant data does not slow down PC and network performance. Unusable or faulty data records can be rejected or repaired from the outset. eBPF also enables new firewall and intrusion detection solutions, the defense against DDoS attacks, and audits of applications and operating system functions. This makes eBPF a valuable aid in defending against cyber attacks. But the packet filter also has numerous weaknesses, and cybercriminals can exploit them easily, often unnoticed by security teams and security tools.

For example, attackers can target the eBPF verifier, which validates eBPF programs before they run in the kernel context. If they then discover a vulnerability in the kernel that allows unauthorized code to run, they can initiate a privilege escalation scenario and elevate their access privileges to launch a broader attack, for example a container or sandbox escape. The attacker then moves from the isolated container to the underlying host, from where he can penetrate other containers or carry out actions on the host itself.

Rootkit upload via eBPF program

Another starting point for attackers is to use eBPF programs to install a rootkit on a victim's computer and implant it in the operating system kernel. To operate an eBPF rootkit undetected by security teams and security solutions, the attacker only needs to attach to a tracepoint at system call entry, which gives unnoticed access to all system call parameters.

The installed rootkit is then able to use the XDP and TC infrastructures to manipulate access and communication or to extract sensitive data from the network. It can hide itself, persist through various hook points, elevate process privileges, and even create backdoors. Such 'eBPF malware' is a real problem because most traditional endpoint protection solutions cannot detect it. Gal Yaniv, a member of Cymulate's SecDev team, recently showed in a blog post how easily hackers can use eBPF rootkits unnoticed in a Linux environment.
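Defenders can at least make such hooks visible and close the easiest loading path. The following added example (not from the article or from Cymulate) parses the JSON that `bpftool prog show -j` prints, flags programs attached at tracepoints, kprobes, XDP or TC whose loading process is not on an allow-list, and checks the two sysctls that restrict who may load eBPF programs (this also addresses the verifier attack surface described above). The bpftool output embedded below is constructed, not a real capture, and the `pids` field is only present on kernels and bpftool versions that report it.

```python
"""Audit loaded eBPF programs and BPF hardening sysctls (added example)."""
import json
import subprocess

# Hook types an eBPF rootkit typically uses: syscall tracepoints, XDP, TC.
SUSPECT_TYPES = {"tracepoint", "raw_tracepoint", "kprobe", "xdp", "sched_cls", "sched_act"}

# Recommended sysctl values: forbid unprivileged bpf(), fully harden the JIT.
HARDENING = {"kernel.unprivileged_bpf_disabled": 1, "net.core.bpf_jit_harden": 2}

# Constructed sample of `bpftool prog show -j` output (not a real capture).
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 57, "type": "xdp", "name": "xdp_ratelimit", "pids": [{"pid": 901, "comm": "ddos-guard"}]},
    {"id": 88, "type": "tracepoint", "name": "syscall_trace", "pids": [{"pid": 4242, "comm": "ld.so"}]},
    {"id": 91, "type": "sched_cls", "name": "tc_egress"},
])


def audit_bpf_programs(bpftool_json, approved_loaders):
    """Return (id, type, name, loader) for suspect-type programs not owned by an approved process.
    A program with no owning pid is normal for attached XDP/TC programs, so such a
    finding is a triage lead to compare against a known-good baseline, not proof."""
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in SUSPECT_TYPES:
            continue
        loaders = {p["comm"] for p in prog.get("pids", [])}
        if loaders and loaders <= set(approved_loaders):
            continue  # every owning process is on the allow-list
        owner = ",".join(sorted(loaders)) or "<no owner pid>"
        findings.append((prog["id"], prog["type"], prog.get("name", ""), owner))
    return findings


def check_bpf_hardening(sysctls):
    """Return the hardening sysctls whose current value is weaker than recommended."""
    return [k for k, v in HARDENING.items() if int(sysctls.get(k, 0)) < v]


def live_audit(approved_loaders):
    """Audit this host (needs root and bpftool); returns the same tuples as above."""
    out = subprocess.run(["bpftool", "prog", "show", "-j"], check=True,
                         capture_output=True, text=True).stdout
    return audit_bpf_programs(out, approved_loaders)


if __name__ == "__main__":
    for finding in audit_bpf_programs(SAMPLE_BPFTOOL_JSON, {"systemd", "ddos-guard"}):
        print("suspect eBPF program: id=%s type=%s name=%s loader=%s" % finding)
    print("weak sysctls:", check_bpf_hardening({"kernel.unprivileged_bpf_disabled": "0"}))
```

On a real host, feed `check_bpf_hardening` the values read from `/proc/sys/kernel/unprivileged_bpf_disabled` and `/proc/sys/net/core/bpf_jit_harden`, and compare `live_audit` output against a baseline taken on a clean system.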


Dangerous: eBPF can be found in more and more IT infrastructures

And yet eBPF is being used more and more frequently as a packet filter in IT infrastructures, without major security concerns on the part of administrators, IT and IT security teams. Because eBPF rootkits are virtually invisible to traditional endpoint security solutions, these teams are often unaware of the risks that deploying an eBPF packet filter brings with it. We can only advise taking the initiative here at last and looking more closely at eBPF. As Gal Yaniv has already pointed out, there is only one way to be really sure that IT environments are protected against this type of attack: emulate, emulate and emulate again.

More at Cymulate.com

About Cymulate

Cymulate's solution for cybersecurity risk validation and exposure management gives security professionals the ability to continuously validate and optimize their cybersecurity posture on-premises and in the cloud, with end-to-end visualization via the MITRE ATT&CK® framework. The platform offers automated, expert- and threat-intelligence-driven risk assessments that are easy to implement and usable by organizations of all cybersecurity maturity levels. In addition, it provides an open framework for creating and automating red and purple teaming exercises, tailoring penetration scenarios and advanced attack campaigns to specific environments and security policies.
