One of the latest variants of Gafgyt targets Linux-based systems with weak SSH passwords to ultimately install cryptocurrency miners. Aqua Runtime Protection is particularly effective at defending against this variant’s use of fileless execution and its cryptomining payload, enabling enterprises to protect their critical AI infrastructure.
Step-by-Step Guide
1. Create a Runtime Policy
Log in to the Aqua console and go to Workload Protection > Policies > Runtime Policies.
2. Add a Container Runtime Policy
Click Add Policy, give it a name, and choose Container Runtime Policy from the list.
3. Enable Key Runtime Controls
Enable protections such as:
- Block Cryptocurrency Mining
- Block Fileless Execution
4. Set the Enforcement Mode
Set the Enforcement Mode to Audit to monitor activity or Enforce to actively block malicious behavior.
For more prevention and remediation strategies, including Aqua’s Runtime Protection Policies, visit our Support Portal.
Gafgyt: An Old Threat with a New Twist
You may not be able to teach an old dog new tricks, but malware is a different beast altogether.
Gafgyt, also known as Bashlite or Lizkebab, first emerged in 2014 as malware targeting Internet of Things (IoT) devices, exploiting weak SSH credentials to gain control of devices and recruit them into massive botnets. Since then, Gafgyt’s source code has been leaked, which has fueled the emergence of new versions and adaptations. One of these newer variants is looking beyond IoT devices, targeting cloud native environments with ample CPU and GPU computational power.
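The initial access described above is plain password guessing against SSH, which leaves a very recognisable trail in the sshd log. The following is an added detection example, not code from Aqua or from this post: it parses OpenSSH "Failed password" / "Accepted password" lines, counts failures per source address in a sliding window, and raises the severity when a successful password login follows a burst from the same address (the signature of a guessed weak password). The log lines, hostnames, addresses, the 60-second window and the threshold of five failures are all constructed assumptions for the example; tune them to your own environment.

```python
"""SSH password-guessing detector over sshd log lines (added example, not Aqua's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Standard OpenSSH auth-log lines: syslog timestamp, host, sshd[pid], message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log: a 5-attempt burst from one address that ends in a
# successful root login, plus one harmless typo from a second address.
SAMPLE_LOG = """\
Mar 12 10:00:01 gpu-node sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 12 10:00:03 gpu-node sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar 12 10:00:05 gpu-node sshd[1205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 12 10:00:08 gpu-node sshd[1207]: Failed password for invalid user ubuntu from 203.0.113.7 port 50128 ssh2
Mar 12 10:00:11 gpu-node sshd[1209]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar 12 10:00:14 gpu-node sshd[1211]: Accepted password for root from 203.0.113.7 port 50132 ssh2
Mar 12 10:05:00 gpu-node sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
""".splitlines()


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so the values are comparable."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(lines, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Return {source_ip: finding} for every address with at least one failure.

    severity: "high"   burst of failures followed by an accepted password login
              "medium" burst of failures, no success seen
              "low"    isolated failures below the threshold
    """
    failures = defaultdict(list)   # ip -> [(time, user), ...]
    successes = defaultdict(list)  # ip -> [(time, user), ...]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            successes[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        # Sliding window: largest number of failures inside any window_seconds span.
        max_in_window, start = 0, 0
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        burst = max_in_window >= threshold
        first_fail = attempts[0][0]
        success_after = any(t >= first_fail for t, _ in successes.get(ip, []))
        findings[ip] = {
            "failures": len(attempts),
            "max_in_window": max_in_window,
            "users_tried": sorted({u for _, u in attempts}),
            "success_after_burst": burst and success_after,
            "severity": "high" if burst and success_after else "medium" if burst else "low",
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

Run it against a real `/var/log/auth.log` (or `journalctl -u ssh`) by feeding the lines to `analyze`; a "high" finding is the case to act on first, since it means a password was guessed and the host should be treated as compromised rather than merely probed.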
The reason behind this shift quickly becomes clear once you look at the new attack pattern. This Gafgyt variant aims to monetize the botnet by installing a cryptocurrency miner known as XMRig via fileless execution. To mine crypto effectively, it needs hosts with strong CPU and GPU capabilities.
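Fileless execution on Linux typically means the miner binary is loaded from an anonymous memory file (memfd) or is unlinked from disk right after it starts, so a file scanner never sees it, but the running process still betrays itself through `/proc`. The block below is an added example written for this post, not Aqua's detection logic: it classifies process records by the target of the `/proc/<pid>/exe` link (a `/memfd:` prefix, a `(deleted)` suffix, or a world-writable temp directory) and by miner markers in the command line (the `xmrig` name, `stratum+tcp://` / `stratum+ssl://` pool URLs, the `--donate-level` flag). The sample process records, the marker list and the temp-directory list are constructed assumptions; `scan_live_proc` reads the real `/proc` on a Linux host.

```python
"""Fileless-execution and cryptominer indicators from /proc (added example, not Aqua's code)."""
from __future__ import annotations
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    exe: str      # target of the /proc/<pid>/exe symlink, as readlink returns it
    cmdline: str  # argv joined by spaces


# Assumed indicator lists for the example; extend them from your own telemetry.
MINER_MARKERS = ("xmrig", "stratum+tcp://", "stratum+ssl://", "--donate-level")
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed sample: a memfd-backed miner, a deleted dropper in /tmp, and two benign processes.
SAMPLE_PROCS = [
    Proc(1, "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(2200, "/usr/bin/python3.11", "python3 train.py --epochs 10"),
    Proc(4101, "/memfd:kworker (deleted)",
         "kworker -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 0"),
    Proc(5120, "/tmp/.x (deleted)", "./.x"),
]


def classify(p: Proc) -> list[str]:
    """Return the list of reasons this process looks like fileless execution or a miner."""
    reasons = []
    if p.exe.startswith("/memfd:"):
        # Linux renders an exe backed by memfd_create() as "/memfd:<name> (deleted)".
        reasons.append("fileless: executable backed by memfd, never written to disk")
    elif p.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked from disk after start")
    if p.exe.startswith(TEMP_DIRS):
        reasons.append("executable in world-writable temp directory")
    lowered = p.cmdline.lower()
    for marker in MINER_MARKERS:
        if marker in lowered:
            reasons.append(f"cryptominer indicator in cmdline: {marker}")
    return reasons


def scan_records(procs) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that triggered at least one indicator."""
    return {p.pid: r for p in procs if (r := classify(p))}


def scan_live_proc() -> dict[int, list[str]]:
    """Walk the real /proc; run as root to see every process's exe link."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited or permission denied (kernel threads have no exe)
        procs.append(Proc(int(entry), exe, cmd))
    return scan_records(procs)


if __name__ == "__main__":
    for pid, reasons in scan_records(SAMPLE_PROCS).items():
        print(pid, reasons)
```

A memfd-backed executable is not malicious on its own (some runtimes and self-updating daemons use it), which is why the classifier reports reasons rather than a verdict: a memfd process that also talks to a stratum pool is the combination worth an alert, while a lone temp-directory hit is a candidate for a cleanup ticket.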
With businesses worldwide expanding their use of AI, this variant of Gafgyt is particularly dangerous. Gafgyt is now targeting these critical AI environments directly, threatening to drive up cloud costs and degrade cloud performance if it gains access.
Defense in Depth: The Key to Stopping Gafgyt
Gafgyt isn’t a complex malware, but it is brutally efficient at capitalizing on forgotten exposures and configuration creep. Defense in depth is a practical way to stop a primitive but persistent threat like Gafgyt from ever succeeding.
The Aqua Platform gives you defense in depth with a single, unified platform for protecting your AI environments. You can use Aqua’s CSPM capabilities to surface SSH that may be exposed unintentionally and Aqua’s advanced Runtime Protection capabilities to detect and stop malicious activity in production.
Aqua Runtime Protection is particularly effective at defending against this variant of Gafgyt. It uses a unique technology that monitors your container’s kernel for malicious behavior. These detection capabilities are continually updated based on cutting-edge research into real-world attacks. Since Gafgyt uses fileless execution as well as numerous other malicious and suspicious techniques, Aqua will instantly flag it as a cyberattack. Aqua can also detect and automatically block the cryptomining payload.
To learn more about this new Gafgyt variant and what you can do to protect your AI workloads against it, read our blog Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments.
Don’t wait for an attack to reveal the gaps
Contact your Aqua Sales Representative or Customer Success Manager today to learn how Aqua runtime security helps to protect against real-world malware like Gafgyt.