At Elastic Security Labs, we uncovered PUMAKIT, a sophisticated multi-stage Linux malware with advanced rootkit capabilities. Initially identified through routine threat hunting on VirusTotal, PUMAKIT consists of a dropper (cron), two memory-resident executables, an LKM rootkit module, and a userland shared object (SO) …

Read More

At Elastic, we recognize the critical need for securing containerized applications in Kubernetes and cloud environments. To enhance runtime security, we’ve integrated Falco—an open-source cloud-native security tool—directly with Elastic Security. Falco leverages Linux kernel events and plugins to detect abnormal …

Read More

At Elastic Security Labs, we analyzed a critical set of vulnerabilities in the CUPS printing system, disclosed by security researcher Simone Margaritelli (@evilsocket) on September 26, 2024. These flaws, affecting CUPS versions ≤ 2.0.1, enable unauthenticated remote attackers to achieve remote code execution (RCE) via …

Read More

At Elastic Security Labs, we uncovered a sophisticated Linux malware campaign exploiting Apache2 servers since March 2024. Attackers used multiple malware families, including KAIJI (DDoS) and RUDEDEVIL (crypto miner), along with custom tools for persistence and control. They leveraged C2 channels disguised as kernel …

Read More

This research delves into large-scale malware analysis conducted by Elastic Security Labs, highlighting how Elastic ingest pipelines were used to filter out benign and duplicate data during dynamic malware analysis. By leveraging these pipelines, we efficiently managed vast datasets, enabling us to focus on identifying …

Read More