| <quote>
Preventative Mitigations

NOTE: The mitigations that follow are not meant to protect against the initial access vector. The mitigations are designed to prevent Drovorub’s persistence and hiding technique only.

Apply Linux Updates

System administrators should continually check for and run the latest version of vendor-supplied software for computer systems in order to take advantage of software advancements and the latest security detection and mitigation safeguards (National Security Agency, 2018). System administrators should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement.

Prevent Untrusted Kernel Modules

System owners are advised to configure systems to load only modules with a valid digital signature, making it more difficult for an actor to introduce a malicious kernel module into the system. An adversary could use a malicious kernel module to control the system, hide, or persist across reboots (National Security Agency, 2017).

Activating UEFI Secure Boot is necessary to ensure that only signed kernel modules can be loaded. This requires a UEFI-compliant platform configured in UEFI native mode (not legacy or compatibility modes) in Thorough or Full enforcement mode. Once enabled, Secure Boot creates an integrity chain at boot by verifying signatures of firmware, bootloader(s), and Machine Owner Key (MOK). The kernel, initial filesystem, and kernel modules are then verified by this MOK, which is distributed with Secure Boot-ready Linux distributions. Components with untrusted or absent signatures are denied from execution by Secure Boot policy. Enabling Secure Boot may prevent some products from loading, potentially affecting system functionality, and may require custom configuration (National Security Agency, 2017).
</quote> |
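The quoted mitigations name three controls (a kernel of 3.7 or later, kernel module signature enforcement, and UEFI Secure Boot) but give no way to verify a host actually has them. The following audit script is an added example, not part of the NSA/FBI advisory quoted above. It assumes the standard Linux interfaces for these settings: uname -r for the release, /sys/module/module/parameters/sig_enforce for module signature enforcement, /proc/sys/kernel/tainted for the out-of-tree (bit 12) and unsigned-module (bit 13) taint flags, /sys/kernel/security/lockdown for the lockdown mode, the SecureBoot variable under efivarfs (EFI global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c), and kmod's modinfo. The helpers take their inputs as arguments so they can be exercised against constructed values; the last function applies them to the live host.

```shell
#!/bin/sh
# Added audit script for the Drovorub mitigations quoted above (not the advisory's
# own code). Helpers accept their input as arguments; audit_host reads the live
# system. Paths below are the usual Linux procfs/sysfs/efivarfs locations.

# kernel_at_least MAJOR MINOR RELEASE: true if RELEASE (uname -r style) >= MAJOR.MINOR.
# Module signing (CONFIG_MODULE_SIG) exists from 3.7 onward, as the advisory notes.
kernel_at_least() {
    want_major=$1; want_minor=$2; rel=$3
    major=$(printf '%s' "$rel" | cut -d. -f1)
    case "$rel" in
        *.*) minor=$(printf '%s' "$rel" | cut -d. -f2 | sed 's/[^0-9].*//') ;;  # "15.0-91-generic" -> 15
        *)   minor=0 ;;
    esac
    [ -n "$minor" ] || minor=0
    case "$major$minor" in *[!0-9]*|"") return 2 ;; esac   # unparsable release string
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]
}

# sig_enforce_status VALUE: VALUE is the content of /sys/module/module/parameters/sig_enforce;
# "Y" means the kernel refuses unsigned modules, "N" means it only taints itself.
sig_enforce_status() {
    case "$1" in
        Y) echo enforcing ;;
        N) echo permissive ;;
        *) echo unknown ;;
    esac
}

# taint_flags VALUE: decode /proc/sys/kernel/tainted for the two module-trust bits,
# bit 12 (4096, out-of-tree module loaded) and bit 13 (8192, unsigned module loaded).
taint_flags() {
    t=$1; out=""
    [ $((t & 4096)) -ne 0 ] && out="${out}out-of-tree-module,"
    [ $((t & 8192)) -ne 0 ] && out="${out}unsigned-module,"
    [ -n "$out" ] || { echo clean; return 0; }
    printf '%s\n' "${out%,}"
}

# lockdown_mode VALUE: VALUE is /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality";
# the bracketed word is the active mode. Distributions that tie module signing to Secure Boot
# typically show "integrity" here once Secure Boot is on.
lockdown_mode() {
    case "$1" in
        *\[*\]*) m=${1#*\[}; printf '%s\n' "${m%%\]*}" ;;
        *) echo unavailable ;;
    esac
}

# secure_boot_status EFIVAR_FILE: the SecureBoot variable as exposed by efivarfs is
# 4 bytes of attributes followed by one data byte (1 = enabled, 0 = disabled).
secure_boot_status() {
    [ -r "$1" ] || { echo not-uefi; return 0; }
    data=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$data" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# audit_host: run the checks above against this machine and print one line per control.
audit_host() {
    rel=$(uname -r)
    if kernel_at_least 3 7 "$rel"; then k=ok; else k='too old for module signing'; fi
    printf 'kernel %s: %s\n' "$rel" "$k"

    f=/sys/module/module/parameters/sig_enforce
    if [ -r "$f" ]; then printf 'module signature enforcement: %s\n' "$(sig_enforce_status "$(cat "$f")")"
    else echo 'module signature enforcement: unavailable (kernel built without CONFIG_MODULE_SIG)'; fi

    f=/proc/sys/kernel/tainted
    if [ -r "$f" ]; then printf 'taint: %s\n' "$(taint_flags "$(cat "$f")")"; fi

    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then printf 'lockdown: %s\n' "$(lockdown_mode "$(cat "$f")")"; fi

    printf 'secure boot: %s\n' \
        "$(secure_boot_status /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)"

    # Loaded modules with no recorded signer. This reads /proc/modules, which a kernel
    # rootkit that unlinks itself from the module list will not appear in, so it is a
    # configuration audit, not a detection of a module that is already hiding.
    if command -v modinfo >/dev/null 2>&1 && [ -r /proc/modules ]; then
        while read -r name rest; do
            signer=$(modinfo -F signer "$name" 2>/dev/null)
            [ -n "$signer" ] || printf 'module without signer: %s\n' "$name"
        done < /proc/modules
    fi
    return 0
}

audit_host
```

Run it as root on the host being assessed; a result of "permissive" for signature enforcement or "disabled" for Secure Boot means the advisory's module-loading control is not in force even if the kernel is new enough, and the "module without signer" lines show what would be refused once enforcement is turned on.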