Sandfly 2.1 Released
August 06, 2019
Sandfly 2.1 has been released. We have expanded MIPS and ARM CPU coverage for embedded Linux devices, boosted our bindshell backdoor coverage and added in new sniffer and rogue sudo user detection as well as other new Sandfly checks. We also added in binary forensic data on process alerts to speed up incident response. Finally, we have updated the custom Sandfly JSON format to prepare for future features.
Linux MIPS and ARM CPU Security Coverage
Our goal is complete coverage of Linux no matter where it runs. An unprotected $20 embedded Linux device is just as dangerous as an unprotected web server. Our agentless security coverage is much better than any agent-based security product because we can run on devices where agent-based systems can’t. Now, it’s even better because we cover more MIPS and ARM CPUs along with standard Intel/AMD variants.
We expanded our embedded system coverage with MIPS and ARM CPUs that are common in devices like Ubiquiti firewall routers (e.g. EdgeRouter Lite), Raspberry Pi, and others. This ability has always been a part of Sandfly, but we now expanded it to cover more variants of these CPUs. We can now provide agentless security on many types of Linux devices from large database clusters in the cloud, down to the Raspberry Pi running in an appliance.
Expanded Bindshell Backdoor Coverage
We have expanded the ability of Sandfly to detect even more backdoor types. We will now flag suspicious shells attached to network ports as well as expanded socat, python, ruby, netcat, and perl backdoors.
PCAP Sniffer Detection
We have added the ability to flag processes operating as sniffers based on the file types they have open. Processes writing out data to packet capture (PCAP) files will be flagged as likely sniffers operating on the remote host. We also will flag PCAP files in suspicious locations on top of this.
Suspicious sudo Entries
We have been seeing malware using entries under various sudoer files to give compromised accounts sudo access (especially the user www-data). We will now flag known suspicious entries. You can of course clone these entries to create your own list of prohibited users.
Suspicious Process Maps
Process maps on Linux often show suspicious locations in malicious binaries. We’ll now flag any process that has a mapping that is in a suspicious directory location common with malware and rootkits.
Process Binary Forensics Attached to Process Alerts
We now attach full file forensics of the binary that was used to start a process that was flagged as an alert. This will help incident responders see when the file was created, file hashes, file attributes and other forensic details rapidly.
New JSON Format For Sandflies
In preparation for some new features, we have changed the custom JSON format for sandflies to make it more consistent and expandable for the future. More details will be coming, but these changes will allow for some powerful new capabilities. We expect this JSON format to remain stable going forward. If you made custom Sandfly changes since the 2.0 release, please contact us and we will help you update to the new 2.1 format.
False Alarms Fixed
Sandfly 2.0 had a massive increase in detection capability (from around 200 checks to now over 520) and we had a few false alarms show up in the process. These have been fixed and we thank our customers that reported them.
Old Results Deleted after Upgrade
In the process of updating the Sandfly JSON format, we are deleting all old results from the database so the legacy keywords will not be active. This is a one time operation. If you need to save certain results, please use the export function in the UI before upgrading. After upgrading, the old results will be deleted and new results with new keywords will be active.
How to Upgrade Sandfly
Sandfly is easy to upgrade. Please follow the instructions here:Upgrading Sandfly
Thank you to our customers that have submitted feature requests and bugs. Sandfly 2.1 is preparing for some powerful new capabilities. Thanks for using Sandfly.