EXECUTIVE SUMMARY:
A Linux rootkit built on extended Berkeley Packet Filter (eBPF) programs was discovered during an incident response in a cloud-hosted environment. The intrusion chain began with exploitation of a known Jenkins vulnerability (CVE-2024-23897) for initial access; from there the attacker deployed a malicious container image (kvlnt/vv) across multiple Kubernetes clusters. Rather than loading a conspicuous kernel module, the adversary abused eBPF, a legitimate in-kernel execution environment, to implement concealment and remote activation. Two eBPF components were observed: one that hides artifacts (processes, sockets) and one that activates the implant on receipt of a specially crafted "magic" packet. The compromise highlights the risk of exposed CI/CD services and permissive container runtimes.
The malicious container's startup scripts established persistence and remote access: they loosened SSH settings, launched a downloader that fetched an encrypted payload from cloud storage, and ran a relay client that tunneled traffic to a remote command-and-control relay. The rootkit itself used two cooperating eBPF programs: an XDP/TC program that inspects inbound traffic for the magic packet and triggers the implant, and hooks on kernel networking and syscall paths that hide processes and suppress network visibility. State lived in BPF maps pinned to the BPF filesystem, so it survived restarts of the userland component. Because no loadable kernel module was involved, the operator left mainly in-memory and ephemeral network artifacts, complicating both detection and forensic recovery.
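The artifacts described above (XDP/TC programs on the network path, hooks on syscall paths, pinned maps, and programs that outlive the process that loaded them) are all visible to `bpftool`. The following triage script is an added example, not code from the original report or any project: it consumes the JSON printed by `bpftool -f prog show -j` and `bpftool -f map show -j`, skips programs owned by an assumed allowlist of legitimate eBPF users, and reports everything else with the reasons a responder should look at it. Field names (`id`, `type`, `name`, `tag`, `map_ids`, `pids`, `pinned`) follow bpftool; `pids` is only emitted on kernels that expose BPF iterators. The sample JSON, the program names and the allowlist are constructed for the example.

```python
"""Triage eBPF programs from bpftool JSON for rootkit-style artifacts.

Added example (not from the original report). Input format follows
`bpftool -f prog show -j` / `bpftool -f map show -j`; sample data below is
constructed, and KNOWN_LOADERS is an assumed baseline to replace per fleet.
"""
import json
from dataclasses import dataclass, field

# Program types on the network path (magic-packet trigger) and on
# kernel/syscall paths (process and socket hiding).
NETWORK_TYPES = {"xdp", "sched_cls", "sched_act"}
TRACING_TYPES = {"tracepoint", "raw_tracepoint", "kprobe", "tracing", "lsm"}

# Assumed baseline: command names allowed to own eBPF programs on these hosts.
KNOWN_LOADERS = {"systemd", "cilium-agent", "falco"}


@dataclass
class Finding:
    prog_id: int
    name: str
    prog_type: str
    reasons: list = field(default_factory=list)


def triage_programs(prog_json, map_json, known_loaders=KNOWN_LOADERS):
    """Return a Finding for every program not attributable to a known loader."""
    maps = {m["id"]: m for m in json.loads(map_json)}
    findings = []
    for p in json.loads(prog_json):
        ptype = p.get("type", "")
        owners = {x.get("comm", "?") for x in p.get("pids", [])}
        reasons = []
        if not owners:
            # Nothing holds the program except a pin: the "survives userland
            # restarts" pattern from the report.
            reasons.append("no owning process")
        elif not owners & known_loaders:
            reasons.append("owned by unknown process " + ", ".join(sorted(owners)))
        else:
            continue  # baseline agent; tighten if an allowlisted comm is suspect
        if ptype in NETWORK_TYPES:
            reasons.append(f"{ptype} program on the network path (possible magic-packet trigger)")
        if ptype in TRACING_TYPES:
            reasons.append(f"{ptype} hook on kernel/syscall path (possible hiding)")
        for path in p.get("pinned", []):
            reasons.append(f"program pinned at {path}")
        for mid in p.get("map_ids", []):
            for path in maps.get(mid, {}).get("pinned", []):
                reasons.append(f"map {mid} pinned at {path}")
        findings.append(Finding(p["id"], p.get("name", ""), ptype, reasons))
    return findings


# Constructed sample modelled on bpftool's JSON; not output from the incident.
SAMPLE_PROGS = json.dumps([
    {"id": 7, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "6deef7357e7b4530",
     "map_ids": [], "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 9, "type": "kprobe", "name": "probe_open", "tag": "0a1b2c3d4e5f6071",
     "map_ids": [3], "pids": [{"pid": 300, "comm": "falco"}]},
    {"id": 42, "type": "xdp", "name": "pkt_filter", "tag": "9f8e7d6c5b4a3928",
     "map_ids": [12], "pids": [{"pid": 4021, "comm": "loader"}]},
    {"id": 43, "type": "tracepoint", "name": "sys_enter_getdents", "tag": "1122334455667788",
     "map_ids": [12], "pids": [], "pinned": ["/sys/fs/bpf/hide"]},
])
SAMPLE_MAPS = json.dumps([
    {"id": 3, "type": "hash", "name": "falco_events"},
    {"id": 12, "type": "hash", "name": "state", "pinned": ["/sys/fs/bpf/state"]},
])


if __name__ == "__main__":
    for f in triage_programs(SAMPLE_PROGS, SAMPLE_MAPS):
        print(f"prog {f.prog_id} ({f.prog_type}/{f.name}):")
        for r in f.reasons:
            print("   -", r)
```

On a live host, capture the two JSON documents with `bpftool -f prog show -j` and `bpftool -f map show -j` (root required) and feed them to `triage_programs`. A program with an empty `pids` list and a pin under `/sys/fs/bpf` is the most telling combination; also compare the `tag` values against a baseline taken from a known-clean node of the same image, since names are attacker-controlled and easily changed.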
This case shows attackers weaponizing legitimate kernel features to gain stealthy, persistent access with a minimal forensic footprint. Because initial entry exploited CVE-2024-23897 in a Jenkins instance, immediate steps are to patch or replace the affected CI/CD infrastructure, rotate exposed credentials, and remove untrusted container images. Mitigations should restrict the container capabilities that unlock eBPF (CAP_BPF, CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_PERFMON), enforce image provenance, and harden orchestration settings. Detection should monitor for unexpected eBPF program loads, objects pinned under the BPF filesystem, XDP/TC attachments, and proxy-like relay traffic. Adopt defense in depth: timely patching, runtime integrity checks, and focused threat hunting for kernel-level anomalies to reduce the risk of eBPF-based compromise.
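The capability and orchestration hardening above can be checked mechanically against a Pod manifest. The audit below is an added example, not from the original report or any project: it flags the settings that would let a container reach the eBPF subsystem (the capabilities that permit bpf(2) and XDP/TC attachment, host namespaces, an unconfined seccomp profile, and a hostPath mount of the BPF filesystem where pinned objects live), and is run against a constructed weak spec and a constructed hardened spec. Capability names follow the Kubernetes form (uppercase, no `CAP_` prefix). The seccomp rule assumes the runtime's default profile denies bpf(2) to containers lacking CAP_SYS_ADMIN/CAP_BPF, which holds for the stock containerd and Docker profiles but should be confirmed on the cluster.

```python
"""Audit a Kubernetes Pod spec for settings that expose the eBPF subsystem.

Added example (not from the original report). Pod specs are constructed;
the capability set and seccomp assumptions are documented in the comments.
"""

# Capabilities that unlock BPF loading or attachment:
#   SYS_ADMIN  - any BPF operation (and the only route on pre-5.8 kernels)
#   BPF        - load programs/maps (5.8+)
#   PERFMON    - tracing attachments (tracepoint/kprobe)
#   NET_ADMIN  - XDP/TC attachment to interfaces
BPF_CAPS = {"SYS_ADMIN", "BPF", "PERFMON", "NET_ADMIN"}
SAFE_SECCOMP = {"RuntimeDefault", "Localhost"}


def _norm(cap):
    """Accept both 'NET_ADMIN' and 'CAP_NET_ADMIN' spellings."""
    return cap.upper().removeprefix("CAP_")


def audit_pod(pod):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    spec = pod.get("spec", {})
    if spec.get("hostPID"):
        findings.append("pod: hostPID shares the host PID namespace")
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork exposes host interfaces to XDP/TC attachment")
    for v in spec.get("volumes", []):
        path = v.get("hostPath", {}).get("path", "")
        if path.startswith("/sys/fs/bpf") or path in ("/sys", "/"):
            findings.append(f"volume {v.get('name')}: hostPath {path} reaches pinned BPF objects")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {name}: privileged grants every capability")
        caps = sc.get("capabilities", {})
        added = {_norm(x) for x in caps.get("add", [])}
        for cap in sorted(added & BPF_CAPS):
            findings.append(f"container {name}: adds {cap}")
        dropped = {_norm(x) for x in caps.get("drop", [])}
        if "ALL" not in dropped and not sc.get("privileged"):
            findings.append(f"container {name}: does not drop ALL capabilities")
        # Container-level profile overrides the pod-level one.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in SAFE_SECCOMP:
            findings.append(f"container {name}: seccomp profile is {seccomp or 'unset'}, bpf(2) not filtered")
    return findings


# Constructed specs for the example; image and names are placeholders.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "relay"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "bpffs", "hostPath": {"path": "/sys/fs/bpf"}}],
        "containers": [{
            "name": "relay", "image": "registry.example/relay:latest",
            "securityContext": {
                "capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]},
                "seccompProfile": {"type": "Unconfined"},
            },
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "relay"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}, "runAsNonRoot": True},
        "containers": [{
            "name": "relay", "image": "registry.example/relay:latest",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {audit_pod(pod) or ['no findings']}")
```

The same checks map directly onto a Pod Security Admission `restricted` profile or an admission-controller policy, which is where they belong in production rather than in a one-off script. One caveat the manifest cannot express: on nodes where `kernel.unprivileged_bpf_disabled` is 0, a process without any of the capabilities above can still load certain socket-filter programs, so confirm that sysctl on the node images as well.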
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Persistence | T1543.002 | Create or Modify System Process | Systemd Service |
| Persistence | T1574.006 | Hijack Execution Flow | Dynamic Linker Hijacking |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Defense Evasion | T1070.006 | Indicator Removal | Timestomp |
| Defense Evasion | T1014 | Rootkit | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1562.007 | Impair Defenses | Disable or Modify Cloud Firewall |