LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets
An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv. "This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely
AI Analysis
Technical Summary
LinkPro is a newly identified Linux rootkit targeting cloud-hosted infrastructure, notably AWS environments running Kubernetes clusters. The attack chain begins with exploiting a critical Jenkins server vulnerability (CVE-2024-23897, CVSS 9.8) to gain initial access. Subsequently, attackers deploy a malicious Docker image containing a Kali Linux base and custom tools, including a VPN/proxy server and a Rust-based downloader that fetches an encrypted payload from an S3 bucket. LinkPro itself is a Golang-based rootkit that installs two eBPF modules: one ('Hide') uses Tracepoint and Kretprobe eBPF programs to intercept system calls like getdents and sys_bpf, effectively hiding processes, files, and its own eBPF programs at the kernel level. If kernel support is lacking, it falls back to user-space hiding by injecting a malicious shared library (libld.so) via /etc/ld.so.preload, hooking libc functions to mask its presence. The second module ('Knock') uses XDP and Traffic Control eBPF programs to listen for a 'magic packet'—a TCP packet with a window size of 54321. Upon receiving this packet, the rootkit records the source IP and opens a one-hour window to accept commands from that IP, modifying packet headers to evade firewall detection and log correlation. LinkPro supports both active (forward) and passive (reverse) communication modes, with multiple protocols including HTTP, WebSocket, UDP, TCP, and DNS. Commands include spawning interactive shells, file enumeration and manipulation, file downloads, and establishing SOCKS5 proxy tunnels. Persistence is achieved via systemd service installation. On receiving termination signals, LinkPro removes its eBPF modules and restores modified system files to avoid forensic detection. The rootkit’s use of eBPF for stealth and activation is novel and complicates detection and mitigation efforts. 
The initial infection vector through a critical Jenkins vulnerability highlights the importance of patching and securing CI/CD infrastructure. No public exploits of LinkPro itself have been observed, but its deployment in cloud environments with Kubernetes clusters poses a significant risk to organizations relying on these technologies.
Potential Impact
For European organizations, LinkPro represents a significant threat primarily to those operating cloud-native environments on AWS or similar platforms, especially if they use Jenkins for CI/CD and Kubernetes for container orchestration. The rootkit’s stealth capabilities make detection difficult, increasing the risk of prolonged undetected intrusions. Attackers can remotely execute arbitrary commands, manipulate files, and pivot through compromised hosts using proxy tunnels, potentially leading to data exfiltration, lateral movement, and disruption of services. The use of a magic packet for activation reduces noise and lowers the chance of triggering alerts, complicating incident response. Organizations in sectors with high reliance on cloud infrastructure—such as finance, telecommunications, and critical infrastructure—may face operational disruptions and data breaches. The manipulation of firewall logs and network traffic hinders forensic investigations and threat hunting. Additionally, the exploitation of a critical Jenkins vulnerability underscores the risk posed by unpatched CI/CD pipelines, which are common in European enterprises adopting DevOps practices. Overall, the threat could lead to confidentiality breaches, integrity compromises, and availability issues if attackers leverage the rootkit to deploy ransomware or sabotage operations.
Mitigation Recommendations
European organizations should prioritize patching the Jenkins vulnerability CVE-2024-23897 immediately to prevent initial compromise. Implement strict access controls and network segmentation for CI/CD infrastructure and Kubernetes clusters to limit lateral movement. Monitor for unusual eBPF module loading and modifications to /etc/ld.so.preload, which are strong indicators of LinkPro infection. Deploy kernel integrity monitoring and enable auditing of system calls related to process and file enumeration. Use advanced endpoint detection and response (EDR) solutions capable of detecting eBPF-based rootkits and anomalous network traffic patterns, including unusual TCP packets with window size 54321. Harden firewall rules and implement deep packet inspection to detect and block magic packets and suspicious port manipulations. Regularly audit Docker images and container registries to prevent deployment of malicious images. Employ threat hunting focused on systemd service anomalies and unexpected network proxy tunnels. Establish robust incident response plans that include procedures for eBPF rootkit removal and system restoration. Finally, conduct regular security training for DevOps teams to recognize and mitigate supply chain and CI/CD risks.
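Two of the host- and network-side indicators above (a TCP window field of 54321, and unexpected entries in /etc/ld.so.preload) can be checked with a few lines of code. The following detector is an added example written for this page, not code from Synacktiv or from the LinkPro sample; the packet builder, the TEST-NET addresses, the `/usr/lib/libld.so` path and the preload file contents are all constructed for offline testing. A window-size match is a lead, not proof: legitimate stacks can advertise that value too, so treat hits as candidates to correlate with a subsequent burst of traffic from the same source and with eBPF or preload findings on the host.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

MAGIC_WINDOW = 54321  # TCP window value the analysis attributes to LinkPro's knock packet
IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    window: int


def parse_ipv4_tcp(pkt: bytes) -> Optional[TcpSummary]:
    """Parse an IPv4/TCP packet (no link-layer header). Returns None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes (options included)
    if ihl < 20 or pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    # sport, dport, seq, ack, data offset, flags, window = first 16 bytes of the TCP header
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack("!HHIIBBH", pkt[ihl:ihl + 16])
    return TcpSummary(src, dst, sport, dport, flags, window)


def find_knock_candidates(packets: Iterable[bytes], magic: int = MAGIC_WINDOW) -> List[TcpSummary]:
    """Flag TCP packets whose advertised window equals the magic value."""
    return [s for s in map(parse_ipv4_tcp, packets) if s is not None and s.window == magic]


def preload_findings(preload_text: str, allowlist: Iterable[str] = ()) -> List[str]:
    """Return non-comment, non-empty /etc/ld.so.preload entries not present in the allowlist.
    On a clean host the file is usually absent or empty, so any entry deserves a look."""
    allowed = set(allowlist)
    entries = (line.strip() for line in preload_text.splitlines())
    return [e for e in entries if e and not e.startswith("#") and e not in allowed]


def build_packet(src: str, dst: str, sport: int, dport: int, window: int,
                 flags: int = 0x02, proto: int = IPPROTO_TCP) -> bytes:
    """Construct a minimal IPv4 packet with a TCP-shaped payload for offline tests (checksums left zero)."""
    def ip(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0, ip(src), ip(dst))
    return hdr + l4


# Constructed sample traffic: one SYN carrying the magic window, one ordinary SYN,
# and one packet marked as UDP that the parser must ignore even though its window field matches.
SAMPLE_PACKETS = [
    build_packet("203.0.113.5", "198.51.100.10", 40000, 443, window=MAGIC_WINDOW),
    build_packet("203.0.113.6", "198.51.100.10", 40001, 443, window=65535),
    build_packet("203.0.113.7", "198.51.100.10", 53, 53, window=MAGIC_WINDOW, proto=IPPROTO_UDP),
]

# Constructed preload file content; the library path is a placeholder, not an observed IoC.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libld.so\n"


if __name__ == "__main__":
    for hit in find_knock_candidates(SAMPLE_PACKETS):
        print(f"possible knock: {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport} window={hit.window}")
    for entry in preload_findings(SAMPLE_PRELOAD):
        print(f"unexpected ld.so.preload entry: {entry}")
```

In production you would feed `find_knock_candidates` raw IP payloads from a sensor or pcap and group hits by source address, then compare the following hour of traffic from that source against a baseline; `preload_findings` is best run with an allowlist of the preload entries your own tooling legitimately installs, so that anything else stands out.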
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland, Italy, Spain
Technical Details
- Article Source: https://thehackernews.com/2025/10/linkpro-linux-rootkit-uses-ebpf-to-hide.html (fetched 2025-10-17T05:34:22.085Z, 1425 words)
Threat ID: 68f1d5609c34d0947ff99694
Added to database: 10/17/2025, 5:34:24 AM
Last enriched: 10/17/2025, 5:35:00 AM
Last updated: 10/19/2025, 2:07:35 PM