Breaking down firewalls with BPFDoor (no e!) – How to detect it with Falco
Blog post from Sysdig
The blog post explores the use of BPF (Berkeley Packet Filter) by the threat actor group Red Menshen to create a stealthy backdoor known as BPFDoor, which has been used to gain unauthorized remote access to compromised devices since at least 2018. BPF allows users to filter network packets, and Red Menshen exploited this to bypass firewalls and execute actions via specific "magic" packets that trigger the backdoor's functionalities, such as establishing reverse shells or performing liveness checks. The post discusses the challenges of detecting BPFDoor due to its ability to operate at a high privilege level, similar to many runtime agents, but highlights that the open-source tool Falco can potentially detect it by monitoring for anomalous executions, such as the use of the setsockopt syscall to attach a BPF filter to a socket. While preventive measures like restricting certain Linux capabilities can be taken, they may be ineffective if BPFDoor runs with root privileges, which emphasizes the need for robust detection tools like Falco in cloud-native environments.
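As an added illustration of the detection idea above (this rule is not from the Sysdig post or the Falco default ruleset), the following Falco rule fragment alerts when a process attaches a classic BPF filter to a socket via setsockopt, with an allowlist for tools that do this legitimately; it assumes the Falco version in use decodes the setsockopt parameters as evt.arg.level and evt.arg.optname.

```yaml
# Processes that attach socket filters as part of normal operation.
# Constructed starting point; tune to what actually runs on your hosts.
- list: known_socket_filter_programs
  items: [tcpdump, tshark, dumpcap, dhclient, dhcpcd, systemd-networkd, NetworkManager]

# setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...) on the exit side of the syscall.
# Field names are assumed to match the Falco build in use.
- macro: attach_socket_filter
  condition: >
    evt.type = setsockopt and evt.dir = < and
    evt.arg.level = SOL_SOCKET and evt.arg.optname = SO_ATTACH_FILTER

- rule: BPF socket filter attached by unexpected process
  desc: >
    A classic BPF filter was attached to a socket by a process that is not a
    known packet-capture or network-management tool. BPFDoor-style backdoors
    use this to receive "magic" packets before host firewall rules apply.
  condition: >
    attach_socket_filter and not proc.name in (known_socket_filter_programs)
  output: >
    BPF socket filter attached by unexpected process
    (user=%user.name proc=%proc.name cmdline=%proc.cmdline pid=%proc.pid
    ppid=%proc.ppid fd=%fd.name container=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [network, persistence, bpfdoor]
```

Because a root-privileged backdoor can rename itself after a legitimate tool, treat the allowlist as a noise filter, not a trust boundary, and review hits whose cmdline, parent process, or executable path do not match the expected tool.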