Frequently Asked Questions
Product Information & Malware Insights
What is Shikitega malware and why is it significant for Linux systems?
Shikitega is a new, stealthy malware targeting Linux systems, including servers, endpoints, and IoT devices. It uses a multi-layered infection chain, starting with a very small ELF file (around 370 bytes) and employs advanced techniques like the 'Shikata Ga Nai' polymorphic XOR additive feedback encoder. This makes detection and analysis challenging, as each layer decodes the next until the final payload is executed. Shikitega can download and execute additional commands from its command and control server, making it a significant threat to Linux environments.
How does Shikitega deliver its malicious payload?
Shikitega uses a multi-stage infection chain. The initial dropper is a small ELF file that decodes and executes subsequent layers using the 'Shikata Ga Nai' encoder. Each layer is responsible for specific tasks, such as downloading and executing Metasploit meterpreter, exploiting Linux vulnerabilities, setting persistence, and running a cryptominer. The malware communicates with its command and control (C&C) server to receive additional shell commands, which are executed directly from memory, making detection harder.
What techniques does Shikitega use to evade detection?
Shikitega employs the 'Shikata Ga Nai' polymorphic XOR additive feedback encoder, which uses dynamic instruction substitution and block ordering. This results in multiple decode loops, with each loop decoding the next layer until the final shellcode is executed. The malware has no imports and invokes syscalls directly (via the 'int 0x80' instruction) rather than calling library functions, which further complicates detection by traditional security tools.
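As an added illustration (not code from the original article or from any Shikitega sample), the following Python triage script parses an ELF header and flags the combination the answers above describe: a file of only a few hundred bytes, no dynamic loader, and raw 'int 0x80' syscalls. The sample ELF it builds is constructed and inert; the 1024-byte threshold and the "two traits together" rule are assumptions for triage, not a verdict.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC, PT_INTERP = 2, 3   # program-header types present only when a dynamic loader is used
INT80 = b"\xcd\x80"            # byte encoding of the 32-bit 'int 0x80' syscall instruction

def parse_elf(data):
    """Return ELF class and program-header types (little-endian ELF32/ELF64), or None."""
    if len(data) < 52 or data[:4] != ELF_MAGIC or (data[4] == 2 and len(data) < 64):
        return None
    is64 = data[4] == 2
    # e_phoff / e_phentsize / e_phnum sit at different offsets in the two header layouts
    e_phoff = struct.unpack_from("<Q", data, 32)[0] if is64 else struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54 if is64 else 42)
    ptypes = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                          # truncated header table: stop rather than crash
        ptypes.append(struct.unpack_from("<I", data, off)[0])
    return {"is64": is64, "ptypes": ptypes}

def triage_elf(data, max_size=1024):
    """Flag the traits the page attributes to the dropper: tiny, no loader, raw int 0x80."""
    info = parse_elf(data)
    if info is None:
        return {"elf": False}
    findings = []
    if len(data) <= max_size:
        findings.append("tiny")
    if not {PT_DYNAMIC, PT_INTERP} & set(info["ptypes"]):
        findings.append("no_dynamic_loader")
    if not info["is64"] and INT80 in data:
        findings.append("int80_syscalls")
    # Two or more traits together is a triage signal, not proof: hand-written static
    # utilities also match, so treat hits as candidates for analyst review (assumption).
    return {"elf": True, "size": len(data), "findings": findings,
            "suspicious": len(findings) >= 2}

def build_sample_elf32(code):
    """Constructed, inert 32-bit ELF (one PT_LOAD, no interpreter) for testing only."""
    ehdr_size, phdr_size = 52, 32
    total = ehdr_size + phdr_size + len(code)
    base = 0x08048000
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELF32, little-endian, SysV ABI
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, base + ehdr_size + phdr_size,
                                 ehdr_size, 0, 0, ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", 1, 0, base, base, total, total, 5, 0x1000)  # PT_LOAD, R+X
    return ehdr + phdr + code
```

The constructed test body `31 c0 40 cd 80` is a plain exit(0) stub (xor eax,eax; inc eax; int 0x80), chosen only because it contains the syscall instruction the detector looks for.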
How does Shikitega maintain persistence on infected Linux machines?
Shikitega sets persistence by exploiting Linux vulnerabilities and executing commands received from its C&C server. It can download and execute additional files and commands, some of which are run directly from memory rather than being stored on disk, making it harder to detect and remove.
What is the role of Metasploit meterpreter in Shikitega's attack chain?
Shikitega downloads and executes 'Mettle', a Metasploit meterpreter payload, which allows attackers to perform a wide range of actions such as webcam control, sniffing, reverse shells, process control, and executing shell commands. This expands the attacker's capabilities on the compromised system.
How does Shikitega execute commands received from its command and control server?
The malware uses syscalls (such as sys_socketcall) to communicate with its C&C server. It receives shell commands, which are then executed directly from memory. In some versions, it uses the 'execve' syscall to run '/bin/sh' with the received commands, further complicating detection.
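Added example, not part of the original page: the detection logic below runs over constructed auditd SYSCALL records and flags execve and socketcall made through the 32-bit x86 ABI (arch=40000003, the int 0x80 path) on an x86_64 host, marking an exec of /bin/sh separately. The auditctl rule in the comment and the sample records are assumptions.

```python
import re

AUDIT_ARCH_I386 = "40000003"   # arch value auditd records for the 32-bit x86 ABI (the int 0x80 path)
I386_SYSCALLS = {11: "execve", 102: "socketcall"}   # i386 syscall numbers of the two calls discussed

# One rule that would produce such records on an x86_64 host (assumption, adapt the key):
#   auditctl -a always,exit -F arch=b32 -S execve -S socketcall -k abi32
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_line(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}

def detect_i386_abi_syscalls(lines):
    """Return SYSCALL records that used the 32-bit ABI for execve or socketcall."""
    hits = []
    for line in lines:
        f = parse_audit_line(line)
        if f.get("type") != "SYSCALL" or f.get("arch") != AUDIT_ARCH_I386:
            continue                       # 64-bit ABI or non-SYSCALL record: not of interest
        name = I386_SYSCALLS.get(int(f.get("syscall", -1)))
        if name is None:
            continue
        hits.append({"pid": f.get("pid"), "exe": f.get("exe"), "comm": f.get("comm"),
                     "syscall": name, "shell": f.get("exe") == "/bin/sh"})
    return hits

# Constructed sample records (not real logs); the EXECVE and the 64-bit exec must not fire.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1662000000.200:101): arch=40000003 syscall=11 success=yes exit=0 pid=1234 ppid=1230 uid=0 comm="sh" exe="/bin/sh" key="abi32"',
    'type=EXECVE msg=audit(1662000000.200:101): argc=3 a0="/bin/sh" a1="-c" a2="id"',
    'type=SYSCALL msg=audit(1662000000.100:100): arch=c000003e syscall=59 success=yes exit=0 pid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec64"',
    'type=SYSCALL msg=audit(1662000000.300:102): arch=40000003 syscall=102 success=yes exit=3 pid=1230 uid=0 comm="x" exe="/tmp/x" key="abi32"',
]

if __name__ == "__main__":
    for hit in detect_i386_abi_syscalls(SAMPLE_LOG):
        print(hit)
```

On a native 32-bit host every syscall carries arch=40000003, so the arch filter is only high-signal on x86_64 systems; correlate the pid/ppid fields with process telemetry before acting on a hit.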
What is the significance of the 'Shikata Ga Nai' encoder in Shikitega?
The 'Shikata Ga Nai' encoder is a polymorphic XOR additive feedback encoder commonly used in Metasploit. In Shikitega, it enables the malware to obfuscate its payload through multiple decode loops, making static analysis and detection by signature-based tools much more difficult.
How does Shikitega avoid writing files to disk?
Shikitega downloads additional files and executes them directly from memory, rather than storing them on the hard drive. This fileless execution technique helps the malware evade detection by traditional file-based security solutions.
What other Linux malware are similar to Shikitega?
Other notable Linux malware includes BotenaGo and EnemyBot, which also rapidly incorporate newly discovered vulnerabilities to expand their reach and infect more victims. Like Shikitega, these malware families target Linux-based servers, endpoints, and IoT devices.
Why are Linux systems increasingly targeted by malware like Shikitega?
There has been a nearly 650% rise in malware and ransomware targeting Linux in the first half of 2022. Threat actors find Linux-based servers, endpoints, and IoT devices valuable due to their widespread use and often less robust security compared to other platforms, making them attractive targets for new malware campaigns.
How does Cymulate help organizations defend against threats like Shikitega?
Cymulate provides continuous threat validation and exposure management, allowing organizations to simulate real-world attacks (including Linux malware) and validate their defenses. The platform helps identify vulnerabilities, prioritize exposures, and automate mitigation, ensuring that security teams can proactively address threats like Shikitega before they cause harm.
What Cymulate demos are available to see how the platform validates threats like Shikitega?
You can explore several Cymulate demos, including 'From Vulnerability to Validation', 'Threat Validation Demo', and 'From Control Validation to Exposure Validation'. These demos show how Cymulate connects vulnerabilities to real attack scenarios and helps security teams quickly validate protection against new threats.
How does Cymulate's Exposure Validation differ from manual penetration testing?
Cymulate's Exposure Validation provides automated, continuous security testing with a library of over 100,000 attack actions aligned to MITRE ATT&CK and daily threat intelligence. Unlike manual pen tests, which are infrequent and resource-intensive, Cymulate offers out-of-the-box integrations, automated mitigation, and real-time validation, making it more effective for ongoing threat exposure management.
What is Cymulate's Threat (IoC) updates feature and how does it improve resilience?
Cymulate's Threat (IoC) updates feature provides recommended Indicators of Compromise that can be exported and applied directly to security controls. This improves threat resilience by giving control owners the exact data needed to build defenses against new threats, including emerging Linux malware like Shikitega.
How does Cymulate support a threat-informed defense strategy?
Cymulate Exposure Validation continuously validates security controls against the latest threats and attack techniques, ensuring defenses are always prepared for current and emerging adversarial methods. This supports a threat-informed defense strategy by keeping organizations ahead of evolving threats.
What is the Cymulate Exposure Management Platform?
The Cymulate Exposure Management Platform is a unified solution that combines Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. It enables organizations to continuously validate their security posture, prioritize exposures, and automate mitigation across all IT environments.
What are the key capabilities of Cymulate's platform?
Cymulate offers continuous threat validation, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, and an extensive threat library with over 100,000 attack actions updated daily. These capabilities help organizations improve security posture, operational efficiency, and threat resilience.
What types of organizations can benefit from Cymulate?
Cymulate is designed for organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. It serves roles such as CISOs, SecOps teams, Red Teams, and Vulnerability Management teams, providing tailored solutions for each persona.
What are some real-world results achieved with Cymulate?
Customers have reported measurable outcomes such as an 81% reduction in cyber risk (Hertz Israel, four months), a 52% reduction in critical exposures, and a 60% increase in team efficiency. These results are backed by public case studies.
Pricing & Plans
What is Cymulate's pricing model?
Cymulate operates on a subscription-based pricing model tailored to each organization's requirements. Pricing depends on the chosen package, number of assets, and scenarios selected for testing. For a personalized quote, you can schedule a demo with Cymulate's team.
Features & Capabilities
What integrations does Cymulate support?
Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit the Partnerships and Integrations page.
What security and compliance certifications does Cymulate hold?
Cymulate holds several key certifications, including SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to robust security and compliance standards.
How easy is it to implement Cymulate?
Cymulate is designed for quick and easy implementation. It operates in agentless mode, requires minimal resources, and can be deployed without additional hardware or complex configurations. Customers can start running simulations almost immediately after deployment.
What feedback have customers given about Cymulate's ease of use?
Customers consistently praise Cymulate for its intuitive interface and ease of use. Testimonials highlight the platform's user-friendly dashboard, quick implementation, and accessible support. For example, Raphael Ferreira, Cybersecurity Manager, stated, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture."
Use Cases & Benefits
What core problems does Cymulate solve for security teams?
Cymulate addresses challenges such as overwhelming threat volume, lack of visibility, unclear risk prioritization, and resource constraints. It provides continuous threat validation, exposure prioritization, improved resilience, operational efficiency, and collaboration across teams, ensuring measurable improvements in security posture.
How does Cymulate help with fragmented security tools?
Cymulate integrates exposure data and automates validation, providing a unified view of the security posture. This helps organizations overcome the challenges of managing disconnected security tools and improves visibility and control.
How does Cymulate address resource constraints in security teams?
Cymulate automates manual processes, improves operational efficiency, and enables teams to focus on strategic initiatives. This is especially valuable for security teams that are stretched thin and need to prioritize remediation efforts effectively.
What are some case studies demonstrating Cymulate's effectiveness?
Case studies include Hertz Israel reducing cyber risk by 81% in four months, a sustainable energy company scaling penetration testing, and Nemours Children's Health improving detection in hybrid and cloud environments.
Competition & Comparison
How does Cymulate compare to traditional Breach and Attack Simulation (BAS) tools?
Cymulate offers a unified platform that combines BAS, CART, and Exposure Analytics, providing continuous, automated testing and real-time validation. Traditional BAS tools often focus on point-in-time assessments and require manual integrations, whereas Cymulate delivers out-of-the-box integrations, automated mitigation, and daily threat intelligence updates.
What makes Cymulate different from other exposure management solutions?
Cymulate stands out with its unified platform, continuous threat validation, AI-powered optimization, complete kill chain coverage, ease of use, and proven customer results. It also offers the most advanced library of attack simulations with daily updates, ensuring organizations stay ahead of emerging threats.
Support & Implementation
What support options are available for Cymulate customers?
Cymulate provides comprehensive support, including email support, real-time chat support, a knowledge base with technical articles and videos, webinars, e-books, and an AI chatbot for quick answers and guidance.
How quickly can organizations start using Cymulate after purchase?
Organizations can start running simulations almost immediately after deploying Cymulate, thanks to its agentless mode and minimal setup requirements. The platform is designed for rapid onboarding and ease of use.
Company & Vision
What is Cymulate's mission and vision?
Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment where organizations can achieve lasting improvements in cybersecurity.
How does Cymulate ensure product security and compliance?
Cymulate employs a robust security program, including data encryption (TLS 1.2+ in transit, AES-256 at rest), secure AWS hosting, a secure development lifecycle, vulnerability scanning, third-party penetration testing, and HR security policies. The platform is GDPR-compliant and includes features like 2FA, RBAC, and IP restrictions.