Malware attacking Linux systems has risen dramatically in the last year, with threat actors employing a range of methods to carry out their attacks.
Linux is a prized target. It serves as the operating system for many application backends and servers, as well as a wide range of internet of things (IoT) devices. Despite this, not enough is being done to safeguard the machines that run it.
“Linux malware has been vastly underappreciated,” says Giovanni Vigna, VMware’s senior director of threat intelligence. “Because most cloud servers run Linux, compromising Linux-based platforms lets the attacker get access to vast amounts of resources or inflict significant harm through ransomware and wipers.”
Cybercriminals and nation-state actors have been targeting Linux-based systems in recent years. According to a recent VMware report, the objective was frequently to penetrate business and government networks or gain access to key infrastructure. They take advantage of a variety of weaknesses, including weak authentication, unpatched vulnerabilities, and server misconfigurations.
Linux malware is growing more diversified as well as more widespread. Intezer, a security firm, examined the coding originality of malware variants to discover how creative their programmers are. Most malware categories, including ransomware, banking trojans, and botnets, saw a rise in 2021 compared to 2020. According to Intezer’s report, “this surge in Linux targeting may be associated with companies progressively shifting into cloud environments, which typically rely on Linux for their operation.”
As Linux malware evolves, companies must pay close attention to the most frequent assaults and strengthen security at every turn. “While Linux has the potential to be more secure than other operating systems, it’s crucial to remember that an operating system is only as safe as its weakest link,” says Ronnie Tokazowski, Cofense’s lead threat adviser.
These are the six types of Linux attacks to be aware of:
- Virtual machine images are the target of ransomware.
Ransomware groups have been snooping around Linux installations in recent years. The malware samples vary widely in quality, but gangs like Conti, DarkSide, REvil, and Hive are quickly improving their skill sets.
Ransomware attacks against cloud systems are usually well organised. Cybercriminals, according to VMware, strive to totally breach their target before encrypting their information.
RansomExx/Defray777 and Conti have recently started targeting Linux host images used for workloads in virtualized environments. “This new and concerning development demonstrates how attackers search for the most valuable assets in cloud settings in order to cause the most harm,” according to the VMware report.
These gangs are particularly interested in encrypting virtual machine images housed on ESXi Hypervisors since they know it may have a substantial impact on operations. It’s “a common theme in the ransomware landscape to develop new binaries specifically to encrypt virtual machines and their management environments,” a report by security company Trellix read.
- Cryptojacking is becoming more common.
Cryptojacking is one of the most common forms of Linux malware due to its ability to generate money rapidly. According to Tokazowski, “the goal of this malware is to leverage computing resources to produce coins for an attacker,” usually Monero.
In 2018, Tesla’s public cloud was the target of one of the first noteworthy cryptojacking incidents. According to cloud monitoring company RedLock, “the hackers had penetrated Tesla’s Kubernetes console, which was not password secured.” “Access credentials to Tesla’s AWS environment were exposed within one Kubernetes pod, which held an Amazon S3 (Amazon Simple Storage Service) bucket containing sensitive data such as telemetry.”
Cryptojacking has grown increasingly common, with the XMRig and Sysrv cryptominer families being two of the most well-known. According to a SonicWall analysis, the number of attempts increased by 19% in 2021 compared to 2020. According to the report, “this surge was in the triple digits for government and healthcare consumers, with cryptojacking reaching 709 percent and 218 percent, respectively.” On average, 338 cryptojacking attempts were detected per client network, according to the security firm.
According to Tokazowski, several gangs employ default password lists, bash attacks, or exploits that deliberately target misconfigured computers with poor security. “Directory traversal attacks, remote file inclusion attacks, and relying on misconfigured processes with default installs are some of these misconfigurations,” he explains.
- IoT is targeted by three malware families: XorDDoS, Mirai, and Mozi.
According to CrowdStrike, the number of Mirai malware variants developed for Intel-powered Linux computers more than doubled in the first quarter of 2022 compared to the first quarter of 2021, with the 32-bit x86 processors seeing the most growth. According to the research, “Mirai variants are constantly evolving to target unpatched vulnerabilities to widen their attack surface.”
XorDDoS is another popular Linux Trojan. This threat has increased by 254 percent in the previous six months, according to Microsoft. To maximise the chances of a successful infection, XorDDoS employs variations of itself built for ARM, x86, and x64 Linux platforms. It utilises brute-force assaults to acquire access to its targets, similar to Mirai, and then checks for Docker servers with port 2375 open to get remote root access.
Mozi attacks its targets in a similar way, but it subsequently blocks the SSH and Telnet ports to prevent other malware from taking its place. It generates a peer-to-peer botnet network and hides its connection with the command-and-control server behind normal DHT traffic using the distributed hash table (DHT) protocol.
According to Fortinet’s Global Threat Landscape Report, the behaviour of the most effective botnets remains steady over time. The security firm revealed that malware developers put a lot of work into making sure the infection lasts for a long time, which implies that rebooting the device should not remove the hacker’s control over the infected device.
- State-sponsored assaults are aimed at Linux-based systems.
Researchers who track nation-state actors have found that they are increasingly targeting Linux systems. “With the start of the Russian-Ukraine war, a lot of Linux malware was deployed, including wipers,” says Ryan Robinson, a security researcher at Intezer. According to Cyfirma, the Russian APT organisation Sandworm allegedly hacked Linux systems of UK and US institutions a few days before the strike began.
ESET was one of the firms that kept a close eye on the war and its consequences for cybersecurity. “We were looking into Industroyer2, an assault on a Ukrainian energy supplier, around a month ago,” explains Marc-Étienne Léveillé, ESET’s senior malware researcher. “Worms for Linux and Solaris were used in this assault, which propagated over SSH and perhaps stolen passwords. This was a highly focused attack with the obvious goal of eradicating data from databases and file systems.”
According to ESET’s paper, the Linux wiper “uses shred if available or simply dd (with if=/dev/random) otherwise to destroy the whole content of the discs attached to the system. If multiple discs are attached, data removal is done in parallel to speed up the process.” ESET, in collaboration with CERT-UA, identified the malware as belonging to the Sandworm APT gang, which utilised Industroyer to shut off electricity in Ukraine in 2016.
Other nation-state actors, according to Microsoft and Mandiant, have been exploiting the famed Log4j bug on both Windows and Linux computers to get access to the networks they target.
- It’s tough to spot fileless assaults.
Multiple actors, including TeamTNT, have begun to employ Ezuri, an open-source tool developed in Golang, according to security experts at AT&T’s Alien Labs. Ezuri is used by attackers to encrypt harmful programmes. The payload is decrypted and processed immediately from memory, leaving no traces on the disc, making these assaults difficult to detect by antivirus software.
TeamTNT, the major group linked with this approach, targets Docker systems that aren’t properly set up in order to install DDoS bots and cryptominers.
In order to target additional systems, attackers copied functionality from Windows tools to Linux. Vermilion Strike, for example, is based on CobaltStrike, a famous penetration testing tool for Windows, but it can be used to target both Windows and Linux. Vermilion Strike grants remote access to attackers, allowing them to manipulate files and run shell commands. The tool was used against telecommunications corporations, government organisations, and financial institutions, with the attackers’ primary goal being espionage.
“Vermilion Strike may not be the only Linux implementation” of the CobaltStrike Beacon, according to Intezer researchers.
Defending against malware that targets Linux environments
When sysadmins and developers are pressed for time and deadlines, security suffers the most. Developers, for example, may uncritically trust community-sourced code, copying and pasting code from Stack Overflow, running software rapidly after cloning a GitHub repository, or deploying an app directly from Docker Hub into their production environment.
This “economy of attention” is exploited by opportunistic attackers. They embed cryptominers in Docker containers or construct open-source packages with names that are almost identical to widely used libraries, capitalising on developers’ occasional spelling errors.
“Exploitation of open Docker and Kubernetes deployments is pretty interesting,” says VMware’s Vigna. “Careless people leave their container deployments open to the world, and these installations are easily taken over and used as a bridgehead for further attacks or other monetization activity, such as Monero mining.”
“I am an ardent, evangelical supporter of open-source software and culture, but the fragility of the chain of trust involved in public software repositories gives me the creeps,” says Ryan Cribelar, vulnerability research engineer at Nucleus Security. “Of course, this isn’t a Linux-specific worry, but a malicious library hiding in PyPi or NPM repositories, for example, will undoubtedly cause the most sleep loss among Linux admins and security teams.”
Misconfigurations on Linux servers are also a major problem, and they can occur at any point in one’s system. “Firewall or security group settings are frequently misconfigured to provide access to the wider internet, giving external access to installed applications on Linux servers,” according to Robinson of Intezer.
It’s typical for applications to be misconfigured to enable access without authentication or with default credentials. “Attackers will be able to steal information or run harmful code on the Linux server depending on the misconfigured application,” Robinson says. “Common instances include misconfigured Docker daemons, which allow attackers to launch their own containers, and misconfigured apps, such as Apache Airflow, which leak passwords and customer information.” Robinson goes on to say that default settings do not always equal a secure configuration.
Another concern, according to Joel Spurlock, senior director of malware research at CrowdStrike, is patching. He claims that businesses are “either unable or unwilling” to keep their devices current. Patching should be done on a regular basis, and approaches like EDR and zero trust should be discussed.
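The exposed Docker daemon that XorDDoS probes for on port 2375 and the misconfigured Docker daemons Robinson describes are the same weak setting. As an added example (not code from the article or any vendor it quotes), here is a small audit of Docker’s daemon.json that flags the weak configuration and passes the hardened one; both configuration samples are constructed, and the audit assumes only Docker’s documented `hosts` and `tlsverify` keys.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json samples: the weak one exposes the API on every
# interface with no TLS, the hardened one keeps the Unix socket and only
# accepts TCP clients that present a certificate signed by the local CA.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_BINDS = {"", "0.0.0.0", "::"}       # listen on every interface
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost"}


def audit_docker_hosts(daemon_json_text):
    """Return (listener, reason) findings for the TCP listeners in daemon.json.

    Anyone who can reach an unauthenticated Docker API can start containers
    as root on the host, so a listener is flagged when it is bound to every
    interface, or when it is reachable off-box without TLS client checks.
    """
    cfg = json.loads(daemon_json_text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue                    # unix:// and fd:// stay on the host
        bind = urlsplit(listener).hostname or ""   # brackets stripped for IPv6
        if bind in WILDCARD_BINDS:
            findings.append((listener, "bound to all interfaces"))
        if bind not in LOOPBACK_BINDS and not tls_verify:
            findings.append((listener, "remote API without TLS client verification"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_docker_hosts(text) or "no findings")
```

Point the function at the contents of /etc/docker/daemon.json on a real host to get the same report; an empty list means no TCP listener is exposed without mutual TLS.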
Malware that targets Linux settings flourishes in a large playground of consumer devices and servers, virtualized environments, and specialised operating systems, so the security measures required to defend them all necessitate concentration and thorough preparation.