Linux Attackers Take Advantage of Unpatched Vulnerabilities

Linux operating systems are being targeted by malicious actors as organizations increase their digital footprint in the cloud, with many attackers of the open source OS likely taking advantage of outdated software with unpatched vulnerabilities, according to the Linux Threat Report 2021 1H from Trend Micro.

The Trend Micro report, which investigates the top malware families affecting Linux servers during the first half of 2021, found a quarter of the malware attacks were cryptocurrency miners (coinminers) followed by Web shells (20%) and ransomware (12%).

Web shell and coinmining attacks differ in the ways they operate but are both very popular styles of attacks due to their potential profitability. Coinmining is directly profitable for cybercriminals who hijack an organization’s resources to mine cryptocurrency. As a result, without proper resource monitoring, this style of attack can go undetected for months—while the attackers sit back and collect the money.
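The resource monitoring the paragraph above calls for can be as simple as looking for processes that have kept a CPU pegged for a long time and are not on the host's expected list. The script below is an added example, not code from the Trend Micro report; it runs over a constructed `ps` snapshot embedded inline so it works anywhere, and the allowlist and thresholds are assumptions to tune per host.

```shell
#!/bin/sh
# cpu_hog_check.sh: surface long-running processes that keep a CPU pegged,
# the resource-usage signal the article says coinminers leave behind.
# Added example, not code from the Trend Micro report.

# Constructed ps snapshot standing in for: ps -eo pid=,pcpu=,etimes=,comm=
# (columns: pid, %cpu averaged over the process lifetime, seconds since
# start, command name). Sample values only.
SAMPLE_PS='1 0.0 864000 systemd
812 1.2 864000 sshd
2310 3.5 43200 java
4242 97.8 172800 unknown_proc
5190 91.0 45 gzip'

# Processes expected to run hot on this host (assumption; tune per host).
ALLOWLIST='java postgres'

# flag_cpu_hogs CPU_PCT MIN_SECS < ps_lines
# Prints "pid comm" for each process at or above CPU_PCT that has been
# running at least MIN_SECS seconds and is not on the allowlist. A short
# burst (gzip at 45 s) is not flagged; a CPU pegged for two days is.
flag_cpu_hogs() {
    awk -v pct="$1" -v secs="$2" -v allow=" $ALLOWLIST " '
        $2 + 0 >= pct && $3 + 0 >= secs && index(allow, " " $4 " ") == 0 {
            print $1, $4
        }'
}

# Wrapper over the constructed snapshot so the result is a return value
# rather than only something printed during a live run.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_cpu_hogs 80 3600
}

# Live use on a host: ps -eo pid=,pcpu=,etimes=,comm= | flag_cpu_hogs 80 3600
check_sample
```

Because `pcpu` is averaged over the process lifetime, a process that only shows up here has been hot for most of its run, which is exactly the months-long pattern the paragraph describes; a cron job that runs the check and diffs its output against the previous run turns it into an alert.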

Web shells are also profitable, but in a broader sense; with this method, attackers could steal data, install ransomware or just maintain the shell—and sell access to other attackers.

According to the report, the most prevalent attack detected was the modern ransomware family DoppelPaymer, though other notable ransomware families, including RansomExx, DarkRadiation and DarkSide, were also seen targeting Linux systems.

End-of-Life is Just the Beginning for Cybercriminals

Most detections arose from systems running end-of-life versions of Linux distributions, including 44% from CentOS versions 7.4 to 7.9, and 200 different vulnerabilities were targeted in Linux environments in just six months.

“The answer to the question of why so many systems are still running end-of-life versions of Linux distributions is patching, misconfigurations and software-defined infrastructure,” explained Aaron Ansari, vice president of cloud security at Trend Micro. “People start out with outdated images, or misconfigure them or never patch them due to inability or fear of breaking the custom app.”
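One concrete check behind the CentOS figures above: within CentOS 7, only the newest point release receives updates, so a host reporting 7.4 through 7.8 in `/etc/centos-release` has stopped getting fixes. The script below is an added example, not code from the report or from Trend Micro; the "latest" value of 7.9 is an assumption taken from the top of the article's range, and the release line is a constructed sample so the script runs without a CentOS host.

```shell
#!/bin/sh
# point_release_check.sh: flag a CentOS 7 host still on a superseded point
# release (the 7.4-7.8 band the report describes). Added example, not code
# from the report. Assumes CentOS 7 conventions: only the newest point
# release receives updates, and /etc/centos-release names the installed one.

# Newest point release at the time of the check. Assumption: 7.9, the top
# of the article's range; set this from your own tracking.
LATEST="7.9"

# Constructed sample of the file's one-line contents. Live use:
#   classify "$(cat /etc/centos-release)"
SAMPLE_RELEASE='CentOS Linux release 7.4.1708 (Core)'

# installed_release "CentOS Linux release 7.4.1708 (Core)" -> 7.4
installed_release() {
    printf '%s\n' "$1" | sed -n 's/^CentOS Linux release \([0-9]*\.[0-9]*\)\..*/\1/p'
}

# is_superseded INSTALLED LATEST: exit 0 when INSTALLED < LATEST
# (compares major, then minor, numerically)
is_superseded() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        older = (x[1] + 0 < y[1] + 0) || (x[1] + 0 == y[1] + 0 && x[2] + 0 < y[2] + 0)
        exit !older
    }'
}

# classify RELEASE_LINE: prints "superseded", "current" or "unknown"
classify() {
    rel=$(installed_release "$1")
    if [ -z "$rel" ]; then
        echo unknown
    elif is_superseded "$rel" "$LATEST"; then
        echo superseded
    else
        echo current
    fi
}

classify "$SAMPLE_RELEASE"
# On a host flagged "superseded", list what is pending with: yum check-update
# (yum exits 100 when updates are waiting), then schedule the upgrade.
```

Run it from a configuration-management or inventory job across the fleet and the output is a list of hosts that match the report's "outdated image, never patched" pattern before an attacker finds them.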

Shawn Smith, director of infrastructure at nVisium, said running end-of-life software is fairly common in open source communities because much of the support users receive in those situations comes through community support channels rather than a vendor.

“With closed-source software, you usually receive paid support when you buy the software and are forced to update when that support ends,” he explained. “However, with open source technology, you can bounce ideas off people for years beyond the end of life while you continue to troubleshoot bugs and keep services running for your organization.”

John Bambenek, threat intelligence advisor at Netenrich, also pointed out that many organizations deploy cloud resources under the mistaken impression that the cloud provider is securing it.

“Even in platform-as-a-service (PaaS) offerings, custom code, third-party libraries and other aspects of web applications still need to be updated and secured. For those running virtual images, they have to be updated and patched regularly,” he said. “The rush to the cloud under the aegis of DevOps has shown that ignoring security comes with real consequences.”

Bambenek warned that while developers may like to deploy instances quickly, unless security is actively involved, they are only creating more windows and greater access to sensitive data.

With Greater Linux Use Comes Great Responsibility

Ansari said with the growing number of organizations moving to Linux-based cloud environments, cybersecurity measures and threat defense strategies need to change.

“Visibility and expertise need to increase,” Ansari said. “This means the ability to see what’s happening in the environment as well as having the resources to keep the environments up-to-date and secure.”

He pointed out that increased Linux adoption will bring increased risk and an expanded attack surface, and said the dominance of Linux in the market—both for workloads and for the environments themselves—was the most surprising finding from the survey.

“Personally, I knew Linux had a large portion of the market share, but not the majority stake,” he said. “Additionally, increased focus from the attackers will shift to Linux, since the keys to the kingdom will be there.”

Smith agreed, pointing out that he has already begun seeing more attacks aimed at Linux-based virtual machine architecture.

“I expect that trend to continue as attackers aim to receive the best return on investment for their time spent attempting to compromise these environments,” he noted.

Bambenek explained many organizations still believe moving to the cloud means the cloud provider will secure them, but in many cases, this is not true.

“From open S3—or similar—buckets to virtual machines that are deployed with a base image and never patched, organizations still need to take steps to secure their cloud resources,” he said. “That means proactive management of access controls and patching, just like they would have to do for in-house resources.”

Smith said for the organizations already using Linux—or a mix of Linux and other operating systems within their infrastructure—the move to cloud environments should be a fairly smooth one.

This is because many of the same principles apply to Linux in the cloud as they do to running Linux on-premises.

“For any organization not currently using Linux, the transition might be a bit more difficult as they will need to train or hire Linux admins,” he said. “However, most cloud providers also support Windows Server—with some even supporting OSX. So, if organizations use either of those, they could still migrate and stick with what they know without too much difficulty.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
