Linux is a coveted target. It is the host operating system for numerous application backends and servers and powers a wide variety of Internet of Things (IoT) devices. Still, not enough is done to protect the machines running it.
"Linux malware has been massively overlooked," said Giovanni Vigna, senior director of threat intelligence at VMware. "Since most of the cloud hosts run Linux, being able to compromise Linux-based platforms allows the attacker to access an enormous amount of resources or to inflict substantial damage through ransomware and wipers."
In recent years, cybercriminals and nation-state actors have targeted Linux-based systems. The goal was often to infiltrate corporate and government networks or gain access to critical infrastructure, according to a recent VMware report. They leverage weak authentication, unpatched vulnerabilities, and server misconfigurations, among others.
Linux malware is becoming not just more prevalent but also more diverse. Security company Intezer looked at the code uniqueness of malware strains to see how innovative authors are. It found an increase in most malware categories in 2021 compared to 2020, including ransomware, banking trojans, and botnets.
"This increase in Linux targeting may be correlated to organisations increasingly moving into cloud environments, which frequently rely on Linux for their operation," according to a report. "The level of innovation of Linux malware came close to that of Windows-based malware."
As Linux malware continues to evolve, organisations need to pay attention to the most common attacks and harden security every step along the way. "While Linux can be more secure than other operating systems, it's important to note that an operating system is only as secure as its weakest link," said Ronnie Tokazowski, principal threat advisor at Cofense.
These are the six types of attacks on Linux to watch for:
1. Ransomware targets virtual machine images
In recent years, ransomware gangs have started to peek at Linux environments. The quality of the malware samples varies greatly, but gangs such as Conti, DarkSide, REvil and Hive are quickly upgrading their skill sets.
Typically, ransomware attacks against cloud environments are carefully planned. According to VMware, cyber criminals try to fully compromise their victim before starting to encrypt the files.
Recently, groups like RansomExx/Defray777, and Conti began to target Linux host images used for workloads in virtualised environments. "This new and worrisome development shows how attackers look for the most valuable assets in cloud environments to inflict the maximum damage," the VMware report read.
Encrypting virtual machine images hosted on ESXi Hypervisors is of particular interest to these gangs because they know they can significantly impact operations. It's "a common theme in the ransomware landscape to develop new binaries specifically to encrypt virtual machines and their management environments," a report by security company Trellix read.
2. Cryptojacking is on the rise
Cryptojacking is one of the most prevalent types of Linux malware because it can quickly produce money. "The intent of this software is to use computational resources to generate cryptocurrencies for an attacker," typically Monero, said Tokazowski.
One of the first notable attacks happened in 2018 when Tesla's public cloud fell victim. "The hackers had infiltrated Tesla's Kubernetes console, which was not password protected," according to cloud monitoring company RedLock. "Within one Kubernetes pod, access credentials were exposed to Tesla's AWS environment, which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry."
Cryptojacking has become more prevalent, with XMRig and Sysrv being some of the most prominent cryptominer families. A report by SonicWall showed that the number of attempts rose by 19 per cent in 2021 compared to 2020.
"For government and healthcare customers, this increase was in the triple digits, with cryptojacking growing 709 per cent and 218 per cent respectively," according to the document. The security company counted an average of 338 cryptojacking attempts per customer network, on average.
To target their victims, many gangs use lists of default passwords, bash exploits, or exploits that intentionally target misconfigured systems with weak security, according to Tokazowski. "Some of these misconfigurations can include directory traversal attacks, remote file inclusion attacks, or rely on misconfigured processes with default installs," he said.
3. Three malware families — XorDDoS, Mirai and Mozi — target IoT
The IoT runs on Linux, with few exceptions, and the simplicity of the devices can help turn them into potential victims. CrowdStrike reported that the volume of malware targeting gadgets operating on Linux increased by 35 per cent in 2021 compared to 2020.
Three malware families account for 22 per cent of the total: XorDDoS, Mirai, and Mozi. They follow the same pattern of infecting devices, amassing them into a botnet, and then using them to perform DDoS attacks.
Mirai, a Linux Trojan that uses Telnet and Secure Shell (SSH) brute-forcing attacks to compromise devices, is seen as the common ancestor to many Linux DDoS malware strains. Once its source code became public in 2016, multiple variants emerged. In addition, malware authors learned from it and implemented Mirai features into their own Trojans.
CrowdStrike noticed that the number of Mirai malware variants compiled for Intel-powered Linux systems more than doubled in the first quarter of the year 2022 compared to Q1 2021, with the largest increase in variants targeting the 32-bit x86 processors. "Mirai variants continuously evolve to exploit unpatched vulnerabilities to expand their attack surface," according to the report.
Another prosperous Linux Trojan is XorDDoS. Microsoft found that this threat rose by 254 per cent in the last six months. XorDDoS uses variants of itself compiled for ARM, x86 and x64 Linux architectures to increase the likelihood of a successful infection.
Like Mirai, it uses brute-force attacks to gain access to its targets and, once inside, scans for Docker servers with port 2375 open to gain remote root access to the host without the need for a password.
Mozi compromises its targets in a somewhat similar manner but to prevent other malware from taking its place, it then blocks the SSH and Telnet ports. It creates a peer-to-peer botnet network and uses the distributed hash table (DHT) system to hide its communication with the command-and-control server behind legitimate DHT traffic.
The activity of the most successful botnets remains consistent over time, according to Fortinet's Global Threat Landscape Report. The security company discovered that malware authors devote plenty of effort to ensuring that the infection is persistent in time, which means that rebooting the device should not erase the control the hacker has over the infected target.
4. State-sponsored attacks target Linux environments
Security researchers monitoring nation-state groups have noticed that they increasingly target Linux environments. "A lot of Linux malware has been deployed with the onset of the Russian-Ukraine war, including wipers," said Ryan Robinson, security researcher at Intezer. Russian APT group Sandworm allegedly attacked Linux systems of UK and U.S. agencies a few days before the attack started, according to Cyfirma.
ESET was among the companies that closely followed the conflict and its cyber security implications.
"A month ago, we've been looking at Industroyer2, an attack against a Ukrainian energy provider," said Marc-Étienne Léveillé, senior malware researcher at ESET. "This attack included Linux and Solaris worms that spread using SSH and perhaps stolen credentials. This was a very targeted attack which clearly had the objective of destroying data from databases and file systems."
The Linux wiper "destroys the whole content of the disks attached to the system by using shred if available or simply dd (with if=/dev/random) otherwise," according to ESET’s paper. "If multiple disks are attached, data removal is done in parallel to speed up the process." Together with CERT-UA, ESET attributed the malware to the Sandstorm APT group, which had used Industroyer in 2016 to cut power in Ukraine.
As for other nation-state actors, Microsoft and Mandiant noticed that multiple groups backed by China, Iran, North Korea and others had been exploiting the infamous Log4j flaw on both Windows and Linux systems to gain access to the networks they target.
5. Fileless attacks are difficult to detect
Security researchers at AT&T's Alien Labs saw that multiple actors, including TeamTNT, have started to use Ezuri, an open-source tool written in Golang. Attackers use Ezuri to encrypt malicious code. On decryption, the payload is executed directly from memory without leaving any traces on the disk, which makes these attacks difficult to detect by antivirus software.
The main group associated with this technique, TeamTNT, targets Docker systems that are not configured properly, with the purpose of installing DDoS bots and cryptominers.
6. Linux malware targets Windows machines
Linux malware can also exploit Windows machines through Windows Subsystem for Linux (WSL), a feature of Windows that allows Linux binaries to run natively on this OS. WSL must be installed manually or by joining the Windows Insider program, but attackers can install it if they have elevated access.
Cloud security company Qualys examined the feasibility of carrying out attacks or gaining persistence on a Windows machine by using WSL. It analysed two techniques so far, proxying execution and installing utilities, and concluded that both are highly feasible.
According to the company's security experts, organisations that want to protect against this type of attack can disable virtualisation and the ability to install WSL. It also helps to audit running processes in an ongoing manner.
Attackers also ported functionality from Windows tools to Linux, aiming to target more platforms. One example is Vermilion Strike, which is based on a popular penetration testing tool for Windows, CobaltStrike, but can be used to target both Windows and Linux.
Vermilion Strike offers attackers remote access capabilities, including file manipulation and shell command execution. The tool was used against telecom companies, government agencies, and financial institutions, and the main intent of the attackers was to conduct espionage.
Researchers at Intezer say in their report that "Vermilion Strike may not be the last Linux implementation" of the CobaltStrike Beacon.
Protecting against malware that targets Linux environments
Security is the weakest when sysadmins and developers race against time and deadlines. Developers, for instance, may trust community-sourced code blindly; they copy/paste code from Stack Overflow, run software quickly after cloning a GitHub repository, or deploy an app from Docker Hub directly into their production environment.
Opportunistic attackers take advantage of this "economy of attention." They add cryptominers to Docker containers or create open-source packages with names that are almost identical to heavily used libraries, taking advantage of the occasional spelling mistake on the part of developers.
"Exploitation of open Docker and Kubernetes deployments is pretty interesting: careless people leave their container deployments open to the world, and these installations are easily taken over and used as a bridgehead for further attacks or for other monetisation activity, such as Monero mining," said VMware's Vigna.
"I am an avid, evangelistic advocate of open source software and culture, but one thing that really gives me the heebie-jeebies is the fragility of the chain of trust involved in public software repositories," said Ryan Cribelar, vulnerability research engineer at Nucleus Security.
"This isn't a Linux-specific concern, of course, but a malicious library lurking in PyPi or NPM repositories, for example, will arguably cause the Linux admin and security teams the most sleep loss."
For Linux servers, misconfigurations are also a big issue, and it can happen at multiple points along one's infrastructure. "Commonly, firewall or security group settings are misconfigured to allow access to the wider internet, thus allowing external access to deployed applications on Linux servers," said Intezer’s Robinson.
Applications are commonly misconfigured to allow access without authentication or using default credentials.
"Depending on the misconfigured application, attackers will be able to steal information or run malicious code on the Linux server," Robinson added. "Common examples include misconfigured Docker daemons, allowing attackers to run their own containers or misconfigured applications that leak passwords and customer information, such as Apache Airflow." Robinson added that Default configuration often does not equate to secure configuration.
Joel Spurlock, senior director of malware research at CrowdStrike, sees another issue: patching. He argues that organisations are "either unable or unwilling to keep machines up to date." Patching should be done regularly, and buzzwords like EDR and zero trust should also be on the menu.
Malware targeting Linux environments thrives in a vast playground of consumer devices and servers, virtualised environments, and specialised operating systems, therefore the security measures necessary to protect all these require focus and meticulous planning.