ARN

Step aside, Windows! Open source and Linux are IT’s new security headache

The Equifax breach is the latest example of attackers targeting open-source software in the enterprise.

Windows has long been the world’s biggest malware draw, exploited for decades by attackers. It continues today: The Carbon Black security firm analyzed 1,000 ransomware samples over the last six months and found that nearly 99% of them targeted Windows.

That’s not news for IT administrators, of course. But this might be: Linux and other open-source software are emerging as serious malware targets. Several recent highly publicized attacks exploit holes in open-source software that many enterprise admins once considered solidly safe.

Let’s start with the big one: the recently disclosed Equifax break-in that resulted in the private information of 143 million people being stolen, including Social Security numbers, birth dates, addresses and more. Typically, when you find the cause of a breach like this, it involves Windows. That’s not the case with the Equifax hack, though.

A web application vulnerability in the widely used open-source Apache Struts web development framework allowed attackers to break into Equifax and do their damage. The framework is used by many enterprises in education, government, financial services, retail and media. Even though the vulnerability was first discovered and patched back in early March, Equifax didn’t install the patch until after it found it had been hacked.

Sound familiar? It should. That’s typically how Windows attacks proceed — enterprises don’t get around to patching Windows to close security holes, and hackers take it from there. A recent study by Adaptiva, which offers security and management solutions for network endpoints, found that 49% of all enterprises surveyed said that their biggest security challenge was keeping Windows and Windows applications updated. And 59% said it takes a month or more to update Windows throughout their enterprise.

It appears as if Linux and open source are becoming a similar security headache for companies. Ian Folau, CEO of GitLinks, which specializes in security for open-source software, warns in an InfoWorld blog that at least half of all Fortune 100 companies use Struts. He adds, “Less than 10 percent of companies are monitoring open source in their company, so even if these companies wanted to update their versions of Struts, they would have a hard time figuring out which applications were using Struts.” He believes that many other attacks will be launched using the Struts vulnerability because it will remain largely unpatched.

The Equifax attack isn’t the only big one involving open source or Linux to have emerged recently. The “BlueBorne” attack vector exploits vulnerabilities in Bluetooth implementations. It can be used to take over a device and use it to spread malware or ransomware and become part of a botnet. At risk are almost 5.3 billion devices worldwide that use Windows, iOS, Android and Linux-based operating systems.  Among the Linux devices that are at risk are Samsung's Gear S3 smartwatch, a number of Samsung televisions, some models of drones and many Tizen devices, as well as some Linux desktop PCs and servers.

Some industry watchers predict even more attacks targeting open source and Linux in the enterprise.  A Carbon Black blog post, “7 Predictions for Ransomware’s Evolution,” warns, “We believe ransomware will increasingly target Linux systems in an effort to further extort larger enterprises. For example, attackers will increasingly look to conduct SQL injections to infect servers and charge a higher ransom price. We have already observed attacks hitting MongoDB earlier this year, which provide an excellent foreshadowing.”

The attacks Carbon Black mentioned happened this past January, when open-source MongoDB databases around the world were hacked and data was taken from them and held for ransom.

All this isn’t to say that Linux represents a greater threat to enterprises than does Windows. Windows is dominant in the enterprise, and as long as that’s the case, it will remain the primary target. But attackers have a way of going after low-hanging fruit, and IT admins aren’t as used to open-source software being under attack as they are Windows. So expect more, larger attacks on open source and Linux in the enterprise as IT admins try to figure out how to protect them as well as Windows.