Linux environments have seen a sharp rise in malware attacks over the past year, and attackers are carrying them out with a wide range of techniques. Because Linux hosts so many servers and the backends of other applications, it has become a target for cybercriminals interested in compromising critical infrastructure.
Considering that Linux-targeted malware is on the rise and is becoming more sophisticated, organizations must understand which attacks they should look for and how best to secure their critical infrastructure along the way. To that end, let’s dive into what a Linux malware attack is, as well as the most common ones to keep an eye out for.
Most hosts in modern cloud environments run Linux, which has contributed to the recent rise in Linux-targeted malware attacks. Threat actors who successfully infiltrate Linux-based environments can compromise a vast array of sensitive assets and use ransomware to cause severe damage to critical infrastructure.
The past few years have seen bad actors attacking Linux-based systems to gain access to networks and compromise critical infrastructure. These attacks have been successful thanks to vulnerabilities and issues with authentication and server configurations. In fact, these attacks have not only been distressingly successful but are diversifying, too. Malware strains targeting Linux-based platforms have been increasing in categories such as trojans and ransomware since 2020.
As more organizations migrate to cloud-hosted environments that run on Linux, Linux malware attacks are likely to keep surging. And as Linux-targeting malware strains contain ever more unique code (and so share fewer signatures with known samples), it is essential that organizations understand which attacks to look out for and how best to defend against them.
To that end, let’s look at some of the most common types of Linux malware.
Ransomware gangs have recently begun to seek out Linux-based environments that are vulnerable to attack. While many of the malware samples are not especially impressive in quality, dangerous groups such as Hive and Conti are actively improving theirs.
Ransomware that compromises cloud-hosted environments is typically planned thoroughly, and skilled threat actors will try to fully compromise an environment before they start encrypting files. In particular, cybercriminals now appear interested in targeting the virtual machine images used to run workloads, which indicates that they are hunting for the most valuable resources hosted in cloud environments in order to inflict as much damage as possible.
Certain platforms can defend Linux workloads running in both cloud-based and on-premises environments against malware attacks. Some of these platforms now use machine learning and artificial intelligence to give organizations the context and visibility they need to identify malware attacks on their workloads, and the number of such platforms is likely to grow: the machine learning market is expected to grow at a compound annual growth rate (CAGR) of nearly 39% between 2022 and 2029.
Among Linux-targeted malware attacks, cryptojacking is one of the most pervasive. Cybercriminals stand to make quite a bit of money from it: if the attack succeeds, the malware mines cryptocurrency for them using the victim's computing resources (CPU time and electricity) rather than their own.
Cryptojacking caught the public eye in 2018 after Tesla's public cloud was attacked. The attackers got into the company's Kubernetes console, which was not password protected, and from there gained access to sensitive data.
Gangs that use cryptojacking malware often find victims by trying default-password lists or by exploiting poorly secured systems that were unintentionally misconfigured. Once the malware is installed and running, the attackers can sit back while cryptocurrency is mined for them.
Unfortunately for device owners, cryptojacking malware often goes unnoticed because it is designed to mine in the background; the owner may only notice that the device has suddenly slowed down. Organizations should watch for signs such as a sudden, sustained surge in CPU usage, overheating, and unexpected outbound connections to mining pools. Endpoint protection software can stop cryptominers from running and makes it easier to detect attacks early.
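The signs listed above can be checked mechanically. The script below is an added example, not code from the article or from any product it mentions: it reads the output formats of `ps -eo pid,pcpu,etimes,args` and `ss -tnp` and flags a process only for the specific reasons that fire (sustained high CPU, a miner-like command line, a binary in a world-writable directory, a connection to a Stratum-style pool port). The port list and name hints are assumptions to tune per environment, and the two snapshots are constructed; note that a short CPU burst (the ffmpeg job) is deliberately not flagged.

```python
"""Triage a Linux host for cryptojacking from process and socket snapshots."""
import re
from dataclasses import dataclass, field

CPU_THRESHOLD = 80.0       # %CPU above which a process counts as "hot"
SUSTAINED_SECONDS = 600    # ...and it must have run this long; short bursts are normal
# Assumption: ports commonly used by Stratum mining pools (tune per environment).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
# Assumption: substrings seen in common miner binaries and their flags.
MINER_HINTS = ("xmrig", "minerd", "kdevtmpfsi", "kinsing", "donate-level", "stratum+tcp")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

@dataclass
class Finding:
    pid: int
    exe: str
    reasons: list = field(default_factory=list)

def parse_ps(text):
    """Rows of `ps -eo pid,pcpu,etimes,args` -> list of dicts (header skipped)."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        pid, pcpu, etimes, args = line.split(None, 3)
        rows.append({"pid": int(pid), "pcpu": float(pcpu),
                     "etimes": int(etimes), "args": args})
    return rows

def parse_ss(text):
    """Rows of `ss -tnp` -> {pid: set(remote ports)} (header skipped)."""
    conns = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        port = int(fields[4].rsplit(":", 1)[1])       # "Peer Address:Port" column
        for pid in re.findall(r"pid=(\d+)", line):    # users:(("name",pid=N,fd=M))
            conns.setdefault(int(pid), set()).add(port)
    return conns

def analyze(ps_text, ss_text):
    """Return one Finding per suspicious process, listing every reason that fired."""
    conns = parse_ss(ss_text)
    findings = []
    for row in parse_ps(ps_text):
        f = Finding(row["pid"], row["args"].split()[0])
        if row["pcpu"] >= CPU_THRESHOLD and row["etimes"] >= SUSTAINED_SECONDS:
            f.reasons.append(f"{row['pcpu']:.0f}% CPU sustained for {row['etimes']}s")
        if any(h in row["args"].lower() for h in MINER_HINTS):
            f.reasons.append("miner-like name or flag on the command line")
        if f.exe.startswith(WRITABLE_DIRS):
            f.reasons.append(f"binary runs from a world-writable dir: {f.exe}")
        pool_ports = conns.get(row["pid"], set()) & STRATUM_PORTS
        if pool_ports:
            f.reasons.append(f"connected to stratum-style port(s) {sorted(pool_ports)}")
        if f.reasons:
            findings.append(f)
    return findings

# Constructed snapshots in the exact column layout of the two commands.
SAMPLE_PS = """\
    PID %CPU ELAPSED COMMAND
      1  0.0   86400 /sbin/init
    812  2.1   86000 /usr/sbin/sshd -D
   4242 97.5    5400 /tmp/.x/kthreadd -o pool.example:3333 --donate-level=1
   5100 85.0     120 /usr/bin/ffmpeg -i in.mp4 out.mkv
"""
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB 0      0      10.0.0.5:49210      203.0.113.7:3333    users:(("kthreadd",pid=4242,fd=7))
ESTAB 0      0      10.0.0.5:22         198.51.100.9:51822  users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_PS, SAMPLE_SS):
        print(f"pid {f.pid} ({f.exe})", *f.reasons, sep="\n  ")
```

To run it against a live host, replace the two constants with `subprocess.check_output(["ps", "-eo", "pid,pcpu,etimes,args"], text=True)` and `subprocess.check_output(["ss", "-tnp"], text=True)`; `ss -p` needs root to attribute sockets belonging to other users. A single reason is only a lead, so treat a process that collects several reasons as the one to investigate first.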
Security experts who monitor nation-state groups report that those groups are doubling down on attacks against Linux environments. The Russia-Ukraine war, in particular, appears to be contributing to the uptick in Linux-targeted malware.
Media reports have, in the past, pointed to Russia as the culprit behind cyberattacks following its invasion of Crimea, as well as more recent attacks in Ukraine. These attacks were reportedly intended to disrupt communications, and Russian state-sponsored groups continue to stoke the anxieties of Western governments.
Companies that have been closely monitoring the Russia-Ukraine war have reported Solaris and Linux worms that spread rapidly over SSH (the Secure Shell protocol) using compromised access credentials. These attacks are carried out with the evident intent of destroying sensitive information held in file systems and databases.
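A worm that spreads over SSH with stolen or guessed credentials depends on the target still accepting passwords. The audit script below is an added example, not from the article or from any of the reports it refers to: it parses an `sshd_config`, applies sshd's rule that the first value for a keyword wins, and reports effective settings that leave password logins open. The defaults table follows current OpenSSH documentation, the two configurations are constructed (a weak one and its hardened counterpart), and anything inside a `Match` block is left for manual review rather than audited.

```python
"""Audit sshd_config for settings that let credential-guessing worms in."""

# Values sshd assumes when a keyword is absent (sshd_config(5), current OpenSSH).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

def parse_sshd_config(text):
    """Return (settings, match_seen).

    sshd uses the FIRST value it sees for each keyword, which setdefault()
    reproduces. Directives after the first 'Match' line apply conditionally,
    so parsing stops there and the caller is told to review them by hand."""
    settings, match_seen = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            match_seen = True
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings, match_seen

def audit_sshd_config(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    s, match_seen = parse_sshd_config(text)

    def eff(key):
        return s.get(key, DEFAULTS[key])

    findings = []
    if eff("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: guessed or reused passwords work; set 'no'")
    # ChallengeResponseAuthentication is the old name for KbdInteractiveAuthentication;
    # with UsePAM it can still prompt for a password even when PasswordAuthentication is no.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", DEFAULTS["kbdinteractiveauthentication"]))
    if kbd == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM may still accept passwords; set 'no'")
    if eff("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is the most-guessed account; set 'no' or 'prohibit-password'")
    if eff("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in; set 'no'")
    if eff("pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication no: keys disabled, leaving only passwords; set 'yes'")
    try:
        if int(eff("maxauthtries")) > 4:
            findings.append("MaxAuthTries > 4: more guesses per connection; lower it (e.g. 3)")
    except ValueError:
        findings.append("MaxAuthTries is not numeric; sshd would reject this file")
    if match_seen:
        findings.append("Match block present: conditional overrides were not audited; review them")
    return findings

# Constructed example of a weak sshd_config (every check should fire).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
"""

# Constructed hardened counterpart: key-only logins, no root, few tries.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowGroups ssh-users
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for finding in audit_sshd_config(cfg):
            print("  -", finding)
```

Run it on a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; on distributions that drop snippets into `/etc/ssh/sshd_config.d/`, concatenate those in `Include` order first, because a later snippet cannot override a value an earlier one already set. Key-only authentication removes the credential-reuse path entirely, which is why it sits at the top of the list.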
Security researchers have also pointed to criminal groups using Ezuri, an open-source tool written in Go, to encrypt malicious code. Once decrypted, the payload is executed straight from memory and leaves no trace on disk, which makes it very hard for file-scanning antivirus software to detect. The group most associated with this fileless technique is TeamTNT, which attacks misconfigured Docker hosts to install cryptominers and DDoS bots.
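File-scanning defences miss a payload that never touches disk, but the running process still leaves a mark in `/proc`. The script below is an added example, not code from the article, from Ezuri or from TeamTNT: it assumes the in-memory loader uses the usual mechanism, an anonymous file from `memfd_create` that is then executed, in which case `readlink("/proc/<pid>/exe")` reports `/memfd:<name> (deleted)` instead of a path. It classifies such targets, along with unlinked binaries and binaries living in tmpfs or world-writable directories; the snapshot it runs on is constructed, and `snapshot_proc()` reads the real thing.

```python
"""Find processes whose program image is not an ordinary file on disk."""
import os

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def classify_exe(target):
    """Classify the readlink() target of /proc/<pid>/exe.

    Returns a short verdict, or None for an ordinary on-disk executable.
    A memfd target also ends in ' (deleted)', so it is tested first."""
    if target.startswith("/memfd:"):
        return "fileless: executing from an anonymous memfd"
    if target.endswith(" (deleted)"):
        # Also seen when a package upgrade replaced a binary that was still
        # running, so confirm against the package manager before acting on it.
        return "executable unlinked after exec"
    if target.startswith(WRITABLE_DIRS):
        return "executable lives in a world-writable directory"
    return None

def classify_snapshot(snapshot):
    """snapshot: {pid: exe link target}. Returns [(pid, target, verdict)] for hits."""
    hits = []
    for pid, target in sorted(snapshot.items()):
        verdict = classify_exe(target)
        if verdict:
            hits.append((pid, target, verdict))
    return hits

def snapshot_proc(proc="/proc"):
    """Read a live Linux /proc into the same {pid: target} shape.

    Root is needed to read the exe link of other users' processes; kernel
    threads have no exe link at all, and both cases are simply skipped."""
    snapshot = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                snapshot[int(entry)] = os.readlink(os.path.join(proc, entry, "exe"))
            except OSError:
                continue
    return snapshot

# Constructed snapshot: pid -> what readlink(/proc/<pid>/exe) returned.
SAMPLE_SNAPSHOT = {
    1: "/usr/lib/systemd/systemd",
    812: "/usr/sbin/sshd",
    2310: "/usr/bin/python3.11 (deleted)",   # interpreter upgraded while running: benign
    4242: "/memfd:a (deleted)",              # payload launched by an in-memory loader
    4300: "/dev/shm/.x/kswapd0",             # kernel-thread lookalike dropped in a tmpfs
}

if __name__ == "__main__":
    for pid, target, verdict in classify_snapshot(SAMPLE_SNAPSHOT):
        print(f"{pid:>7}  {verdict}: {target}")
```

Swap `SAMPLE_SNAPSHOT` for `snapshot_proc()` to sweep a live host. On a hit, `/proc/<pid>/exe` can still be copied out with `cp` while the process lives, which recovers the decrypted payload for analysis even though no file was ever written to disk.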
To protect against Linux-targeted malware, developers and system administrators would do well to resist a certain "economy of attention": avoid racing against the clock wherever possible, and cultivate a culture that cautions against blind trust in things such as community-sourced code.
Cybercriminals have all the time in the world to exploit that economy of attention, and they are patient enough to wait for a developer to mistakenly leave a container deployment exposed to the public, which can then serve as the spearhead for further attacks.
It is also important that organizations pay particular attention to the security-group settings and firewalls their Linux servers use, lest they invite external access to the applications deployed on them. Linux-targeted malware thrives wherever Linux runs: servers and consumer devices, specialized operating systems, and virtual environments. Take great care to invest in thoughtful, thoroughly planned security measures that protect all of them.