Like any other software, Linux is not free from security-related threats and risks. However, with Linux now prevalent as one of the most powerful operating systems on cloud platforms and servers worldwide, the risks posed by these threats carry a different weight than they did years ago. The first part of this article presented the issues with vulnerabilities and misconfigurations and their potential consequences. At the same time, every known class of malware, such as ransomware, cryptocurrency miners, user-mode and kernel-mode rootkits, worms, Trojans, backdoors and remote access Trojans (RATs), can be found on these systems as well.
The motivation for the attacks is the same as for any other: financial gain, espionage, sabotage, hacktivism, or simply the need to prove that the systems can be compromised.
Ransomware needs no introduction. With millions of dollars having been paid to cybercriminals (whether or not the victims' files were actually decrypted), it is by far the most successful category of malware in recent times. Given the prevalence of Linux, ransomware actors find the operating system to be a very lucrative target.
A relatively new motive for attackers involves infiltrating and abusing computing resources to mine for cryptocurrency. Cybercriminals can abuse cryptocurrency mining, an extremely resource-intensive activity, by infecting devices and systems with malicious miners in order to steal resources from their victims.
There is a fierce battle for resources: Linux crypto-mining malware can kill competing mining malware on the infected machine, execute arbitrary code by exploiting vulnerabilities, run brute-force attacks, or abuse exposed service APIs. Coinminer.Linux.MALXMR.SMDSL64 was found to have been exploiting common vulnerabilities such as the SaltStack Authorization Bypass (CVE-2020-11651) and the SaltStack Directory Traversal (CVE-2020-11652), according to data from the Trend Micro™ Smart Protection Network™.
A webshell is a script that an attacker drops onto a web server, where it is designed to either help execute commands or simply provide direct access to the compromised system. In August 2020, security researchers found Ensiko, a PHP webshell that targets Linux, Windows, macOS or any other platform where PHP is installed. With this malware variant, attackers can not only execute code remotely, but also run shell commands and deface websites.
Cybercriminals also use backdoors to gain access to critical systems. One example is Backdoor.Linux.KINSING.A, a Golang-based Linux agent that looks for misconfigured Docker Daemon API ports to run an Ubuntu container.
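The misconfiguration Kinsing hunts for is a Docker daemon API listening on a TCP port without client-certificate authentication. The following audit function is an added example, not code from the original article or from Trend Micro; it inspects a constructed daemon.json (shown in its weak and corrected forms) and/or a dockerd command line, and flags any TCP listener that is reachable from the network without `tlsverify`. The sample values and the severity labels are assumptions for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed samples: a daemon.json that exposes the API unauthenticated on every
# interface, beside the corrected form (mandatory client certificates on port 2376).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
FIXED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

def parse_dockerd_cmdline(cmdline):
    """Collect -H/--host listeners and the --tlsverify flag from a dockerd command line."""
    argv, hosts, tlsverify = shlex.split(cmdline), [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify

def audit_docker_api(daemon_json="", dockerd_cmdline=""):
    """Return (severity, listener, reason) tuples for every TCP listener of the daemon API."""
    cfg = json.loads(daemon_json) if daemon_json else {}
    cli_hosts, cli_tlsverify = parse_dockerd_cmdline(dockerd_cmdline)
    hosts = list(cfg.get("hosts", [])) + cli_hosts
    tlsverify = bool(cfg.get("tlsverify")) or cli_tlsverify
    findings = []
    for listener in hosts:
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are gated by file permissions, not the network
        bind = url.hostname or ""  # "tcp://:2375" means all interfaces
        loopback = bind in ("localhost", "::1") or bind.startswith("127.")
        if not loopback and not tlsverify:
            findings.append(("CRITICAL", listener,
                             "unauthenticated Docker API reachable from the network (root-equivalent)"))
        elif not tlsverify:
            findings.append(("WARN", listener, "loopback TCP listener without client-certificate verification"))
        else:
            findings.append(("INFO", listener, "TCP listener requires a client certificate"))
    return findings
```

Run it against `/etc/docker/daemon.json` and the live `dockerd` command line (for example from `ps`), since listeners can be configured in either place.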
Rootkits are persistent threats that are intended to be hard to detect or observe. A rootkit's main purpose is to hide itself and other malware from administrators, analysts and users on one hand, and from scanning, forensic and system tools on the other. Rootkits might also open a backdoor or use a C&C server, giving an attacker ways to control and spy on an affected machine.
Security recommendations for Linux systems
As enterprises operate and innovate at unprecedented speeds, Linux usage is bound to become even more pervasive than it is now. More significantly, as more users and high-value enterprises rely on Linux for their online infrastructures and systems, it is inevitable that cybercriminals will also increasingly target Linux environments for financial gain.
Here are a few security recommendations to keep Linux systems secure:
- Adopt infrastructure as code (IaC) practices to ensure that systems are created properly and that their configurations remain as intended.
- Adopt the principle of least privilege and the shared responsibility model.
- Keep visibility at the forefront. Monitor all devices, systems, and networks.
- Replace default passwords with strong and secure ones. Always opt for multifactor authentication.
- Regularly patch and update systems.
Trend Micro solutions
Trend Micro’s comprehensive XDR solution applies the most effective expert analytics to the deep data sets collected from Trend Micro solutions across the enterprise, making faster connections to identify and stop attacks. Powerful artificial intelligence (AI) and expert security analytics correlate data from customer environments and Trend Micro’s global threat intelligence to deliver fewer, higher-fidelity alerts, leading to better, early detection. One console with one source of prioritized, optimized alerts supported with guided investigation simplifies the steps to achieving a full understanding of the attack path and impact on the organization.
Cloud-specific security solutions such as Trend Micro Hybrid Cloud Security can help protect cloud-native systems and their various layers. Hybrid Cloud Security is powered by Trend Micro Cloud One™, a security services platform for cloud builders that provides automated protection for continuous integration and continuous delivery (CI/CD) pipelines and applications. It also helps identify and resolve security issues sooner and improve delivery time for DevOps teams. Cloud One includes:
- Workload Security: runtime protection for workloads
- Container Security: automated container image and registry scanning
- File Storage Security: security for cloud files and object storage services
- Network Security: cloud network layer for intrusion prevention system (IPS) security
- Application Security: security for serverless functions, APIs, and applications
- Conformity: real-time security for cloud infrastructure — secure, optimize, comply