Linux malware on the rise
With Linux frequently used as the basis for cloud services, virtual-machine hosts, and container-based infrastructure, attackers have increasingly targeted Linux environments with sophisticated exploits and malware.
New analysis, based on telemetry collected from attacks on VMware customers, shows an increasing number of ransomware programs targeting Linux hosts to infect virtual-machine images or containers; more use of cryptojacking to monetize illicit access; and more than 14,000 instances of Cobalt Strike — 56% of which are pirated copies used by criminals or thrifty companies that have not bought licenses. The red-team tool has become so popular as a way to manage compromised machines that underground developers created their own protocol-compatible version of the Windows program for Linux, VMware states in a newly released report, “Exposing Malware in Linux-based Multi-Cloud Environments.”
While attackers may not be shifting from Windows to Linux, the level of activity shows that they are increasingly targeting Linux as well, says Brian Baskin, lead for VMWare’s Threat Analysis Unit (TAU) group.
“Most research has been focused on the Windows side, but we are now seeing an increase in attacks on the Linux side and especially against multicloud infrastructure,” he says. “Most of the cases we see involve misconfiguration at the hypervisor level or, at the server level, shared accounts, shared passwords, and poorly configured role-based access controls.”
Initial access is often not through exploitation but through credential theft. While remote code execution is the second most popular way to breach such systems — such as exploitation of the prevalent Log4j vulnerabilities — stolen credentials often give attackers more time to explore inside a victim’s network, says Giovanni Vigna, senior director of threat intelligence at VMware.
“The main attack surface area is still stolen credentials, which has the advantage that it takes a longer time to understand that a compromise has happened,” he says. “The login could seem absolutely normal and an attacker gets access to resources, but it’s not until things start going in the wrong direction that the breach is actually identified.”
Ransomware Alert
Following initial access, however, a variety of Linux-based malware is brought to bear. From ransomware, to crypto-miners, to implants from remote access management software, such as Cobalt Strike, attackers have developed a broad range of tools with which to compromise and monetize compromised Linux systems.
To read the complete article, visit Dark Reading.