Cyber criminals are increasingly targeting Linux servers and cloud infrastructure to launch ransomware campaigns, cryptojacking attacks and other illicit activity – and many organisations are leaving themselves open to attacks because Linux infrastructure is misconfigured or poorly managed.
Analysis from cybersecurity researchers at VMware warns that malware targeting Linux-based systems is increasing in volume and complexity, while there’s also a lack of focus on managing and detecting threats against them. This comes after an increase in the use of enterprises relying on cloud-based services because of the rise of hybrid working, with Linux the most common operating system in these environments.
That rise has opened new avenues that cyber criminals can exploit to compromise enterprise networks, as detailed by the research paper, including ransomware and cryptojacking attacks tailored to target Linux servers in environments that might not be as strictly monitored as those running Windows.
These attacks are designed for maximum impact, as the cyber criminals look to compromise as much as the network as possible before triggering the encryption process and ultimately demanding a ransom for the decryption key.
The report warns that ransomware has evolved to target Linux host images used to spin up workloads in virtualised environments, enabling the attackers to simultaneously encrypt vast swathes of the network and make incident response more difficult. The attacks on cloud environments also result in attackers stealing information from servers, which they threaten to publish if they’re not paid a ransom.
Ransomware families that have been seen targeting Linux servers in attacks include REvil, DarkSide and Defray777 and it’s likely that new forms of ransomware will appear that also target Linux.
Cryptojacking and other malware attacks are also increasingly targeting Linux servers. Cryptojacking malware steals processing power from CPUs and servers in order to mine for cryptocurrency.
The attacks against all operating systems often go undetected. While cryptojackers are using up energy and potentially slowing down systems, it’s usually not a noticeable enough drain to cause significant disruption.
The most common application used to mine for Monero is the open-source XMRig miner and many of these are being placed on Linux servers. If the Linux environment isn’t being correctly monitored, cryptojacking can easily go undetected and cyber criminals know this.
“Cyber criminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware. Rather than infecting a PC and then navigating to a higher value target, cyber criminals have realised that compromising a single server can deliver a massive payoff.
Many of the cyberattacks targeting Linux environments are still relatively unsophisticated when compared with equivalent attacks targeting Windows systems – that means that with the correct approach to monitoring and securing Linux-based systems, many of these attacks can be prevented.
That includes cybersecurity hygiene procedures such as ensuring default passwords aren’t in use and avoiding sharing one account across multiple users.
“Focus on the basics. The fact is that most adversaries are not super advanced,” said Brian Baskin, manager of threat research at VMware.
“They’re not looking for unique exploits, they’re looking for the general open vulnerabilities and misconfigurations. Focus on those before you start focusing on zero-day attacks and new vulnerabilities – make sure you’ve got the basics covered first,” he added.