Linux Malwares on the rise!

Linux is the host operating system for a vast number of application backends and servers, and it also powers a wide variety of Internet of Things (IoT) devices, which has made it a coveted target. The majority of cloud hosts run on Linux, yet not enough measures are taken to protect the machines that run it. Compromising Linux-based platforms gives an attacker access to numerous resources and can also cause substantial damage through ransomware & wipers.

Giovanni Vigna, Senior Director of Threat Intelligence at VMware, stated that "Linux malware has been massively overlooked!". According to the recent VMware report, cybercriminals have lately targeted Linux-based systems with the objective of infiltrating corporate & government networks and gaining access to the organization's critical infrastructure. Linux malware is evolving and has become more diverse: there was a huge spike in most malware categories in 2021 compared to past years, including ransomware, trojans & botnets.

Types of Linux attacks

There are six types of Linux attacks that are on the rise, as follows.

Ransomware on virtual machine images

Recently, ransomware groups have started to look into Linux environments, & attacks against cloud-based environments are carefully streamlined. According to VMware, cybercriminals first compromise their victim before encrypting the files. Encrypting virtual machine images hosted on ESXi hypervisors gets more attention from attackers because they are aware that doing so can significantly impact operations.

Cryptojacking

Cryptojacking is the most prevalent type of Linux malware; its objective is to generate cryptocurrency for the attacker using the victim's computational resources. One of the first notable attacks occurred back in 2018, when Tesla's public cloud fell victim.

XorDDoS, Mirai and Mozi

These malware families target IoT devices that run on Linux OS platforms, turning them into potential victims. XorDDoS, Mirai & Mozi follow the same pattern: infecting devices, accumulating them into a botnet, & using that botnet to perform DDoS attacks.

  • XorDDoS, a successful Linux Trojan, maximizes the chances of a successful attack by leveraging variants of itself built for ARM, x86, and x64 Linux architectures.
  • Mirai, a Linux Trojan, uses Telnet and Secure Shell (SSH) brute-force attacks to compromise devices and is the common ancestor of many other Linux DDoS malware variants.
  • Mozi, on the other hand, attacks its targets in a similar way, but it subsequently blocks the SSH and Telnet ports to prevent other malware from taking its place. It builds a peer-to-peer botnet and hides its connection to the command-and-control server behind normal distributed hash table (DHT) traffic.

State-sponsored attacks

Security researchers who have been monitoring nation-state groups have noticed that these groups are increasingly targeting Linux-based environments. Ryan Robinson, a security researcher at Intezer, stated that "Numerous Linux malware has been deployed incl. wipers with the onset of the Russia-Ukraine war!". As stated by ESET, the Linux wiper can destroy the entire content of the disks attached to the system using shred (a command that overwrites devices or files, helping prevent even extensive forensics from recovering the data) if it is available, or simply dd (with if=/dev/random).
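As an added defender-side example (not from the original post, nor from ESET or Intezer), the following Python scans constructed auditd-style EXECVE records for the shred and dd patterns described above. It goes slightly beyond the text by also flagging /dev/urandom and /dev/zero as dd sources; the record format, sample lines and block-device naming set are assumptions.

```python
import re

# Constructed sample auditd EXECVE records (made up for this example, not from a real host)
SAMPLE_LOG = """\
type=EXECVE msg=audit(1646000000.101:201): argc=3 a0="dd" a1="if=/dev/random" a2="of=/dev/sda"
type=EXECVE msg=audit(1646000000.102:202): argc=2 a0="shred" a1="/dev/vda"
type=EXECVE msg=audit(1646000000.103:203): argc=3 a0="dd" a1="if=/tmp/backup.img" a2="of=/tmp/copy.img"
type=EXECVE msg=audit(1646000000.104:204): argc=3 a0="shred" a1="-u" a2="/home/dev/notes.txt"
type=EXECVE msg=audit(1646000000.105:205): argc=1 a0="ls"
"""

# Whole-disk or partition device nodes commonly seen on Linux hosts (assumed naming set)
BLOCK_DEVICE = re.compile(r"^/dev/(sd[a-z]|vd[a-z]|xvd[a-z]|nvme\d+n\d+|md\d+|mapper/\S+)(p?\d+)?$")
ARG_RE = re.compile(r'a(\d+)="([^"]*)"')

def parse_execve(line):
    """Return (event_id, argv) for an auditd EXECVE record, or None for other record types."""
    if "type=EXECVE" not in line:
        return None
    m = re.search(r"msg=audit\([^)]*:(\d+)\)", line)
    event_id = m.group(1) if m else "?"
    args = sorted((int(i), v) for i, v in ARG_RE.findall(line))
    return event_id, [v for _, v in args]

def classify(argv):
    """Return a reason string if argv is a shred/dd invocation aimed at a block device, else None."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]  # tolerate full paths such as /usr/bin/shred
    if tool == "shred":
        targets = [a for a in argv[1:] if BLOCK_DEVICE.match(a)]
        if targets:
            return f"shred against block device {targets[0]}"
    elif tool == "dd":
        opts = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
        src, dst = opts.get("if", ""), opts.get("of", "")
        if BLOCK_DEVICE.match(dst) and src in ("/dev/random", "/dev/urandom", "/dev/zero"):
            return f"dd writing {src} over block device {dst}"
    return None

def find_wiper_activity(log_text):
    """Scan EXECVE records and return [(event_id, reason)] for wiper-like commands."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed:
            reason = classify(parsed[1])
            if reason:
                hits.append((parsed[0], reason))
    return hits
```

Shred or dd against a file under /home is deliberately left alone here; only block-device targets are reported, which keeps routine secure-delete of individual files from drowning out disk-wiping activity.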

Fileless attacks

Security researchers from AT&T's Alien Labs have stated that multiple attackers have started to use Ezuri, an open-source tool written in Golang, to encrypt malicious code. When decrypted, the malware payload is executed without leaving any traces on disk, which makes it hard for antivirus software to detect.

Linux malware & Windows machines

Windows Subsystem for Linux (WSL), a feature that allows Linux binaries to run natively on Windows, also allows Linux malware to target Windows machines. WSL can be installed by joining the Windows Insider program or installed manually. Qualys analyzed how feasible such attacks are by trying to gain persistence on a Windows machine through WSL; so far this produced two techniques, proxying execution and installing utilities, and Qualys concluded that both are highly feasible.

Ways to protect against malware that targets Linux environments

Security becomes a lower priority when sysadmins and developers are racing against deadlines. For instance, developers might trust community-sourced code, such as copying and pasting code from Stack Overflow, cloning and running GitHub repositories, or deploying an app from Docker Hub straight into their production environment. Attackers take advantage of this by adding crypto miners to Docker containers and by publishing open-source packages with names almost identical to heavily used libraries. Malware that targets Linux evolves across a large landscape of consumer devices and servers, virtualized environments, and specialized operating systems, so defending them effectively requires focus and thorough preparation.
