As the popularity of Linux and UNIX-like operating systems has grown, so too has the attention from malicious actors seeking to exploit vulnerabilities. With the increasing adoption of these systems in various industries, they have become lucrative targets for cyber attacks. Consequently, the belief that Linux is immune to threats is dispelled as security breaches and incidents continue to rise. According to Trend Micro’s findings, there has been a notable development, with a “62% increase in Linux ransomware attack attempts from the first quarter of 2022 to 2023, marking a concerning trend“.

Prevalent malware families targeting Linux

1) Cons of Open Source – The open source nature of Linux allows for greater visibility into its codebase, enabling malware authors to identify vulnerabilities and develop exploits more easily.

2) The perception of Linux = Security – Linux servers are often perceived as more secure than other operating systems. Giving a false sense of safety can make Linux servers particularly vulnerable to exploitation if security best practices are not implemented and maintained.

3) Widespread adoption – Linux has gained significant traction in various sectors, including web hosting, cloud computing, and enterprise environments. Its scalability, flexibility, and cost-effectiveness have made it a preferred choice for many organizations. With more Linux servers deployed across diverse industries, there’s a larger attack surface for threat actors to target.

4) Large-scale impact – Linux emerges as a prime target for cyberattacks due to its potential for large-scale repercussions. The aftermath of such attacks not only disrupts organizations’ operations but also increases threat actors’ profits.

5) High-value targets – Linux servers often host critical applications, databases, and services essential for business operations. Breaching these servers can yield valuable data or cause widespread disruption, making them lucrative targets for threat actors seeking financial gain or geopolitical motives.

In the cybersecurity landscape, Linux threat actors aren’t just aiming at personal computers; they set their sights on mid to large organizations. Mid to large organizations typically operate numerous Linux servers that host critical services, databases, and applications essential for their daily operations. Targeting these organizations allows malware authors to potentially compromise a large number of systems and access valuable data or resources.

Moreover, mid to large organizations may have more complex and diverse IT infrastructures, including a mix of on premises and cloud-based systems. This complexity offers attackers a multitude of entry points and attack vectors to exploit. Consequently, these organizations exhibit larger attack surfaces and potentially weaker security postures, often stemming from factors like reliance on legacy systems, utilization of outdated software, or lapses in security practices.

XZ Utils supply chain backdoor attack

In late March 2024, a significant cybersecurity incident unfolded within the Linux community: an attempt to compromise the widely-used XZ Utils software package. This discovery owes much to the vigilance of a Microsoft developer. Here’s a breakdown of what you need to know about this incident.

XZ Utils is indispensable for Linux systems, efficiently compressing data much like the familiar zip program on Windows. Its role in saving storage space and streamlining software file distribution cannot be overstated.

Discovery of the Backdoor: During routine performance tests, a Microsoft developer noticed unusual delays in SSH processes, leading to the uncovering of a stealthy backdoor within XZ Utils.

The exploitation of this vulnerability appears to have been a meticulously planned operation by threat actors, spanning multiple years.

For brevity’s sake, let’s summarize the key stages of this attack:

• 2021: Emergence of GitHub persona “JiaT75.”
• 2022: JiaT75 infiltration into the XZ project community, gaining trust through GitHub contributions.
• 2023: Establishment as a pivotal contact within the XZ project, followed by the disabling of critical security features.
• The turning point: In 2024, the plot thickens with the exclusion of a specific macro from version control. March 2024 marks a critical juncture with the introduction of obfuscated backdoor binary files.

Unveiling the Backdoor’s Intentions: Embedded within XZ Utils versions 5.6.0 and 5.6.1, the backdoor tampered with sshd, the program responsible for SSH connections. It allowed individuals possessing a specific encryption key to implant custom code into SSH login certificates, opening the door to potential malicious activities such as espionage or malware deployment.

Fortunately, timely detection by a vigilant developer prevented widespread havoc. Nevertheless, this incident serves as a stark reminder of the persistent cybersecurity threats facing Linux systems.

SentinelOne’s recent discovery – AcidPour

Discovered by SentinelOne researchers in March 2024, AcidPour emerges as a new variant of the AcidRain data wiping malware, originating from Russia. This malicious software first gained notoriety during the ‘Viasat hack’ in March 2022, which disrupted Eutelsat KA-SAT modems at the onset of the Russian invasion of Ukraine. As SentinelOne says: “The new malware, which we call AcidPour, expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices“.

Cryptocurrency mining and persistent access

Recently, Cado Security Labs has uncovered a fresh malware campaign targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis. Authors of this campaign deploy Golang binaries to exploit vulnerabilities within targeted systems. Once infiltrated, they execute Remote Code Execution (RCE) attacks, enabling them to seize control and initiate malicious activities. Upon gaining access, they swiftly install a cryptocurrency miner, harnessing the computational power of compromised servers for their own gain. Additionally, they establish persistent access through the deployment of shell scripts, ensuring prolonged control over the compromised infrastructure.

GTPDOOR – another Linux backdoor attack

A new Linux malware, GTPDOOR, has been found targeting global mobile networks, particularly telecom operators. Believed to be created by a Chinese group, it exploits vulnerabilities in outdated Red Hat Linux versions and critical telecom systems (like SGSN, GGSN, and P-GW). Once installed, leveraging exploits within outdated Linux distributions and critical telecom infrastructure, it allows attackers to access sensitive data and execute commands on compromised networks.

Linux threats will be appearing in various forms, each posing unique risks to organizations. From malware and ransomware targeting Linux servers to sophisticated backdoors infiltrating critical infrastructure, the diversity and complexity of Linux threats demand a comprehensive approach to cybersecurity.

In a landscape plagued by an increasing number of Linux threats, say goodbye to tedious manual interventions and endless investigations. With VMRay Platform products, you’ll streamline your workflow, reducing time spent on incident resolution and analysis. Try out DeepResponse or TotalInsight to stay ahead of Linux threats.

Having Linux support in the VMRay products:

• reduces the time spent on manual intervention & investigation
• decreases time to incident resolution
• minimizes time spent on triage & analysis
• provides accurate results (far beyond those obtained via freeware tools).

Linux ELF analysis availability in the VMRay products

Mirai – Linux bot analysis in the VMRay Platform

Further reading: 

For those seeking further insights on the XZ Utils supply chain attack, explore these curated resources:

https://www.theverge.com/2024/4/2/24119342/xz-utils-linux-backdoor-attempt

https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

https://infosecwriteups.com/why-you-should-care-about-the-xz-exploit-7144ca210160