Linux Malware Attacks are Increasing, and Businesses Aren't Ready

ZDNet reports: Cyber criminals are increasingly targeting Linux servers and cloud infrastructure to launch ransomware campaigns, cryptojacking attacks and other illicit activity — and many organisations are leaving themselves open to attacks because Linux infrastructure is misconfigured or poorly managed. Analysis from cybersecurity researchers at VMware warns that malware targeting Linux-based systems is increasing in volume and complexity, while there's also a lack of focus on managing and detecting threats against them.

This comes after an increase in the use of enterprises relying on cloud-based services because of the rise of hybrid working, with Linux the most common operating system in these environments. That rise has opened new avenues that cyber criminals can exploit to compromise enterprise networks, as detailed by the research paper, including ransomware and cryptojacking attacks tailored to target Linux servers in environments that might not be as strictly monitored as those running Windows. These attacks are designed for maximum impact, as the cyber criminals look to compromise as much as the network as possible before triggering the encryption process and ultimately demanding a ransom for the decryption key.

The report warns that ransomware has evolved to target Linux host images used to spin up workloads in virtualised environments, enabling the attackers to simultaneously encrypt vast swathes of the network and make incident response more difficult. The attacks on cloud environments also result in attackers stealing information from servers, which they threaten to publish if they're not paid a ransom.... Cryptojacking and other malware attacks are also increasingly targeting Linux servers. Cryptojacking malware steals processing power from CPUs and servers in order to mine for cryptocurrency....

Many of the cyberattacks targeting Linux environments are still relatively unsophisticated when compared with equivalent attacks targeting Windows systems — that means that with the correct approach to monitoring and securing Linux-based systems, many of these attacks can be prevented. That includes cybersecurity hygiene procedures such as ensuring default passwords aren't in use and avoiding sharing one account across multiple users.

What did you expect?

[Rosco P. Coltrane]

Company choose Linux (or rather, Linux + GNU + whatever-open-source) because it's free and they don't have to license anything. Typical example: Google built Android on the backs of open-source developers and didn't pay them a cent for their work.

Net result: stuff that ends up getting used by everybody and has become critical infrastructure is often maintained by a single guy, or a few guys, for free, in their spare time, with no salary and no thanks to show for their work. And now "security specialists" -

Re:What did you expect?

[Klaxton]

The recommendations were "ensuring default passwords aren't in use and avoiding sharing one account across multiple users". Code quality isn't involved when you can simply guess the account passwords and log on.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Z00L00K]

There's always some single point of failure involved in the computer industry, at least with open source you have a chance to survive if that single guy bites the dust.

Re:

[drinkypoo]

Typical example: Google built Android on the backs of open-source developers and didn't pay them a cent for their work.

They paid them in the coin which they demanded, source code for their improvements. Consequently, Google paid EVERY CENT that was expected. Or did you think that Google released OSS Android out of goodness?

Net result: stuff that ends up getting used by everybody and has become critical infrastructure is often maintained by a single guy, or a few guys, for free, in their spare time, with no salary and no thanks to show for their work.

They can choose to stop at any time. The OSS community will route around the problem either by forking and maintaining, or replacing.

Re:

[drinkypoo]

Where has this actually been happening rather than projects just stop being maintained but because they still exist in an unmaintained state people just keep using them?

LineageOS is one good example of an abandoned project (CyanogenMod) being picked up and brought back to full life.

Re:

[jd]

Microsoft released Windows XP with so many known defects that their bug tracker at the time could only report the first 65,536 of them. Microsoft's OS, even now, has a defect density somewhere between 10x and 100x that of Linux. Microsoft never managed better than a C3 rating under the Orange Book system. And you complain about Linux.

Re:

[mspohr]

65K should be enough for anyone.

Re:

[blarkon]

Typical Slashdot comment - rather than address the problem (Linux requires extraordinary skills to properly configure in a secure manner) you instead squeal about Microsoft. No need to make LINUX BETTER if you can just WHINGE ABOUT MICROSOFT.

Re:

[theshowmecanuck]

I like Linux, but was thinking this same thing. It is not an easy thing to manage properly. I think about Novell Netware when they didn't think they needed to listen to customers to make their system less cryptic and make it easier to use. They didn't do either. And in the end people stopped buying it and started using Windows networking tools. Linux is free as in beer but the people with the skillset to manage it are not, and they are in short supply. It might become used less unless it is easier to use sa

Re:

[Bert64]

Linux isn't any more difficult to properly configure than windows, if anything it's considerably simpler.

A lot of people make the same common mistakes across both platforms - poor passwords, password reuse, falling victim to phishing, running services with excessive privileges, poor logging/allerting so they dont notice attacks, not applying updates for known holes etc.

Re:

[ctilsie242]

Extraordinary skills? Like put in a USB flash drive or ISO, boot to it, and run the installer?

Linux is pretty good at security. There are a lot more Linux servers out there than Windows, and if Linux were as often compromised as Windows, we would definitely be noticing the mass screaming as opposed to a firm pointing out that malware attacks are up.

Most mainstream Linux distributions ship decently secure out of the box. Ubuntu doesn't have a SSH server on the desktop unless explicitly enabled. Ubuntu se

Linux has many of the same issues as Windows

[martynhare]

* Proper pass the hash mitigations have not even been attempted
* Still no proper per-application outbound firewalling by default
* GUI apps are still insecure and not properly isolated from one another
* Unsigned binaries are permitted to execute, as are unsigned scripts
* No per-file encryption keys, despite toy OSes like iOS having this
* No way to truly attest to the security of the system partition to a third party
* No way to revoke access to compromised software or force updates
* No way to au

Re:

[jd]

Perhaps, and this is a stretch because you'd otherwise have read the post, you'd have noticed there isn't a whole lot in there about not making Linux better but rather complaining about releasing software with a large catalogue of known defects.

Perhaps, and since your UID has rather more digits than mine, you haven't been here long enough to know that I've never been a fan of stupidly flawed software, be it under the Linux brand, the OpenBSD brand, the Microsoft brand or even the Plan9 brand. And, yes, I do

Re:

[jd]

Well, it's hardly a Wondows fanboy post, and if you'd been on Slashdot for long enough to recognize what a 4-digit UID indicates, you'd know better than to not read a post and assume that you could get away with looking at one or two words.

No shit sherlock

[stooo]

>> Cyber criminals are increasingly targeting Linux servers

No shit sherlock.
Are there any windows servers left to attack ? with valuables to retrieve ?
No ?
Then it's logical to attack Linux servers.

Re:

[wv5k]

What I wouldn't give for Mod points today... ;-)

So don't use vmware, duh

[Anonymous Coward]

The report warns that ransomware has evolved to target Linux host images used to spin up workloads in virtualised environments...

Don't use vmware as a cloud. Duh.

Don't use a cloud. Duh.

[stooo]

Don't use a cloud. Duh.
Ger a blue sky.

Obvious answer

[jargonburn]

This is why I run everything in Hyper-V!
ha ha

Re:

[Nrrqshrr]

Will 2022 be the year of TempleOS?

So they are targeting the Linux

[oldgraybeard]

VMWare repackaged? if you have looked at VMWare ESXi. it is a little surprising they don't need to publish or disclose anything. Kind of looks like a re rolled Linux. But hey! Their not getting sued! So must be OK.

Re: So they are targeting the Linux

[ccady]

I am confused. Don't the vulnerabilities lie in the proprietary ESXi software?

Re:

[oldgraybeard]

Exploit in ESXi Interesting? The secure part(Linux), is the part where VMWare's use always felt a little icky to me.

Blaming the victim?

[Larsen E Whipsnade]

Oh, it's not configured and maintained properly. This sounds like the argument that pointer unsafe languages are fine, just don't wrote stray pointer bugs.

(I'm assuming for the sake of argument that TFA isn't overhyped.)

Cloud computing is a bad idea, for starters. Don't do cloud. Just don't. Offsite backups, yes. Cloud, hell no.

The rest is on the corporations who make the enterprise Linux distros. Make them secure by default, and make them hard to misconfigure. Lock them down, so to speak. Because enterpris

Re:

[Z00L00K]

A support contract becomes a protection racket as soon as your system stops working if you stop paying.

If you run your own system and don't need support 24/7 but just occasionally then it can be cheaper to just call in your local IT pro by the hour.

Unfortunately with cloud computing the number of IT pros are declining. And that may be the ultimate goal for the big cloud computing services - kill off all local IT knowledge and concentrate that to a few data centers.

Re:

[stwrtpj]

Unfortunately with cloud computing the number of IT pros are declining. And that may be the ultimate goal for the big cloud computing services - kill off all local IT knowledge and concentrate that to a few data centers.

Not necessarily. It depends on the company. I'm in a devops group that manages our company's resources in AWS, and we hire only people who can demonstrate a clear and deep understanding of linux administration and at least basic security skills (and even then we send them off for training). We don't just toss stuff into the cloud and hope it stays secure. We take great pains to lock everything down as much as possible and to run the proper tools that monitor our deployments and let is know if anything is co

Re:

[Average]

Not necessarily. It depends on the company. I'm in a devops group that manages our company's resources in AWS, and we hire only people who can demonstrate a clear and deep understanding of linux administration and at least basic security skills (and even then we send them off for training). We don't just toss stuff into the cloud and hope it stays secure.

You and, by-and-large, everyone else. To me, that's a big problem with high automation, cloud, etc. How did I get started 20-plus years ago? Editing BIND zones. Manually configuring ifconfig settings. Editing Apache rules. Configuring sendmail (shudder). Eventually provisioning servers from "insert the RAM the right way" to production.

All those entry-level tasks are now no longer jobs. They're an API call, set up by some deeply experienced Linux admin, probably in Terraform or Ansible code. We don't hir

Re:

[Bert64]

Yes people know how to use scripts or APIs provided by someone else, but they lack the basic knowledge of what's actually happening under the hood. As soon as something isn't working, they have no ability to diagnose what the problem is or fix it themselves - or in some cases even notice that there's a problem.

Re:

[wv5k]

Again (from a previous post), what I wouldn't give for Mod points today...

Re:Blaming the victim?

[ChatHuant]

Unfortunately with cloud computing the number of IT pros are declining.

I'd like to point out that a similar trajectory was followed by pretty much any industry. People used do dig their own wells or built their own cisterns, but now hardly anybody does that anymore; instead we all get water from somebody else's reservoirs, flowing through somebody else's pipes - and those reservoirs and pipes are designed and maintained by specialized people, more skilled in their domain than the vast majority of village well diggers. We don't make our own candles anymore either - we rely on somebody else's power plants and power distribution infrastructure. Few of us still raise their own pig or cow; we let specialist farmers do this - and again, those specialists are more knowledgeable and productive than most amateur farmers.

It boils down to economy of scale. For most things it's not economical to do things at the local level. The same applies to the cloud. Many small businesses can't afford a dedicated IT specialist - so either they do without one, with the associated security or failure risks or else they go to the cloud.

The same process happened again and again, in all kinds of industries. It has now reached IT. It sucks for the itinerant journeyman IT worker, who will see himself obsoleted - just as it happened with the saddle-makers of yore - but, on the whole, I believe more people will profit from computing becoming just another utility.

Re:

[arfonrg]

Wells and pipes aren't entrances into your house. Things like that can be outsourced and you don't need to worry about break-ins and theft.

Things that are security risks should NOT be outsourced because the providers generally provide systems that do the most for the most people and generally don't care about YOUR security needs.

If you host critical systems on other people's hardware, you're a fool.

Re:

[arfonrg]

...and if you don't spend the money on IT to host your own (securely), you shouldn't be doing an IT operation.

Re:

[ChatHuant]

Wells and pipes aren't entrances into your house. Things like that can be outsourced and you don't need to worry about break-ins and theft.

Pipes aren't entrances to your house, but your network connection to the cloud is? That makes no sense whatsoever. And I'll note that some pipes, like air ducts *could* be entrances to your house. No fiber or cable network can.

If you happen to live in an area where you need to worry about break-ins, then putting your applications in the cloud makes even more sense. What happens if you keep your servers local and your house or office gets broken in or burglarized? You'll lose all your business, and maybe exp

Re:

[arfonrg]

"Pipes aren't entrances to your house, but your network connection to the cloud is? That makes no sense whatsoever."

I can't believe that I'm having to explain YOUR example to you.... Your assertion: "that people now hire people to maintain pipes [is analogous to network security]” ...is completely inaccurate because you're ignoring the whole point of the original posting: security

Residential pipes are NOT a home security risk. No one is going to gain access into your house through a ½” wa

Re:

[Paul Carver]

Let's talk about YOUR data center

MY data center? You mean the one I live in 24 hours per day and guard with my stockpile of weapons while scanning the logs manually because I don't trust anyone else? Or the one that I trust other people to guard and secure?

What difference does it make whether my company pays those people via W2, 1099 or B2B purchase order/billing? There are plenty of W2 employees who talk shit about their employer and are perfectly willing to engage in theft or sabotage. Simply paying people via direct paycheck as W2 emplo

Re:

[arfonrg]

"MY data center? You mean the one I live in 24 hours per day and guard with my stockpile of weapons while scanning the logs manually because I don't trust anyone else? Or the one that I trust other people to guard and secure?"

If that's your data center then, no. You are absolutely running your IT operations wrong. You are not much better than the 'big-box data centers'.

"What difference does it make whether my company pays those people via W2, 1099 or B2B purchase order/billing? There are plenty of W2 employ

Re:

[Paul Carver]

YOUR competent IT people have more control over your security

What makes them "MY" competent IT people? Does a W2 make them mine but a 1099 doesn't? Are they still "MINE" if they use software that somebody else wrote in order to do their job?

If I use a firewall and/or IDS that I bought from a company that provides frequently updated signatures is that less "MINE" than if I pay a W2 employee to write all the signatures from scratch based on their own research? Maybe, but can every company afford to dedicate one or more employees to writing IDS signatures full time inst

Re:

[Canberra1]

Ding Ding - Correct. And the number of 'Experts' is growing where their sum knowledge is pick that brand-name, or product 'stack'. Details like security, patches or backups, are just vague concepts. Management is still getting its revenge on the backroom boffins in white cotton coats who kept saying 'No'. That image has now changed to 'Silicon Valley' snot-noses who expect CEO remuneration, and overpaid backroom administrators who just seem to be recurrent expenses. Respected consulting companies say 'Sack

Re:

[Gravis Zero]

I hate cloud computing but they are not blaming the victim. No cloud service can ensure your configurations are always going to be secure because they don't know what you are doing. For all they know, you want those exposed files to be accessible to the world. Furthermore, you get what you pay for and nothing more. If you want a 100% managed system that is secure then you can pay for that service but that's not what cloud providers are for.

This is on businesses, not the service providers.

Re:

[gweihir]

If you run a Linux server without competent system administration, you are not a victim. You are part pf the problem and are doing it to yourself.

Re:

[Bert64]

Most linux distros are fairly secure by default - only SSH listening on a server distro, forces you to set a custom root password, all software is package managed and centrally updated.
Insecurity usually creeps in through actions taken by the user, not due to inherent weaknesses in the distro.

So is it the year of the Linux desktop yet?

[mark-t]

[nt]

Re:

[Tablizer]

If this keeps up, it'll be Year of the Windows Server :-)

Say it ain't so!

[Gravis Zero]

You're telling me that businesses aren't adequately investing in security? It cannot be! You are telling me that that a business would make such shortsighted decision just to make a few more bucks? That can't be capitalism, you must be thinking of the communists with their free computer and free softwa-OH GOD! You bastards did it! YOU TURNED US INTO COMMUNISTS! /s

Article gives no clues as to how it is deployed

[mark-t]

Does it exploit kernel or other vulnerabilities, or what?

It's entirely unclear if simply being patched to latest levels is adequate, or if the malware is deployed onto a Linux system through social engineering mechanisms.

Re:

[gweihir]

Typically, no. It exploits misconfiguration and missing patches. Social engineering seems to be rare on Linux. As to patching, maybe read your distro's security feed? Even on Linux patching a vulnerability needs some time (much faster than on Windwoes usually though), and propagation to your distro may need some time as well.

Re:

[Aighearach]

Does it exploit kernel or other vulnerabilities, or what?

It's entirely unclear if simply being patched to latest levels is adequate, or if the malware is deployed onto a Linux system through social engineering mechanisms.

If it even required being patched, they would have made it clear.

This is saying that Linux doesn't protect you from password-sharing or default passwords, and the malware people are simply building payloads for linux. Payloads for linux is the only linux-related part of the story.

Low-hanging fruit

[bill_mcgonigle]

If you use unattended updates and monitor the age of your dpkg.log then your systems generally aren't worth fussing with. Plenty of people don't do either and give the criminals tremendous free computing resources.

Switching back to Windows

[ayesnymous]

Just switched all our servers to Linux, but switching back to Windows on this news.

Re:

[Anne Thwacks]

but switching back to Windows on this news.

This is almost certainly the No 1 way of compromising Linux!

And

[Impy the Impiuos Imp]

15 years ago I pointed out, in response to pithy statements as to how invulnerable Linux was compared to Windows that, if Linux had anywhere near Windows' installed base, it would be the focus of attention of thousands of hackers worldwide, and would not seem so secure anymore.

I would get modded down.

Let's see if that still happens.

Re:

[arfonrg]

"if Linux had anywhere near Windows' installed base, it would be the focus of attention of thousands of hackers worldwide, and would not seem so secure anymore."

Three problems with that statement-

1) Linux has a far larger enterprise user base than windows. Enterprise is where the gold is. Hacking grandma's windows ME machine is what script kiddies go after. Even with the larger user base, 90% of Linux exploits require the user to be stupid.

2) Windows runs ALOT of garbage processes with alot of open ports