Outdated Linux Versions, Misconfigurations Triggering Cloud Attacks: Report

The “Linux Threat Report 2021 1H” from Trend Micro found that Linux cloud operating systems are heavily targeted for cyberattacks, with nearly 13 million detections in the first half of this year. As organizations expand their footprint in the cloud, they are correspondingly exposed to the pervasive threats that exist in the Linux landscape.

This latest threat report, released Aug. 23, provides an in-depth look at the Linux threat landscape. It discusses several pressing security issues that affect Linux running in the cloud.

The researchers characterize Linux as powerful, universal, and dependable, but not devoid of flaws. Like any other operating system, Linux remains susceptible to attack.

Linux in the cloud powers most infrastructures, and Linux users make up the majority of the Trend Micro Cloud One enterprise customer base at 61 percent, compared to 39 percent Windows users.

The data comes from the Trend Micro Smart Protection Network (SPN), the data reservoir for detections across all of Trend Micro’s products. The results show enterprise Linux at considerable risk from system configuration mistakes and outdated Linux distributions.

For instance, data from the internet scan engine Censys.io revealed nearly 14 million results for exposed devices running some sort of Linux operating system on July 6, 2021. A Shodan search for port 22, the port commonly used for Secure Shell (SSH) on Linux-based machines, showed almost 19 million exposed devices as of July 27, 2021.

As with any operating system, security depends entirely on how you use, configure, and manage it. Each new Linux release tries to improve security, but to get the value you must enable and configure it correctly, cautioned Joseph Carson, chief security scientist and advisory CISO at Thycotic.

“The state of Linux security today is rather good and has evolved in a positive way, with much more visibility and security features built-in. Nevertheless, like many operating systems, you must install, configure, and manage it with security in mind — as how cybercriminals take advantage is the human touch,” he told LinuxInsider.

Top Linux Threats

The Trend Micro Report disclosed rampant malware families within Linux systems. Unlike previous reports based on malware types, this study focused on the prevalence of Linux as an operating system and the pervasiveness of the various threats and vulnerabilities that stalk the OS.

That approach showed that the top three threat detections originated in the U.S. (almost 40 percent), Thailand (19 percent), and Singapore (14 percent).

Detections arose from systems running end-of-life versions of Linux distributions. The four expired distributions were from CentOS versions 7.4 to 7.9 (almost 44 percent), CloudLinux Server (more than 40 percent), and Ubuntu (about 7 percent).

Trend Micro tracked more than 13 million malware events flagged by its sensors. Researchers then compiled a list of the prominent threat types, consolidated from the top 10 malware families affecting Linux servers from Jan. 1 to June 30, 2021.

The top threat types found in Linux systems in the first half of 2021 are:

  • Coinminers (24.56 percent)
  • Web shell (19.92 percent)
  • Ransomware (11.56 percent)
  • Trojans (9.56 percent)
  • Others (3.15 percent)

The top four Linux distributions where the top threat types in Linux systems were found in H1-2021 are:

  • CentOS Linux (50.80 percent)
  • CloudLinux Server (31.24 percent)
  • Ubuntu Server (9.56 percent)
  • Red Hat Enterprise Linux Server (2.73 percent)

Top malware families include:

  • Coinminers (25 percent)
  • Web shells (20 percent)
  • Ransomware (12 percent)

CentOS Linux and CloudLinux Server are the distributions in which these threat types were found most often, and web application attacks are the most common attack vector.

Web Apps Top Targets

Most of the applications and workloads exposed to the internet run web applications. Web application attacks are among the most common attack vectors in Trend Micro’s telemetry, said researchers.

If launched successfully, web app attacks allow hackers to execute arbitrary scripts and compromise secrets. Web app attacks also can modify, extract, or destroy data. The research shows that 76 percent of the attacks are web-based.

The LAMP stack (Linux, Apache, MySQL, PHP) made it inexpensive and easy to create web applications. In a very real way, it democratized the internet so anyone can set up a web application, according to John Bambenek, threat intelligence advisor at Netenrich.

“The problem with that is that anyone can set up a web app. While we are still waiting for the year of Linux on the desktop, it is important for organizations to use best practices for their web presences. Typically, this means staying on top of CMS patches/updates and routine scanning with even open-source tools (like the Zed Attack Proxy) to find and remediate SQL injection vulnerabilities,” he told LinuxInsider.

The report referenced the Open Web Application Security Project (OWASP) top 10 security risks, which lists injection flaws and cross-site scripting (XSS) attacks as prominent as ever. What strikes Trend Micro researchers as significant is the high number of insecure deserialization vulnerabilities.

This is partly due to the ubiquity of Java and the deserialization vulnerabilities in it, according to Trend Micro. Its report also noted the Liferay Portal, Ruby on Rails, and Red Hat JBoss deserialization vulnerabilities as prominent.

Attackers also exploit broken authentication vulnerabilities to gain unauthorized access to systems. The number of command injection hits was also a surprise, as it was higher than Trend Micro’s analysts expected.

Expected Trend

It is no surprise that the majority of these attacks are web-based. Every website is different, written by different developers with different skill sets, observed Shawn Smith, director of infrastructure at nVisium.

“There is a wide range of different frameworks across a multitude of languages with various components that all have their own advantages and drawbacks. Combine this with the fact that not all developers are security gurus, and you’ve got an incredibly alluring target,” he told LinuxInsider.

Web servers are one of the most common services to expose to the internet because most of the world interacts with the internet through websites. There are other areas exposed — like FTP or IRC servers — but the vast majority of the world is using websites as their main contact point to the internet.

“As a result, this is where attackers will focus to get the biggest return on investment for their time spent,” Smith said.

OSS Linked to Supply Chain Attacks

Software supply chains must be secured to deal with the Linux attack landscape as well, noted the Trend Micro report. Attackers can insert malicious code to compromise software components from third-party suppliers. That code then connects to a command-and-control server to download and deploy backdoors and other malicious payloads within the system.

This can lead to remote code execution on an enterprise’s systems and computing resources. Supply chain attacks can also come from misconfigurations, which are the second most common incident type in cloud-native environments, according to the Trend Micro report. More than 56 percent of its survey respondents had a misconfiguration or known unpatched vulnerability incident involving their cloud-native applications.

Hackers are having an easy time. “The major attack types on web-based applications have remained constant over the recent past. That, combined with the rising time-to-fix and declining remediation rates, makes the hackers’ job easier,” said Setu Kulkarni, vice president of strategy at NTT Application Security.

Organizations need to test applications in production, figuring out what their top three-to-five vulnerability types are. Then launch a targeted campaign to address them, rinse, and repeat, he recommended.

The “Linux Threat Report 2021 1H” is available here.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.


Reports Warn of Worsening Warfare From Cyber Criminals in 2022

Brace yourself: 2022 promises to bring expanded cyber confrontations as ransomware attacks gain the high ground.

A dangerous increase in ransomware attacks last year caused devastating compromises to government organizations, critical infrastructure, and businesses. Much of the increase resulted from cybercriminals becoming increasingly innovative and bold in their approach.

A report from Positive Technologies late last month found cybercriminals can penetrate 93 percent of local company networks and trigger 71 percent of events deemed ‘unacceptable’ for their businesses.

It takes an average of two days for cybercriminals to penetrate a company’s internal network. Researchers found that all the analyzed companies were susceptible to an intruder gaining full control over the infrastructure once inside the network.

Positive studied results of testing involving financial organizations (29 percent), fuel and energy organizations (18 percent), government (16 percent), industrial (16 percent), IT companies (13 percent), and other sectors.

Bugcrowd on Jan. 18 released its annual Priority One Report, which revealed a 185 percent increase in high-risk vulnerabilities within the financial sector. It also documented the increase in ransomware and the reimagining of supply chains that led to more complex attack surfaces during the pandemic.

Ransomware Out of Control

Ransomware overtook personal data breaches as the threat that dominated cybersecurity news across the world at 2021’s end. Global lockdowns and remote work caused a rush to put more assets online, which led to an increase in vulnerabilities.

These reports show that all companies and organizations are now more susceptible to hacking and must double down on long-term cyber defense. Individual consumers are targets as well.

Ransomware is a major concern for everyone. Attackers can disrupt our daily lives whether they go after hospitals, gas pipelines, schools, or other businesses, warned Theresa Payton, former White House chief information officer and current CEO of cybersecurity consultancy firm Fortalice Solutions.

“Ransomware syndicates have no boundaries and do attack our personal systems and devices as well,” she told TechNewsWorld.

Another Case in Point

Hackers are buying space from major cloud providers to distribute Nanocore, Netwire, and AsyncRAT malware, according to a Jan. 12 Cisco Talos blog.

The threat actor, in this case, used cloud services to deploy and deliver variants of commodity remote access threats (RATs). Those deployments contained information-stealing capability starting around Oct. 26, 2021.

These variants are packed with multiple features to take control over the victim’s environment to execute arbitrary commands remotely and steal the victim’s information, according to Cisco Talos. The initial infection vector is a phishing email with a malicious ZIP attachment.

These ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file, or Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.

To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service.

Researchers Became Hackers

During the assessment of protection against external attacks, Positive Technologies experts breached the network perimeter in 93 percent of cases. This figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure, according to the company’s researchers.

“In 20 percent of our pentesting (penetration testing) projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those,” Ekaterina Kilyusheva, head of research and analytics at Positive Technologies, told TechNewsWorld.

According to Positive’s customers, events involving the disruption of technological processes and the provision of services, plus the theft of funds and important information, pose the greatest danger, she said. In total, Positive Technologies pentesters confirmed the feasibility of 71 percent of these unacceptable events.

“Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.

An attacker’s path from external networks to target systems begins with breaching the network perimeter. It takes two days to penetrate a company’s internal network.

Credential compromise is the main way criminals penetrate the corporate network at most companies. That is mainly because simple passwords are in use, including for accounts used for system administration, according to Positive’s report.

Financial organizations are considered to be among the most protected companies, yet Positive verified unacceptable events in each of the banks it tested, noted Kilyusheva.

“Our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds,” she explained.

Key Cybersecurity Trends

Bugcrowd’s Priority One report spotlighted the key cybersecurity trends of the past year. These include the rise in the adoption of crowdsourced security due to the global shift to hybrid and remote work models and the rapid digital transformation associated with it.

The report reveals that the strategic focus for many organizations across industries has shifted, with the emphasis now on clearing residual security debt associated with that transformation.

Until now, highly advanced maneuvers and clandestine operations defined attack strategies. But this approach started to shift last year toward more commonplace tactics such as attacks on known vulnerabilities.

Diplomatic norms around hacking have weakened to the point where nation-state attackers are now less concerned with being stealthy than in the past, according to Bugcrowd.

Top highlights from the 2022 Priority One Report include:

  • Cross-site scripting was the most commonly identified vulnerability type
  • Sensitive data exposure moved up to the third position from the ninth on the list of the 10 most commonly identified vulnerability types
  • Ransomware went mainstream, and governments responded
  • Supply chains became a primary attack surface
  • Penetration testing entered a renaissance

An emerging ransomware economy and a continued blurring of lines between state actors and e-Crime organizations are changing the cyber threat landscape, according to Casey Ellis, founder and chief technology officer for Bugcrowd.

“All of which, combined with growing and more lucrative attack surfaces, have made for a highly combustible environment. In 2022, we expect more of the same,” he predicted.

To Pay or Not To Pay?

Cyber experts and some governments used to preach not paying a ransom. This is still a valid strategy, although not all government officials and cyber experts agree.

Not paying the ransom should be a global goal to disincentivize cybercrime syndicates. While responding to incidents, the Fortalice Solutions team has seen that victims frequently do not want to pay the ransom, noted Payton. Still, their cyber liability insurance companies may deem it cheaper to pay the extortionists than to pay for a recovery effort. That is problematic.

“If someone has to pay, I do not judge the victim organization or victim shame because that does not solve the issue. But when considering payment, victims should know that payments, which averaged $170,000 (per Sophos research) do not assure full data recovery,” Payton said.

Sophos also found that 29 percent of affected companies failed to recover even half of their encrypted data, with only eight percent achieving full data recovery.

Historically, ransomware has targeted organizations with mission-critical data over individuals. But, if you have ever lost data to an old hard drive failure, you have felt the pain of a ransomware attack, according to Lisa Frankovitch, CEO of network management firm Uplogix.

It is much better to employ security best practices such as two-factor authentication, password managers, and encryption than to have to decide whether or not to pay the ransom, she advised.

Impact on End Users

The biggest threat that cyberattacks pose to both businesses and consumers is downtime, noted Frankovitch. Whether your network has been breached or your personal identity has been stolen, the disruption and downtime can be catastrophic.

“Gartner estimates that the average cost of a network outage is over $300,000 an hour,” she told TechNewsWorld.

Regarding security for enterprise networks, the U.S. National Security Agency (NSA) published guidelines on using out-of-band management to create a framework that improves network security by segmenting management traffic from operational traffic.

By ensuring that management traffic comes only over the out-of-band communications path, compromised user devices or malicious network traffic are prevented from affecting network operations and compromising network infrastructure, explained Frankovitch.
