Outdated Linux Versions, Misconfigurations Triggering Cloud Attacks: Report

The “Linux Threat Report 2021 1H” from Trend Micro found that Linux cloud operating systems are heavily targeted for cyberattacks, with nearly 13 million detections in the first half of this year. As organizations expand their footprint in the cloud, they are correspondingly exposed to the pervasive threats that exist in the Linux landscape.

This latest threat report, released Aug. 23, provides an in-depth look at the Linux threat landscape. It discusses several pressing security issues that affect Linux running in the cloud.

Key findings include that Linux is powerful, universal, and dependable, but not devoid of flaws, according to the researchers; like any other operating system, it remains susceptible to attack.

Linux in the cloud powers most infrastructures, and Linux users make up the majority of the Trend Micro Cloud One enterprise customer base at 61 percent, compared to 39 percent Windows users.

The data comes from the Trend Micro Smart Protection Network (SPN) or the data reservoir for all detections across all Trend Micro’s products. The results show enterprise Linux at considerable risk from system configuration mistakes and outdated Linux distributions.

For instance, data from the internet scan engine Censys.io returned nearly 14 million results for exposed devices running some form of Linux operating system on July 6, 2021. A Shodan search for port 22, the port commonly used by the Secure Shell Protocol (SSH) on Linux-based machines, showed almost 19 million exposed devices as of July 27, 2021.

As with any operating system, security depends entirely on how you use, configure, and manage it. Each new Linux update tries to improve security, but to get the value you must enable and configure it correctly, cautioned Joseph Carson, chief security scientist and advisory CISO at Thycotic.

“The state of Linux security today is rather good and has evolved in a positive way, with much more visibility and security features built-in. Nevertheless, like many operating systems, you must install, configure, and manage it with security in mind — as how cybercriminals take advantage is the human touch,” he told LinuxInsider.

Top Linux Threats

The Trend Micro Report disclosed rampant malware families within Linux systems. Unlike previous reports based on malware types, this study focused on the prevalence of Linux as an operating system and the pervasiveness of the various threats and vulnerabilities that stalk the OS.

That approach showed that the top three threat detections originated in the U.S. (almost 40 percent), Thailand (19 percent), and Singapore (14 percent).

Detections arose from systems running end-of-life versions of Linux distributions. The four expired distributions were from CentOS versions 7.4 to 7.9 (almost 44 percent), CloudLinux Server (more than 40 percent), and Ubuntu (about 7 percent).

Trend Micro tracked more than 13 million malware events flagged by its sensors. Researchers then compiled a list of the prominent threat types, consolidated from the top 10 malware families affecting Linux servers from Jan. 1 to June 30, 2021.

The top threat types found in Linux systems in the first half of 2021 are:

  • Coinminers (24.56 percent)
  • Web shell (19.92 percent)
  • Ransomware (11.56 percent)
  • Trojans (9.56 percent)
  • Others (3.15 percent)

The top four Linux distributions where the top threat types in Linux systems were found in H1-2021 are:

  • CentOS Linux (50.80 percent)
  • CloudLinux Server (31.24 percent)
  • Ubuntu Server (9.56 percent)
  • Red Hat Enterprise Linux Server (2.73 percent)

Top malware families include:

  • Coinminers (25 percent)
  • Web shells (20 percent)
  • Ransomware (12 percent)

CentOS Linux and CloudLinux Server are the distributions where those threat types were found most often, and web application attacks are the most common attack vector.

Web Apps Top Targets

Most of the applications and workloads exposed to the internet run web applications. Web application attacks are among the most common attack vectors in Trend Micro’s telemetry, said researchers.

A successful web app attack lets an attacker execute arbitrary scripts and compromise secrets, and can also modify, extract, or destroy data. The research shows that 76 percent of the attacks are web-based.

The LAMP stack (Linux, Apache, MySQL, PHP) made it inexpensive and easy to create web applications. In a very real way, it democratized the internet so anyone can set up a web application, according to John Bambenek, threat intelligence advisor at Netenrich.

“The problem with that is that anyone can set up a web app. While we are still waiting for the year of Linux on the desktop, it is important for organizations to use best practices for their web presences. Typically, this means staying on top of CMS patches/updates and routine scanning with even open-source tools (like the Zed Attack Proxy) to find and remediate SQL injection vulnerabilities,” he told LinuxInsider.

The report referenced the Open Web Application Security Project (OWASP) Top 10 security risks, in which injection flaws and cross-site scripting (XSS) attacks remain as prominent as ever. What strikes Trend Micro researchers as significant is the high number of insecure deserialization vulnerabilities.

This is partly due to the ubiquity of Java and the deserialization vulnerabilities in it, according to Trend Micro. Its report also noted that deserialization vulnerabilities in Liferay Portal, Ruby on Rails, and Red Hat JBoss are prominent.

Attackers also exploit broken authentication to gain unauthorized access to systems. The number of command injection hits was another surprise, being higher than Trend Micro’s analysts expected.

Expected Trend

It is no surprise that the majority of these attacks are web-based. Every website is different, written by different developers with different skill sets, observed Shawn Smith, director of infrastructure at nVisium.

“There is a wide range of different frameworks across a multitude of languages with various components that all have their own advantages and drawbacks. Combine this with the fact that not all developers are security gurus, and you’ve got an incredibly alluring target,” he told LinuxInsider.

Web servers are one of the most common services to expose to the internet because most of the world interacts with the internet through websites. There are other areas exposed — like FTP or IRC servers — but the vast majority of the world is using websites as their main contact point to the internet.

“As a result, this is where attackers will focus to get the biggest return on investment for their time spent,” Smith said.

OSS Linked to Supply Chain Attacks

Software supply chains must be secured to deal with the Linux attack landscape as well, noted the Trend Micro report. Attackers can insert malicious code to compromise software components from third-party suppliers. That code then connects to a command-and-control server to download and deploy backdoors and other malicious payloads within the system.

This can lead to remote code execution on an enterprise’s systems and computing resources. Supply chain attacks can also come from misconfigurations, which are the second top incident type in cloud-native environments, according to the Trend Micro report. More than 56 percent of its survey respondents had a misconfiguration or known unpatched vulnerability incident involving their cloud-native applications.
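A defender-side audit of two of the risk factors the report raises, the end-of-life CentOS 7 point releases and an internet-exposed sshd that was never configured correctly, as an added example that is not from the report or this article. It also models a detail the misconfiguration finding often comes down to in practice: sshd honours the first occurrence of a keyword, so hardening lines appended to the end of sshd_config silently do nothing. The EOL set, the hardening policy and the sample host snapshot below are constructed assumptions.

```python
import re
# Assumed EOL set: the CentOS 7.4 through 7.9 point releases the report cites.
EOL_CENTOS_MINORS = set(range(4, 10))
# Assumed hardening policy for an exposed sshd, plus upstream OpenSSH defaults.
SSHD_POLICY = {"permitrootlogin": {"no", "prohibit-password"},
               "passwordauthentication": {"no"}}
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes"}

def centos_is_eol(release_text):
    """Check an /etc/centos-release string against the assumed EOL set."""
    m = re.search(r"release (\d+)\.(\d+)", release_text)
    if not m:
        return False  # unrecognised format: cannot decide, so do not flag
    return int(m.group(1)) == 7 and int(m.group(2)) in EOL_CENTOS_MINORS

def effective_sshd_settings(config_text):
    """Resolve the global section as sshd does: first occurrence of a keyword
    wins, keywords are case-insensitive, and the scan stops at a Match line."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # directives below here are conditional, not global
        if len(parts) == 2 and keyword not in settings:
            settings[keyword] = parts[1].strip().lower()
    return settings

def sshd_findings(config_text):
    """Policy violations as (keyword, effective value), defaults applied."""
    settings = effective_sshd_settings(config_text)
    effective = {k: settings.get(k, SSHD_DEFAULTS[k]) for k in SSHD_POLICY}
    return [(k, v) for k, v in effective.items() if v not in SSHD_POLICY[k]]

# Constructed snapshot: an EOL CentOS host whose admin appended hardened lines
# at the END of sshd_config, which sshd ignores because the first value wins.
SAMPLE_RELEASE = "CentOS Linux release 7.9.2009 (Core)"
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
# appended later; never takes effect:
PermitRootLogin no
"""
```

Running `sshd_findings(SAMPLE_SSHD_CONFIG)` reports both keywords as violations even though the file ends with `PermitRootLogin no`, which is exactly the kind of misconfiguration a review that only greps for the hardened line would miss.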

Hackers are having an easy time. “The major attack types on web-based applications have remained constant over the recent past. That, combined with the rising time-to-fix and declining remediation rates, makes the hackers’ job easier,” said Setu Kulkarni, vice president of strategy at NTT Application Security.

Organizations need to test applications in production, figuring out what their top three-to-five vulnerability types are. Then launch a targeted campaign to address them, rinse, and repeat, he recommended.

The “Linux Threat Report 2021 1H” is available here.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.
