New research, the Linux Threat Report 2021 1H from Trend Micro, found that Linux operating systems are being targeted – with nearly 13 million detections in the first half of 2021 – as organizations increase their digital footprint in the cloud, and it describes the pervasive threats that make up the Linux threat landscape.

As of 2017, 90% of public cloud workloads ran on Linux. According to Gartner®, “Rising interest in cloud-native architectures is prompting questions about the future need for server virtualization in the data center. The most common driver is Linux-OS-based virtualization, which is the basis for containers.”

The LAMP stack (Linux, Apache, MySQL, PHP) made it inexpensive and easy to create web applications, notes John Bambenek, Threat Intelligence Advisor at Netenrich. Bambenek explains, “In a very real way, it democratized the internet so anyone can set up a web application. The problem with that is that anyone can set up a web app. While we are still waiting for the year of Linux on the Desktop, organizations need to use best practices for their web presences. Typically, this means staying on top of CMS patches/updates and routine scanning with even open-source tools (like the Zed Attack Proxy) to find and remediate SQL injection vulnerabilities.”

Linux allows organizations to make the most of their cloud-based environments and power their digital transformation strategies. Many of today’s most cutting-edge IoT devices and cloud-based applications and technology run on some flavor of Linux, making it a critical area of modern technology to secure.

Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, says, “Like any operating system, security depends entirely on how you use, configure or manage the operating system. Each new Linux update tries to improve security; however, you must enable and configure it correctly to get the value. The state of Linux security today is rather good and has evolved positively with much more visibility and security features built-in. Nevertheless, like many operating systems, you must install, configure and manage it with security in mind, as that is how cybercriminals take advantage: the human touch.”

The report gives valuable insight into how Linux operating systems are being targeted as organizations increase their digital footprint in the cloud, and into the pervasive threats that make up the Linux threat landscape. From the more than 13 million events that Trend Micro flagged, the researchers identified the top 10 malware families and then consolidated them by threat type. They include:

  • 25% Coinminers – The high prevalence of cryptocurrency miners is of little surprise: the seemingly endless amount of computing power the cloud holds is a clear motive, making it the perfect environment for mining.
  • 20% Web shells – The recent Microsoft Exchange attack, which leveraged web shells, showed the importance of patching against this type of malware.
  • 12% Ransomware – The most prevalent family detected was the modern ransomware family DoppelPaymer; other notable ransomware families seen targeting Linux systems include RansomExx, DarkRadiation, and DarkSide.

The report revealed that most detections arose from systems running end-of-life versions of Linux distributions, including 44% from CentOS versions 7.4 to 7.9. In addition, 200 different vulnerabilities were targeted in Linux environments in just six months. This means attacks on Linux are likely taking advantage of outdated software with unpatched vulnerabilities.

“It’s no surprise that the majority of these attacks are web-based — every website is different and written by different developers with different skill sets. There is a wide range of different frameworks across a multitude of languages with various components that all have their advantages and drawbacks. Combine this with the fact that not all developers are security gurus, and you’ve got an incredibly alluring target,” says Shawn Smith, Director of Infrastructure at nVisium. “Web servers are one of the most common services to expose to the internet because most of the world interacts with the internet through websites. There are other areas exposed — like FTP or IRC servers — but the vast majority of the world uses websites as their main contact point to the internet. As a result, this is where attackers will focus on getting the biggest return on investment for their time spent.”

The report also examined web-based attacks that fall within the Open Web Application Security Project (OWASP) Top 10 list, as well as common attacks that are not on the list. The most common OWASP attacks are:

  1. SQL injection: 27%
  2. Command injection: 23%
  3. XSS: 22%
  4. Insecure deserialization: 18%
  5. XML external entity: 6%
  6. Broken authentication: 4%

Hackers have it easy, explains Setu Kulkarni, Vice President, Strategy at NTT Application Security. “The major attack types on Web-based applications have remained constant over the recent past. That, combined with the rising time-to-fix and declining remediation rates, makes the hackers’ job easier. The need of the hour is to focus on testing applications in production, figuring out what your organization’s top 3-5 vulnerability types are, launching a targeted campaign to address these top vulnerabilities, and rinsing and repeating.”