Don’t get too excited by that headline. If you’ve ever been a system administrator, you can probably guess what this problem is. But just because it’s a commonplace mistake doesn’t mean lots of people are learning from it.
First, no, the biggest problem isn’t stupid passwords. That’s way the heck up there, but this is even more fundamental than that. Trend Micro found in its Linux Threat Report 2021 1H, based on its Smart Protection Network’s data, that the number one problem with a bullet is companies using out-of-date, unsupported operating systems and programs.
The top problem-child operating systems, with 44% of security breach detections, are the CentOS Linux 7.4 to 7.9 distros. Guess what! CentOS 7 was first released in June 2014, and it dropped out of full support in August 2019. If you’re still running CentOS 7 in production, your cloud images deserve everything that happens to them, and you deserve a visit to the unemployment office.
Sorry, but I have no patience for this. Time after time, major “Linux” or “open source software” security holes are compromised. Perhaps the biggest example of this was when Equifax blamed Apache Struts for losing 143-million U.S. citizen credit records. No. Wrong. That’s not what happened. What actually happened was the morons in charge of “security” had not patched a critical bug for six months.
Guess what? Trend Micro has found that we’re still making this fundamental mistake ad nauseam. It’s not a matter of when your cloud-based sites and services are going to be breached, it’s when. And, in many cases, it’s when you’re going to realize that you’ve already been compromised for months, possibly years.
Patch Fast, or Pay Later
When the attackers come to close in on your clouds, servers, VMs, and containers in their millions — yes, millions, I note my own cloud servers have fended off a few hundred attacks today — they look for pre-existing problems you haven’t patched yet.
Drilling down deeper, the Trend Micro report found the top 15 vulnerabilities. All but one has been patched for at least a year. Would you care what’s the most attacked security hole of all? I’ll give you a hint. I’ve already mentioned it.
Yes, it’s Apache Struts CVE-2017-5638, with a top Common Vulnerability Scoring System rating of 10. A ranking it has held, I may mention, since it was fixed in 2017!
If you’re still running CentOS 7 in production, your cloud images deserve everything that happens to them, and you deserve a visit to the unemployment office.
There are times I just want to smack some IT staffers. Clearly, this is not people doing security badly. It’s people not doing security at all.
Although most headlines on this report have emphasized the sheer number of attacks made on Linux, this is not — I repeat — not an indictment of Linux’s poor security. It shows just how awful people are at running Linux. Or, for that matter, any other operating system.
Top 5 Attackers
And what do you get when the attackers come to call? The top five are:
Chart via Trend Micro, Linux Threat Report 2021, 1H.
Coin miners are always going to be popular. In the 1930s, famous bank robber Willie Sutton explained why he robbed banks: “Because that’s where the money is.” Today, the crypto-money is in unprotected clouds.
Generally speaking, 76% of attacks are going to be pointing at your web-based services. So, WordPress, for example, with its own complex software ecosystem, is a frequent target.
Of these, Trend Micro sees injection flaws and cross-scripting attacks are as popular as ever. In particular, there are many insecure deserialization vulnerabilities, which are being abused. This is partly due to the ubiquity of Java and its deserialization vulnerabilities, but it’s not just Java. Liferay Portal, Ruby on Rails, and Red Hat JBoss all have their share of deserialization vulnerabilities. The name of the game here is to seize the goose that lays the golden eggs: Full access to your systems using broken authentication.
But while Trend Micro’s report goes into detail about the various attacks out there, the bottom line is you can make your clouds a lot safer if you just keep your operating system up to date. That’s it. That’s all. It’s that easy.
Pair that with making certain you keep any popular application software stacks you’re using — such as WordPress, Apache Struts, Atlassian JIRA, dnsmasq, and Alibaba Nacos — patched and you’ll be much safer than your competitors. Come on, you can do it! Go for it! Patch! Patch! Patch! Win! Win! Win!
The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: MADE, Famous.
Red Hat OpenShift is a sponsor of The New Stack.