Cloud Services / Linux / Security

VMware Finds Linux Malware on the Rise

11 Feb 2022 6:00am, by

Linux is largely secure. Sure, it has security problems like any other operating system, but they tend to get fixed quickly and completely. Unfortunately, if you don’t install Linux correctly on your servers or clouds, while you may not be as vulnerable if you were running Windows XP, you’re still in danger. VMware Threat Analysis Unit (TAU) explores these threats in detail in its new report, Exposing Malware in Linux-based Multi-Cloud Environments.

Let’s start with what we all know. Linux is the top cloud operating system. Linux also powers over 78% of the most popular websites. Hackers aren’t stupid. They know that they can make more bucks from targeting clouds wholesale than going after Windows PCs retail. So, they’re increasingly targeting vulnerable Linux-based systems.

Cracking Clouds

Yes, it’s harder than going after Windows with its zero-day-of-the-month club on PCs, but the crooks can make real money if they can crack a cloud. Typically this is done not from some Mission Impossible cracking tools, but by taking advantage of weak authentication, vulnerabilities, and misconfigurations in container-based infrastructures to infiltrate the environment with remote access tools (RATs).

Once they have a foothold in your target cloud, they’ll usually try to run ransomware or deploy cryptomining components. Again, the name of the game is to make money.

Sophisticated Ransomware Tools

Alas, VMware has found that because we haven’t focused on detecting these threats our existing Linux malware detection and prevention tools aren’t up to the job.

Making our lives more interesting — for a given value of interest — ransomware targeting Linux-based systems is becoming more sophisticated. For example, ransomware targeting Linux has recently evolved to target host images and require dynamic analysis and host monitoring.

It also doesn’t help us that there are no fewer than nine major ransomware families targeting Linux systems. These include a Linux version of REvil; DarkSide; BlackMatter; and Defray777. Several of them are available as Ransomware as a Service for people without much of a technical clue but who want to make some quick cash.

Cryptojackers at Large

The cryptojackers’ cryptocurrency of choice is Monero cryptocurrency (XMR). Eighty-nine percent of Linux cryptominers used XMRig-related libraries. Cyber crooks primarily use two approaches here: Malware with wallet-stealing functionality, sometimes posing as crypto-based apps. Or the ever-popular monetizing stolen CPU cycles to successfully mine cryptocurrencies. There are currently seven significant ransomware families going after Linux. These include XMRig, Sysrv, and Mexalz.

Besides going after Linux, many of these specialize in going after common cloud configurations. For instance, TeamTNT threat actors target open Kubernetes pods and Docker deployments to deploy XMRig cryptominers. To evade detection, it hijacks the library loading mechanism to conceal specific directories in the /proc file system, thus hiding the cryptominer’s processes.

To put malware in place RATs are growing ever more popular. VMware’s research team discovered more than 14,000 active Cobalt Strike team servers on the internet since the end of February 2020. This Red Team software was meant to help you secure your systems, but with 56% of Cobalt Strike servers appearing to be cracked or leaked Cobalt Strike instances, it’s safe to say most of these are being used by crooks looking for vulnerable Linux instances.

What You Can Do

So what can you do about all this? VMware TAU explains you need many bricks in your wall. VMware, of course, recommends its own Endpoint Detection and Response (EDR) solution and Network Detection and Response (NDR). These are good tools, but there are other programs that can help. And of course, simply practicing good Linux and container security is a must.

Whether you use VMware’s programs or not, however, they make one really good point. You must — must — take protecting and securing your Linux servers, whether they’re running on hardware, virtual machines (VMs), or containers seriously. If you don’t, you’ll end up in a world of trouble.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Unit, Docker.

Featured image via Pixabay