When it comes to security, some low-level threats can cause big problems. An important example is malware designed to exploit Linux systems, often delivered as Executable and Linkable Format (ELF) binaries. And, as Linux’s footprint continues to expand, so will the attacks against it.
FortiGuard Labs researchers noted a doubling in the occurrence of ELF and other Linux malware detections during 2021, and a fourfold increase in the rate of new Linux malware signatures from the first quarter of last year to the fourth quarter. That’s not exactly a meteoric rise, but it’s not something to ignore either.
The growing threat to Linux
This type of growth and spread in variants suggests that Linux malware is gaining prominence in the arsenal of cyber adversaries. The most common ELF variant is linked to Muhstik, malware that turns infected machines into bots and is known to exploit vulnerabilities to spread. A notable Muhstik exploit involved Atlassian Confluence, a popular web-based corporate team workspace. FortiGuard Labs researchers observed multiple malicious actors targeting this vulnerability, with the goal of downloading a malicious payload that would install a backdoor or miner on a user’s network.
FortiGuard researchers also saw botnet activity related to a new variant of RedXOR, malware that targets Linux systems for data exfiltration (and which jumped onto our top 10 list last October). Meanwhile, a malicious implementation of Cobalt Strike’s Beacon feature called Vermillion Strike targets Linux systems with remote access capabilities. Log4j is another example of an attack in which Linux binaries were used to take advantage of the opportunity to target Linux systems.
As the use and integration of Linux expands, we can expect more attacks to emerge. For example, cyber attackers are likely to see an opportunity in Microsoft’s active integration of the Windows Subsystem for Linux, a compatibility layer used to run Linux binary executables natively on Windows.
Addressing the threat
What does this all mean? For one, it means that Linux’s attack surface has expanded to the network perimeter. Protecting your organization against this new wave of threats requires an integrated approach to security. Point products must be replaced with security appliances designed to operate as a unified solution to consistently protect every user, device, and application with policies that can track data and transactions. This approach also enables centralized management to ensure policies are applied consistently, configurations and updates are delivered quickly, and suspicious events are centrally collected and correlated.
Organizations must act with a sense of urgency to harden their Linux systems and operational technology environments. This includes adding tools designed to protect, detect, and respond to threats in real time, as well as taking a security-first approach before adopting new products and technologies. Additionally, behavioral analytics should be implemented to discover and block attacks during initial reconnaissance and probing efforts.
Linux runs the back-end systems of many network and container-based solutions for Internet of Things devices and mission-critical applications. Until recently, Linux has been largely ignored by cybercriminals, but as Linux’s footprint expands, so will attacks against it. Organizations must act now, before this threat becomes a major problem. Action involves establishing an integrated security approach that extends to the edge of the network for quick and early detection and remediation.