In a guest blog post, VB2019 Silver partner Intezer outlines the importance of paying more attention to Linux threats.
  
 
In a previous blog post written for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), we discussed the emergence of Linux-based threats.

This threat ecosystem is heavily concentrated with financially driven cryptominers and DDoS botnet tools which primarily target vulnerable Linux servers. In addition, more sophisticated threats utilizing rare evasion techniques exist within the Linux platform, evidenced by the recent discoveries of HiddenWasp and the QNAPCrypt ransomware campaigns targeting Linux-based file storage systems (NAS servers).
 
Why Linux?

In the anti-virus industry, a large emphasis is placed on protecting Windows endpoints, and rightfully so — Windows desktop users comprise approximately 87% of the total desktop market share, in comparison to the 2% market share held by Linux desktop users. Because of this disparity, and the fact that we rarely see malware targeting Linux end-users, some security professionals argue that Linux is the safest and most secure operating system.
 
However, when discussing threats to the Linux platform, we must understand that Linux desktop usage is a very small piece of the puzzle. Linux makes up about 70% of the web server market share, and according to CBT Nuggets, 90% of all cloud servers. In a 2018 article, ZDNet reported that Linux is the most popular operating system on Microsoft's Azure Cloud.
 
The predominance of Linux servers on the cloud

In recent years, there has been rapid growth in modern, cloud-based infrastructure. Linux has emerged as the predominant choice for cloud computing for two reasons:

- Servers in the cloud are cheaper to develop with Linux. Linux is an open-source ecosystem, which means it can be downloaded for free. A developer that wants to create a Windows-based cloud server has to purchase a licence from Microsoft.
- Linux is more convenient for developers. Many best practices in software development today, such as containers and other new technologies, are designed to work on the Linux operating system.

Reasons for low detection rates

The quick migration to the cloud, coupled with a lack of awareness of Linux instances and the threats that target these systems, has contributed to the low detection rates seen across the vast majority of security vendors.
 
  Other contributing factors include:
 
- Focus on Windows endpoints. In general, there are not many Linux protection systems, and as a result the evasion techniques used by Linux malware are rudimentary in nature. The majority of security solutions are focused on protecting Windows environments, first because Windows holds the majority of the desktop market share, and second because the cloud is a relatively new development. In addition, security vendors try to adapt their Windows tools to fit the Linux platform, but Linux is very different. As a result, these solutions are not as effective at detecting threats as they are in the Windows domain. Organizations require a tailored solution for Linux, not an adapted Windows technology.
- Lack of visibility. There is a lack of visibility into Linux instances, which makes gathering information about Linux malware more difficult.
- Lack of research. A lack of visibility leads to a lack of research being published about Linux malware, meaning we don't know enough about the threats that reside in the Linux ecosystem. More importantly, we don't know how to mitigate them properly.
- Lack of techniques. The lack of visibility and research into Linux threats contributes to a lack of mitigation techniques being developed. Since there is not enough research being published about Linux malware, we lack critical data such as IOCs which can enable us as defenders to better understand, investigate, and tailor our response to Linux threats.
  
Big picture. For enterprises that host their data on the cloud, there is a strong possibility that they are using a Linux server. Without proper detection and response mechanisms in place, organizations' cloud infrastructures can be exposed, making them more vulnerable to data breaches.
 
The importance of code reuse detection

In an open-source ecosystem like Linux, there are large amounts of publicly available code that can quickly be copied and reused by adversaries in order to produce their own malware. In the case of HiddenWasp, the authors behind the malware reused large portions of code from open-source Mirai and the Azazel rootkit. While Mirai is not highly complex malware, its code was leaked in 2016, and we often see the code being reused by attackers to deploy their own instances of Mirai, especially within the Linux platform.
 
In the world of software development, developers are incentivized to reuse code. Reusing code brings tools to market faster. The same principle applies to malware authors. Especially on the Linux platform, where detection rates have been consistently low, attackers have become less concerned about implementing extensive evasion techniques. Even when the attackers reuse large amounts of code, threats have managed to stay relatively undetected.
 
The majority of cyber attacks, whether they are targeting Linux or Windows systems, contain code from previous threats. As defenders of these environments, it's critical to analyse the binary code that is being used in these attacks. By identifying and then indexing an attacker's code, defenders can detect any future variant of the threat that uses even the smallest amounts of the same code.
 
This code reuse detection approach, which we call 'genetic malware analysis', is particularly relevant for detecting and classifying Linux threats, because, as we have seen in the cases of HiddenWasp and Mirai, Linux malware authors will reuse code.
 
In another example, an Intezer Analyze community user recently detected a GonnaCry ransomware sample. GonnaCry is an open-source ransomware designed for the Linux platform. GonnaCry's source code is downloaded from GitHub and utilized by attackers to infect vulnerable Linux endpoints by encrypting their file systems. At the time of detection, this sample had 0/55 detections in VirusTotal. However, the sample was immediately flagged in our system because it shared 453 genes, or over 47% of its code, with previous instances of the GonnaCry ransomware.
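
As an added illustration of the indexing idea described above (example code written for this page, not Intezer's implementation), the toy below treats hashed byte windows as 'genes', drops genes that also occur in trusted library code so that shared runtime does not inflate every match, and reports how many of a new sample's genes were already seen in known families. The byte strings are constructed stand-ins for real binaries; a production engine would derive genes from disassembled functions rather than raw bytes.

```python
import hashlib
from collections import defaultdict

GENE_LEN = 4  # bytes per gene window; toy value chosen so the overlap below is easy to count

def extract_genes(code: bytes, n: int = GENE_LEN) -> set:
    """Hash every n-byte sliding window of a code buffer; each hash is a 'gene'.
    Real engines derive genes from disassembled functions, so byte windows are a stand-in."""
    return {hashlib.sha256(code[i:i + n]).hexdigest() for i in range(len(code) - n + 1)}

class GeneIndex:
    def __init__(self, trusted_code):
        # Genes also present in trusted code (e.g. a statically linked libc) are
        # excluded: shared by everything, they would inflate every match.
        self.trusted = set().union(*(extract_genes(b) for b in trusted_code))
        self.gene_families = defaultdict(set)  # gene -> families seen using it

    def index(self, family: str, code: bytes) -> None:
        for gene in extract_genes(code) - self.trusted:
            self.gene_families[gene].add(family)

    def classify(self, code: bytes):
        """Return (best matching family or None, shared genes, total non-trusted genes)."""
        genes = extract_genes(code) - self.trusted
        hits = defaultdict(int)
        for gene in genes:
            for family in self.gene_families.get(gene, ()):
                hits[family] += 1
        if not hits:
            return None, 0, len(genes)
        best = max(hits, key=hits.get)
        return best, hits[best], len(genes)

# Constructed stand-ins (not real binaries): distinct letter runs keep every window unique.
LIBC_STUB = b"LLLLMMMMNNNNOOOO"      # 'trusted' library code linked into every sample
MIRAI_CORE = b"AAAABBBBCCCCDDDD"     # block reused across one family
GONNACRY_CORE = b"EEEEFFFFGGGGHHHH"  # block reused across another

INDEX = GeneIndex(trusted_code=[LIBC_STUB])
INDEX.index("mirai-variant", LIBC_STUB + MIRAI_CORE + b"1111222233334444")
INDEX.index("gonnacry", LIBC_STUB + GONNACRY_CORE + b"5555666677778888")

def classify_demo(sample: bytes):
    return INDEX.classify(sample)

if __name__ == "__main__":
    # A never-seen build: same reused core, everything else rewritten.
    family, shared, total = classify_demo(LIBC_STUB + MIRAI_CORE + b"wwwwxxxxyyyyzzzz")
    print(f"{family}: {shared}/{total} genes shared ({100 * shared // total}%)")  # 16/32, 50%
```

Without the trusted-code filter the same sample would report 29 of 45 genes shared, most of them library code, which is why a benign corpus belongs in any such index.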
 
  
 
Additional mitigation recommendations

In addition to adopting a genetic malware analysis approach, organizations can implement the following security best practices in order to mitigate the cyber threats targeting Linux-based systems:
 
- Keep your systems patched and updated across all Linux servers and devices.
- Ensure signature-based detection solutions are updated, in order to keep up with the different, evolving threats.
- Secure SSH login with a key. The victims of the QNAPCrypt ransomware campaigns were compromised by brute force techniques. For remote administration over SSH, remove the option to log in with a password; otherwise you could be the victim of a brute force attack. It's much safer to log in with an SSH key.
- Perform a routine review of important system files. It's important to remember that, once installed on a server or device, malware will likely attempt to achieve persistence. On Linux servers especially, it's crucial to look for suspicious cron jobs and SysV or systemd initialization scripts and services.
- Disable root accounts. The root account has access to all files and commands on a Linux system, with full read, write and execute permissions. Errors by the root user can have critical implications for the normal operation of a system. This article from TecMint explains four ways to disable the root account in Linux.
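An added example (not from the original post or from Intezer) that checks an sshd_config against the SSH-key and root recommendations above, resolving settings the way sshd does: keywords are case-insensitive, the first occurrence of a keyword wins, and anything from the first Match block onwards is conditional rather than global. The sample configuration is constructed.

```python
import re

# Compiled-in defaults used when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # deprecated spelling

def effective_settings(config_text: str) -> dict:
    """Resolve the global section the way sshd does: keywords are case-insensitive, the
    FIRST occurrence wins, and lines from the first 'Match' block onwards apply only
    conditionally, so they are left out of the global view."""
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in settings and key not in seen:
            settings[key] = parts[1].strip().lower() if len(parts) > 1 else ""
            seen.add(key)
    return settings

def audit(config_text: str) -> list:
    """Return findings against the recommendations above (an empty list means clean)."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password brute force remains possible")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for a password")
    if s["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is '{s['permitrootlogin']}': root can still log in over SSH")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled: key-based login will not work")
    return findings

# Constructed sample configurations, not taken from any real host.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # no effect: sshd keeps the first value it saw
Match User deploy
    PasswordAuthentication no
"""
HARDENED_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"
```

Running `audit(WEAK_CONFIG)` yields three findings while `audit(HARDENED_CONFIG)` yields none; the duplicate `PasswordAuthentication no` in the weak file is exactly the kind of line that looks like a fix but changes nothing.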
Conclusion

The world of IT is changing quickly as more organizations host their data and files on the cloud. Linux, in particular, has emerged as the popular choice for cloud servers, even among Microsoft cloud computing services. Since Linux comprises nearly 90% of the cloud server market share, the majority of enterprises that host their data on the cloud are likely operating from a Linux server.
 
While the majority of security solutions are focused on detecting threats residing in Windows, particularly on Windows desktops, a greater emphasis needs to be placed on spreading awareness of Linux machines and threats. As defenders, we lack the research and critical IOCs that would help us to better comprehend, detect and respond to Linux threats, more consistently and on a greater scale.
 
As evidenced by the recent discoveries of HiddenWasp and QNAPCrypt, with improved visibility and detection rates we can expect to see new and advanced malware being created to target the Linux platform. However, we must also remember that Linux is an open-source ecosystem, where attackers will continue to reuse publicly available code to deploy new instances of malware. This is what makes indexing code seen in previous attacks so important for detecting future Linux threats.
 
By applying a genetic malware analysis approach, and adhering to the mitigation recommendations outlined in this blog, users of Linux-based systems — particularly organizations hosting their data on Linux cloud servers — can better protect themselves from the threats posed by this emerging landscape.
 
Additional Resources:

- Webinar replay: For more info on the types of threats you might find in the Linux threat landscape, watch the recording of our webinar:
- EvilGnome: Rare Malware Spying on Linux Desktop Users: Intezer researcher Paul Litvak recently identified a backdoor implant spying on Linux desktop users. This discovery is interesting in that Linux desktop makes up only about 2% of the total desktop market share. More notably, the toolset belongs to an alleged Russian APT, known as Gamaredon Group. EvilGnome uses functionalities rarely seen in Linux malware, such as taking desktop screenshots, stealing files, and capturing audio recordings from the user's microphone.
- Detect Linux and Windows threats: Take advantage of the free Intezer Analyze community edition. Thousands of users leverage our community version to detect and classify advanced cyber threats. Sign up at: https://analyze.intezer.com
 