In a previous post we wrote for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), we discussed the rise of Linux-based threats.
This threat landscape is dominated by financially motivated crypto-miners and DDoS botnet tools that target vulnerable Linux servers. Additionally, more sophisticated threats utilizing rare evasion techniques have been observed within the Linux platform, as evidenced by the recent discoveries of HiddenWasp and the QNAPCrypt ransomware campaigns targeting Linux-based NAS servers.
Why Linux?
In the world of antivirus, the focus is primarily on protecting Windows endpoints, given that Windows desktop users make up about 87% of the total desktop market share, compared to the 2% held by Linux desktop users. Some security professionals argue that Linux is the safest and most secure operating system due to the lack of malware targeting Linux end users.
However, it’s important to note that Linux plays a significant role in the web server market share, accounting for about 70%, and is the preferred choice for cloud servers, with Linux powering 90% of all cloud servers. This underscores the importance of considering threats to the Linux platform beyond just desktop usage.
The Predominance of Linux Servers on the Cloud
The rapid growth of cloud-based infrastructure in recent years has solidified Linux as the go-to choice for cloud computing. Linux’s open-source nature makes it cost-effective to develop cloud servers, and its compatibility with modern software development practices further cements its position as the preferred operating system for cloud environments.
Reasons for Low Detection Rates
The shift to cloud-based infrastructure, coupled with a lack of awareness and research into Linux instances and threats, has contributed to low detection rates among security vendors. Key contributing factors include a focus on Windows endpoints, lack of visibility into Linux instances, scarcity of research on Linux malware, and limited mitigation techniques for Linux threats.
The Importance of Code Reuse Detection
In an open-source ecosystem like Linux, adversaries often reuse publicly available code to create new malware. Code reuse detection, known as Genetic Malware Analysis, is crucial for identifying and classifying Linux threats. By analyzing and indexing an attacker’s code, defenders can detect future variants of threats that reuse similar code patterns.
Additional Mitigation Recommendations
In addition to Genetic Malware Analysis, organizations can implement best practices to mitigate threats targeting Linux-based systems, such as keeping systems updated, ensuring signature-based detection solutions are current, securing SSH login with keys, reviewing system files regularly, and disabling root accounts.
Conclusion
As more organizations transition to cloud-based environments, Linux has become a dominant force in cloud computing. Increased awareness and advanced detection mechanisms are essential for protecting Linux-based systems from evolving threats. By applying Genetic Malware Analysis and following mitigation recommendations, organizations can enhance their security posture in the face of emerging Linux threats.
For more information on Linux threats and cybersecurity best practices, check out our webinar replay and other additional resources.
[Author: Intezer]
Intezer’s Autonomous SOC solution handles security operations effectively, allowing organizations to stay ahead of cyber threats.
Next Post: Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns
