tiero - stock.adobe.com

Linux-based clouds an open door for attackers, says VMware

Its prevalence as a cloud operating system means Linux is becoming a meal ticket for malicious actors, but the security industry does not seem to have cottoned on to this yet, says VMware

With its status as the most common cloud operating system cemented beyond all doubt, Linux has become a core part of organisational digital infrastructure around the world, but it is also opening up new avenues of attack for malicious actors, and the security industry needs to hurry up and get wise to this.

That is according to a newly published report from VMware’s Threat Analysis Unit (TAU) which details how malicious actors are using malware to target Linux-based operating systems. In the report, Exposing malware in Linux-based multicloud environments, it showed how current countermeasures are still heavily focused on addressing Windows-based threats, with the ultimate effect that many public and private cloud deployments are left vulnerable to attacks that would otherwise be easy to stop.

“Cyber criminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximise their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware.

“Rather than infecting an endpoint and then navigating to a higher-value target, cyber criminals have discovered that compromising a single server can deliver the massive payoff and access they’re looking for. Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data.

“Unfortunately, current malwares are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems.”

In compiling its report, the TAU analysed the biggest threats to Linux OSes in multicloud environments – ransomware, cryptominers and remote access tools.

Successful ransomware attacks in cloud environments can be particularly devastating, especially when combined with double- and now triple-extortion techniques, said VMware.

The report revealed evidence of new developments in Linux-based ransomwares, which are now able to target the host images used to spin workloads in virtualised environments. Examples of these include the DarkSide ransomware family and Defray777, which encrypts host images on ESXi servers.

VMware said this was a clear sign that attackers have figured out they need to hit more valuable assets within a cloud environment.

Cryptomining might reasonably be considered a less impactful threat to cloud environments than ransomware, and it is certainly true that it does not completely disrupt cloud environments in the same way – and so can be harder to detect.

This is something malicious actors can use to their advantage, targeting a quick reward with one of two approaches – they will generally either include crypto wallet-stealing functionality in malware, or monetise stolen CPU cycles to mine cryptocurrencies, mostly focused on Monero (XMR).

VMware said 89% of cryptominers use XMRig-related libraries, so if such libraries or modules are identified in Linux binaries, it can generally be taken as evidence that an environment has been hijacked.

Cobalt Strike variants coming to dominate Linux too

The Cobalt Strike penetration testing tool and framework has long been the attacker’s tool of choice when targeting Windows environments, but last year it emerged that a reverse-engineered version – dubbed Vermilion Strike – had been found targeting Linux, and it now appears that here, too, it is becoming a favoured option for malicious actors.

VMware said it found more than 14,000 active Cobalt Strike team servers on the internet between February 2020 and November 2021, with the total percentage of cracked and leaked Cobalt Strike customer IDs standing at 56%, which suggests the majority of Cobalt Strike users are either cyber criminals or using it illicitly.

“Since we conducted our analysis, even more ransomware families were observed gravitating to Linux-based malware, with the potential for additional attacks that could leverage the Log4j vulnerabilities,” said Brian Baskin, manager of threat research at VMware.

“The findings in this report can be used to better understand the nature of Linux-based malware and mitigate the growing threat that ransomware, cryptomining and RATs have on multicloud environments.

“As attacks targeting the cloud continue to evolve, organisations should adopt a zero-trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface.”

Read more on Cloud security