What are the threats endangering Linux systems? Security researchers from Trend Micro just released a report focused on the “pressing security issues including malware and vulnerabilities that compromise Linux systems in the first half of 2021.”
Despite being dependable and powerful, Linux is not devoid of flaws, Trend Micro’s Magno Logan and Pawan Kinger said. Like any other operating system, it is susceptible to attacks.
So, what did the Linux threat landscape look like in the first half of 2021?
Most Prevalent Malware Families Targeting Linux Systems
Trend Micro identified and flagged more than 13 million events from their sensors, and outlined 10 malware families. One type of threat stood out – cryptocurrency miners, of which Coinminer.Linux.MALXMR.SMDSL64 and Coinminer.Linux.MALXMR.PUWELQ are the most prevalent families.
“Given that the cloud holds a seemingly endless amount of computing power, hackers have a clear motive in stealing computing resources to run their cryptocurrency mining activities,” the researchers pointed out. It is also noteworthy that cryptominers, or coinminers, have been a threat to container environments for some time.
Another prevalent threat in the Linux threat landscape is ransomware, with DoppelPaymer, the ransomware family known for using double extortion against its victims, being the most common. Other examples include RansomExx, DarkRadiation and DarkSide.
DarkRadiation is ransomware written in Bash that specifically targets Red Hat/CentOS and Debian Linux distributions, according to separate Trend Micro research published in June. Whoever is behind this new ransomware uses “a variety of hacking tools to move laterally on victims’ networks to deploy ransomware,” Trend Micro said. The toolset includes various reconnaissance and spreader scripts, exploits specific to Red Hat and CentOS, and binary injectors, among others. It is noteworthy that most of these tools are barely detected on VirusTotal, and some of the scripts are still under development.
Top Exploited Vulnerabilities in the Linux Environment
To further define the state of Linux security for the first half of 2021, the researchers analyzed IPS (Intrusion Prevention System) hits from Trend Micro Cloud One – Workload Security. More than 50 million events were evaluated.
“It should be noted that there can be a degree of error here due to the nature of the data and internet activity,” the team added.
Here is the list of the top 15 exploited vulnerabilities compiled by the researchers:
- CVE-2017-5638: critical Apache Struts 2 remote code execution (RCE) vulnerability;
- CVE-2017-9805: high-severity Apache Struts 2 REST plugin XStream RCE vulnerability;
- CVE-2018-7600: critical Drupal Core RCE vulnerability;
- CVE-2020-14750: critical Oracle WebLogic Server RCE vulnerability;
- CVE-2020-25213: critical WordPress File Manager (wp-file-manager) plugin RCE vulnerability;
- CVE-2020-17496: critical vBulletin ‘subwidgetConfig’ unauthenticated RCE vulnerability;
- CVE-2020-11651: critical SaltStack Salt authorization weakness vulnerability;
- CVE-2017-12611: critical Apache Struts OGNL expression RCE vulnerability;
- CVE-2017-7657: critical Eclipse Jetty chunk length parsing integer overflow vulnerability;
- CVE-2021-29441: critical Alibaba Nacos AuthFilter authentication bypass vulnerability;
- CVE-2020-14179: medium-severity Atlassian Jira information disclosure vulnerability;
- CVE-2013-4547: Nginx crafted URI string handling access restriction bypass vulnerability;
- CVE-2019-0230: critical Apache Struts 2 RCE vulnerability;
- CVE-2018-11776: medium-severity Apache Struts OGNL expression RCE vulnerability;
- CVE-2020-7961: critical Liferay Portal untrusted deserialization vulnerability.
“Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model,” Trend Micro concluded.