At a time when use of
open-source platforms are on the rise,
researchers at Kaspersky have warned that sophisticated hackers and crooks are increasingly targeting Linux-based devices – using tools specifically designed to exploit vulnerabilities in the platform.
While Windows tends to be more frequently targeted in mass malware attacks, this is not always the case when it comes to
advanced persistent threats (APTs),
in which an intruder – often a nation-state or state-sponsored group – establishes a long-term presence on a network.
According to Kaspersky, these attackers are increasingly diversifying their arsenals to contain Linux tools, giving them a broader reach over the systems they can target. Many organisations choose Linux for strategically important servers and systems, and with a “significant trend” towards using Linux as a desktop environment by big business as well as government bodies, attackers are in turn developing more malware for the platform.
“The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception,” said Yury Namestnikov, head of Kaspersky’s global research and analysis team in Russia.
“Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems.”
According to Kaspersky, over a dozen APT actors have been observed to use Linux malware or some Linux-based modules.
Most recently, this has included the LightSpy and
campaigns, both of which targeted both Windows and Linux devices. The LightSpy malware was also found to be capable of targeting iOS and Mac devices.
While targeted attacks on Linux-based systems are still uncommon, a suite of webshells, backdoors, rootkits and custom-made exploits are readily available to those that seek to use them.
Kaspersky also suggested that the small number of recorded attacks was not representative of the danger they posed, pointing out that the compromise of a single Linux server “often leads to significant consequences”, as the malware travelled through the network to endpoints running Windows or macOS, “thus providing wider access for attackers which might go unnoticed”.
Prolific Russian-speaking group Turla, for example, has significantly changed its toolset over the years, including the use of Linux backdoors. According to Kaspersky, a new modification of the Penguin x64 Linux backdoor, reported earlier in 2020, has now affected dozens of servers in Europe and the US.
Another example is Lazarus, a Korean-speaking APT group, which continues to diversify its toolset and develop non-Windows malware. Kaspersky recently reported on the multi-platform framework called MATA and in June 2020, researchers analysed new samples linked to the AppleJeus and TangoDaiwbo campaigns, used in financial and espionage attacks. The samples studied included Linux malware.
A number of measures can be taken to mitigate the risks of Linux systems falling victim to attacks, including straightforward steps like ensuring firewalls are set up properly and unused ports are blocked, automating security updates and using a dedicated security solution with Linux protection.
Organisations should additionally maintain a list of trusted software sources and avoid using unencrypted update channels; use key-based SSH authentication and protect keys with passwords; use two-factor authentication and store sensitive keys on external token devices; and avoid running binaries and scripts from untrusted sources.
“We advise cybersecurity experts to take this trend into account and implement additional measures to protect their servers and workstations,” Namestnikov said.