Gone are the days when Linux users presumed Windows as hackers’ primary target. Linux devices are now increasingly seen as another valuable target apart from Windows-based systems. Attackers are developing new techniques to compromise Linux-based distributions running on supercomputers, cloud servers, and numerous IoT devices.
What are the hackers up to?
- By collecting SSH authentication credentials, attackers are searching for Linux systems to drop payloads and even hunt down other threat actors on compromised Linux devices, ensuring that they alone use the entire pool of resources.
- After brute-forcing and deploying malware on breached systems, attackers are adding infected devices to botnets meant for cryptomining and DDoS attacks. Some sophisticated botnets have also been observed using proprietary protocols for C2 communications.
- Botnet operators have created new variants to specifically infect Linux systems with DDoS attacks, including TCP, UDP, and ICMP flood attacks.
When Linux servers were under attack
- Recently, the Lemon_Duck cryptomining malware was seen compromising Linux systems via SSH brute-force attacks. The malware used a port scanning module that searches for internet-connected Linux systems listening on the 22 TCP port utilized for SSH remote login.
- Known for transforming vulnerable Windows systems into Monero cryptomining bots, Lucifer—a hybrid DDoS botnet—is now scanning for Linux systems and infecting them. The new Linux version has modules designed for cryptojacking.
- A sophisticated botnet campaign, FritzFrog, has been discovered attacking Linux servers around the world. FritzFrog’s proprietary and fileless P2P implementation set it apart from other botnets.
- Last month, Drovorub, a new malware was reported targeting Linux systems used by private organizations and government agencies. Deployed by Fancy Bear, a Russian APT group, Drovorub creates a backdoor into targeted networks to exfiltrate sensitive data.
Government agencies keeping pace
The FBI and NSA have advised Linux users to update Linux Kernel version to 3.7 or later, and activate UEFI Secure Boot. The update will allow users to take advantage of kernel signing enforcement, preventing attackers to introduce a malicious kernel module into the system.