How Linux Became the New Bullseye for Bad Guys

Organizations need to secure, monitor and manage Linux just like any other endpoint in the network

Cybercriminals haven’t historically paid much attention to Linux systems. In fact, Linux was formerly one of the least attacked platforms in IT, but that has changed quickly. Today we're seeing malware designed to attack Linux systems, frequently delivered as Executable and Linkable Format (ELF) binaries. Linux is becoming a more popular target for attackers because it runs the back-end systems of many networks, as well as container-based solutions for IoT devices and mission-critical applications.

This is not something CISOs can afford to ignore any longer. Let’s look at current threats and how to address them.

Linux in the crosshairs

Today, attacks on Linux operating systems and the programs that run on them are almost as common as attacks on Windows operating systems.

Many firms are used to guarding against Windows-based attacks, but they aren't used to keeping up with Linux in terms of defense and malware analysis. Worse still, Linux installations frequently contain sensitive information such as certificates, Secure Shell (SSH) credentials, and application usernames and passwords. The Linux-based Mirai botnet remains a top threat, as its operators often pounce on the opportunity to add newly disclosed vulnerabilities to their exploit toolset.

The prevalence of devices and applications running on Linux is massive, and Linux comes in many different flavors and forms, each with its own security holes. A lot of devices within manufacturing and operational technology (OT) environments run on Linux, which makes this trend particularly worrisome. In fact, Fortinet’s 2021 State of Operational Technology and Cybersecurity report found that 51% of organizations experienced OT attacks that impacted productivity, and 45% experienced OT attacks that endangered an employee’s physical safety.

Looking at specific Linux threats

In the fourth quarter of 2021, our FortiGuard Labs researchers found that the rate of new Linux malware signatures was four times that of the first quarter. In 2021, malware detections of ELF files doubled, indicating that Linux malware is becoming more prevalent in cybercrime.

Vermilion Strike, a malicious implementation of Cobalt Strike's Beacon, can target Linux computers with remote access capabilities while evading detection. It's certain that more malware will follow now that Microsoft is aggressively integrating Windows Subsystem for Linux (WSL) into Windows 11: WSL is a compatibility layer that runs Linux binary executables natively on Windows, so the code being written for Linux botnets and malware can run on the new Windows platform as well. Botnet malware is increasingly being built on Linux computers. The current Log4j vulnerability is another recent example, one in which attackers have seized the opportunity to deploy Linux binaries.
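To make the ELF detection figures concrete from a defender's side, here is an added example (not code from the article, from FortiGuard Labs or from any product it mentions) that reads the identification bytes at the start of an ELF file and flags binaries that appear where a server normally has none. The sample "files", the directory list in SUSPICIOUS_DIRS, the hidden-filename check and the host-architecture comparison are assumptions constructed for this example; on a real host you would point scan_directory at the filesystem instead of the embedded samples.

```python
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# Assumed policy for this example: directories where a server should not
# normally acquire new executables.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ElfSummary:
    bits: int       # 32 or 64
    endian: str     # "little" or "big"
    e_type: str     # REL / EXEC / DYN / CORE
    machine: str    # target architecture


def parse_elf_header(data: bytes) -> Optional[ElfSummary]:
    """Summarise the first 20 bytes of an ELF file, or return None if not ELF.

    Offsets 0-15 are e_ident (magic, class, data encoding, version, OS ABI,
    padding); e_type is at 16 and e_machine at 18. This layout is identical
    for ELF32 and ELF64, so one parser covers both.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # magic present but identification bytes are malformed
    fmt = "<HH" if ei_data == 1 else ">HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return ElfSummary(
        bits=32 if ei_class == 1 else 64,
        endian="little" if ei_data == 1 else "big",
        e_type=E_TYPE.get(e_type, f"unknown({e_type})"),
        machine=E_MACHINE.get(e_machine, f"unknown({e_machine})"),
    )


def triage(files: Dict[str, bytes], host_arch: str = "x86-64") -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every ELF file that looks out of place."""
    findings = []
    for path, data in files.items():
        summary = parse_elf_header(data)
        if summary is None:
            continue
        reasons = []
        if path.startswith(SUSPICIOUS_DIRS):
            reasons.append("ELF in a temporary or world-writable directory")
        if summary.machine != host_arch:
            reasons.append(f"built for {summary.machine}, host is {host_arch}")
        if os.path.basename(path).startswith("."):
            reasons.append("hidden filename")
        if reasons:
            findings.append((path, reasons))
    return findings


def scan_directory(root: str) -> Dict[str, bytes]:
    """Read the first 20 bytes of every regular file below root (real-host use)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(20)
            except OSError:
                continue  # unreadable or vanished; skip it
    return files


def _elf(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a header-only ELF identification block for the constructed samples."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    return ident + struct.pack(endian + "HH", e_type, e_machine)


# Constructed sample "filesystem": path -> first bytes of the file.
SAMPLES = {
    "/usr/bin/ls": _elf(2, 1, 3, 62),     # 64-bit x86-64 shared object, expected
    "/tmp/.x": _elf(2, 1, 2, 62),         # hidden executable dropped in /tmp
    "/dev/shm/node": _elf(1, 1, 2, 40),   # 32-bit ARM binary on an x86-64 host
    "/etc/motd": b"Welcome\n",            # plain text, ignored
}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLES):
        print(path, "->", "; ".join(reasons))
```

The header check is cheap enough to run over a whole filesystem or to attach to file-creation events, which is where this kind of telemetry belongs in an endpoint detection pipeline; what it cannot do is judge a binary's intent, so each finding is a prompt for analysis, not a verdict.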

Tackling the problem

It’s clear that organizations need to secure, monitor and manage Linux just like any other endpoint in the network. Organizations should have advanced and automated endpoint protection, detection and response as well as integrated zero trust network access. It’s important to fight fire with fire – you’ve got to use the same kinds of tools that bad actors are using.

That means having a security operations center (SOC) perspective and using solutions such as threat intelligence, SIEM, SOAR and deception technology – these are all tools that help so you don’t have to hire 40 or 50 more people for your SOC. It’s about how you can work together with tools and technology, and about having incident response planning in place.

Education and awareness are a key part of this strategy. Security hygiene should become a primary focus, providing active threat protection for systems that may be affected by low-profile threats. As with personal hygiene, cyber hygiene needs to be performed on a regular basis – not just once in a while or twice a year. With the goal of keeping data safe, security hygiene involves regular backups, firewalls, encryption, password management and more. Ongoing employee education is key as well; make sure staff know about the latest social engineering techniques (especially email) and security best practices.

Covering all the bases

Organizations should make hardening Linux and Windows-based systems a top priority in 2022. And businesses should always prioritize security as they adopt new technology. That means making sure new connections, such as satellite-based communication, are secure before proceeding.
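As one concrete instance of the hygiene and hardening work described in the last two sections, here is an added example (not the author's, Fortinet's or any product's code) that audits an OpenSSH server configuration against a small hardening policy and reports the effective value of each setting, including sshd's own default when a keyword is absent from the file. The POLICY table, the two configuration fragments and the Finding type are assumptions constructed for this example; the defaults listed are those of current OpenSSH releases.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed hardening policy (modelled on common Linux hardening guidance, not a
# setting taken from the article): keyword -> (allowed values, sshd default).
POLICY: Dict[str, Tuple[Set[str], str]] = {
    "permitrootlogin":        ({"no", "prohibit-password"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "permitemptypasswords":   ({"no"}, "no"),
    "pubkeyauthentication":   ({"yes"}, "yes"),
    "x11forwarding":          ({"no"}, "no"),
    "maxauthtries":           ({"1", "2", "3", "4"}, "6"),
}

# Constructed fragments: a weak configuration and its hardened counterpart.
WEAK_CONFIG = """
# Example sshd_config with several risky settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
"""


@dataclass
class Finding:
    keyword: str
    effective: str
    source: str    # "config" if set in the file, "default" if sshd's default applies
    allowed: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> value for the global section of an sshd_config.

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored here as they are by the daemon. Keywords may be separated from
    their value by whitespace or a single '='. Match blocks apply only to
    matching connections, so parsing stops at the first one (a simplification
    for this example).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text: str) -> List[Finding]:
    """Compare the effective value of each policy keyword with the allowed set."""
    settings = parse_sshd_config(text)
    findings: List[Finding] = []
    for key, (allowed, default) in POLICY.items():
        if key in settings:
            value, source = settings[key].lower(), "config"
        else:
            value, source = default, "default"
        if value not in allowed:
            findings.append(Finding(key, value, source, " or ".join(sorted(allowed))))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  {f.keyword} = {f.effective} ({f.source}); expected {f.allowed}")
```

Reporting the source of each value matters in practice: an absent MaxAuthTries line is not "fine", it silently means sshd's default of 6, and a check that only inspects lines present in the file would miss it. To run the audit on a live host, read /etc/ssh/sshd_config and pass its contents to audit(); note that the parser ignores Include directives, so files pulled in that way must be audited separately.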

However, you must remember that malicious actors will continue to use tactics that work. You can't forget about the threats that are currently lurking while preparing for future threats. Safeguarding your networks from both new and current threats necessitates a comprehensive security strategy. Organizations should consider using a security platform built on a cybersecurity mesh architecture with security solutions that work together to combat emerging threats, as well as keeping staff current on cyber hygiene and best practices. This holistic approach represents the strongest security posture and best defense against attackers.

Derek Manky is Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cybersecurity experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.