Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

How Linux Became the New Bullseye for Bad Guys

Organizations need to secure, monitor and manage Linux just like any other endpoint in the network

Organizations need to secure, monitor and manage Linux just like any other endpoint in the network

Cybercriminals haven’t historically paid much attention to Linux systems. In fact, Linux was formerly one of the least attacked platforms in IT, but that’s quickly changed. Today we’re seeing malware designed to attack Linux systems, frequently in the form of executable and linkable format (ELF). Linux is becoming a more popular target for attackers as it operates the back-end systems of many networks and container-based solutions for IoT devices and mission-critical applications.

This is not something CISOs can afford to ignore any longer. Let’s look at current threats and how to address them.

Linux in the crosshairs 

Today, attacks on Linux operating systems and the programs that run on them are almost as common as attacks on Windows operating systems. 

Many firms are used to guarding against Windows-based attacks, but they aren’t used to keeping up with Linux in terms of defense and malware analysis. Worse still, Linux installations frequently contain sensitive information such as certificates, Secure Socket Shell (SSH) credentials, application usernames and passwords. The Linux-based Mirai botnet remains a top threat, as operators often pounce at the opportunity to add newly disclosed vulnerabilities to their exploit toolset. 

The prevalence of devices and applications running on Linux is massive. And there are a lot of different flavors and forms of Linux; therefore, there are different security holes that come up with that. A lot of devices within manufacturing and OT environments run on Linux – which makes this trend particularly worrisome. In fact, Fortinet’s 2021 State of Operational Technology and Cybersecurity report found that 51% of organizations experienced operational technology (OT) attacks that impacted productivity, and 45% experienced OT attacks that endangered an employee’s physical safety. 

Looking at specific Linux threats

In the fourth quarter of 2021, our FortiGuard Labs researchers found that the rate of new Linux malware signatures quadrupled that of the first quarter. In 2021, malware detections of ELF files doubled, indicating that Linux malware is becoming more prevalent in cybercrime.

Vermilion Strike, a malicious implementation of Cobalt Strike’s Beacon function, can target Linux computers with remote access capabilities without being discovered. It’s certain that malware will follow now that Microsoft is aggressively integrating Windows Subsystem for Linux (WSL) into Windows 11. In fact, all the code that’s being written for botnets and for malware can run on new Windows platforms. WSL is a compatibility layer that allows you to run Linux binary executables on Windows natively. Botnet malware is increasingly being created on Linux computers. The current Log4J vulnerability is another example of a recent assault in which Linux binaries have taken advantage of this opportunity.

Tackling the problem

It’s clear that organizations need to secure, monitor and manage Linux just like any other endpoint in the network. Organizations should have advanced and automated endpoint protection, detection and response as well as integrated zero trust network access. It’s important to fight fire with fire – you’ve got to use the same kinds of tools that bad actors are using. 

That means having a security operations center (SOC) perspective and using solution like threat intelligence, SIEM, SOAR, deception technology – these are all tools that help so you don’t have to hire 40 or 50 more people for your SOC. It’s about how you can work together with tools and technology, and to have incident response planning in place. 

Education and awareness a key part of this strategy. Security hygiene should become a primary focus to provide active threat protection for systems that may be affected by low-lying threats. As with personal hygiene, cyber hygiene needs to be performed on a regular basis – not just once in a while or twice a year. With the goal of keeping data safe, security hygiene involves regular back-ups, firewalls, encryption, password management and more. Ongoing employee education is key, as well; make sure staff know about the latest social engineering techniques (especially email) and security best practices.

Covering all the bases

Organizations should make hardening Linux and Windows-based systems a top priority in 2022. And businesses should always prioritize security as they adopt new technology. That means making sure new connections, such as satellite-based communication, are secure before proceeding.

However, you must remember that malicious actors will continue to use tactics that work. You can’t forget about the threats that are currently lurking while preparing for future threats. Safeguarding your networks from both new and current threats necessitates a comprehensive security strategy. Organizations should consider using a security platform built on a cybersecurity mesh architecture with security solutions that work together to combat developing threats, as well as keeping staff current on cyber hygiene and best practices. This holistic approach represents the strongest security posture and best defense against attackers.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...