Hackers target outdated versions of Linux in the cloud

Coinminers, web shells and ransomware, top malware aiming at Linux, report finds

Hackers are targeting old versions of Linux running in the cloud to take advantage of outdated software with unpatched vulnerabilities.

According to Trend Micro’s Linux Threat Report 2021 1H: Pervasive Security Issues in the Cloud, the cyber security firm detected over 15 million attacks in the first six months of 2021. The firm said that detections arose from systems running end-of-life versions of Linux distributions. Forty-four percent of the detections were from RHEL 7.8, followed by CentOS 6.4, which had almost 17% of the detections, and RHEL 7.7 with more than 10%.

The research looked at the top malware families affecting Linux servers during that six-month period. Web shells made up 29.61% of detections on Linux servers, with coinminers close behind at 29.45%, ransomware at 17.17%, and PHP trojans at 14.34%.

Researchers singled out the high prevalence of web shells as a notable finding. The most detected web shell families were Backdoor.PHP.WEBSHELL.SBJKRW and Backdoor.PHP.WEBSHELL.SMMR, while among cryptocurrency miners Coinminer.Linux.MALXMR.SMDSL64 and Coinminer.Linux.MALXMR.PUWELQ were the most prevalent families.

“Given that the cloud holds a seemingly endless amount of computing power, hackers have a clear motive in stealing computing resources to run their cryptocurrency mining activities. It’s also important to note that cryptocurrency miners have been plaguing container environments in recent years,” said researchers.


Researchers also saw ransomware as a prevalent Linux threat, with DoppelPaymer — a modern ransomware family that used double-extortion tactics — being the most prevalent family based on the company’s data. Researchers also saw other ransomware variants targeting Linux systems, such as RansomExx, DarkRadiation, and even DarkSide.

Even though an estimated 20,000 vulnerabilities were reported in 2020 alone — many of which affect Linux or the Linux application stack — the report found that only around 200 of them had publicly known exploits and were observed being used in attacks. Prioritizing patches for these vulnerabilities should be baked into any organization's security practices, according to researchers.

“The applications affected by these 200 vulnerabilities have a few clear targets, including WordPress or Apache Struts, but services such as Atlassian JIRA, dnsmasq, and Alibaba Nacos aren't the first ones a security expert would automatically assume to be in attackers’ crosshairs,” researchers said.
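The report's advice to patch the vulnerabilities with known exploits first is easy to state but easy to lose when a scanner simply sorts by CVSS score. The Python below is an added example, not code from this article or from Trend Micro: it ranks scanner findings by exploit availability and internet exposure before falling back to CVSS, and contrasts that with a CVSS-only ordering. The CVE-style identifiers, package names, scores and the "known exploited" set are all constructed placeholders, not real vulnerabilities.

```python
"""Patch-prioritization triage: rank scanner findings so that vulnerabilities
with publicly known exploits are patched first, ahead of higher-CVSS findings
that have no known exploit.  Added example code; the identifiers and scores
below are constructed placeholders, not real CVEs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str            # constructed placeholder, not a real CVE identifier
    package: str           # affected component (assumed scanner field)
    cvss: float            # CVSS base score, 0.0-10.0
    internet_facing: bool  # whether the host/service is reachable from the internet


# Constructed sample scanner output (not data from the report).
FINDINGS = [
    Finding("CVE-XXXX-0001", "wordpress-plugin", 7.5, internet_facing=True),
    Finding("CVE-XXXX-0002", "apache-struts", 9.8, internet_facing=True),
    Finding("CVE-XXXX-0003", "glibc", 9.8, internet_facing=False),
    Finding("CVE-XXXX-0004", "dnsmasq", 8.1, internet_facing=False),
    Finding("CVE-XXXX-0005", "vim", 5.3, internet_facing=False),
]

# Constructed stand-in for a feed of vulnerabilities with publicly known
# exploits (the kind of list behind the report's "200 exploited" figure).
KNOWN_EXPLOITED = {"CVE-XXXX-0001", "CVE-XXXX-0002", "CVE-XXXX-0004"}


def triage_tier(finding: Finding, known_exploited: set) -> int:
    """Coarse tier that dominates the ordering: exploit availability first,
    then exposure.  3 = exploit known and internet-facing, 2 = exploit known,
    1 = internet-facing only, 0 = neither."""
    exploited = finding.cve_id in known_exploited
    if exploited and finding.internet_facing:
        return 3
    if exploited:
        return 2
    if finding.internet_facing:
        return 1
    return 0


def prioritize(findings, known_exploited):
    """Sort by tier, then by CVSS within a tier (both descending)."""
    return sorted(
        findings,
        key=lambda f: (triage_tier(f, known_exploited), f.cvss),
        reverse=True,
    )


def patch_order(findings, known_exploited):
    """Return the CVE identifiers in the order they should be patched."""
    return [f.cve_id for f in prioritize(findings, known_exploited)]


def cvss_only_order(findings):
    """Naive ordering by CVSS alone, kept for comparison: a 9.8 with no
    known exploit outranks a 7.5 that is actively exploited."""
    return [f.cve_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    print("exploit-aware:", patch_order(FINDINGS, KNOWN_EXPLOITED))
    print("cvss-only:    ", cvss_only_order(FINDINGS))
```

With the constructed data, the exploit-aware ordering puts the internet-facing Struts and WordPress findings first and the unexploited glibc finding fourth, whereas the CVSS-only list places glibc second, ahead of two findings that attackers are known to use. In practice the `KNOWN_EXPLOITED` set would be fed from an exploit-intelligence source and `internet_facing` from asset inventory; the ranking logic itself does not change.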

Researchers said malicious actors will look for every opportunity to compromise the platform for financial gain, whether by developing and launching malware, exploiting vulnerabilities, or taking advantage of misconfigurations.

“Keeping Linux, the bedrock of critical systems and services, protected against threats can be achieved using a multilayered security approach: maximizing built-in tools and trusted commercial or free third-party security controls,” they added.
