Compared to other operating systems, especially Windows, Linux has for several years been the choice of many companies for their strategically important servers and systems. This is because users consider Linux more reliable and less prone to cyber threats.

However, this reliability holds only against mass malware: Linux servers are no longer reassuring when it comes to Advanced Persistent Threats (APTs). Indeed, Kaspersky researchers have observed a trend in which more and more threat actors are targeting Linux-based devices and, at the same time, developing more Linux-based tools.

Since around 2002, Linux malware or Linux-based modules have been used by many APT actors. These include well-known threat groups such as Barium, Sofacy, Lamberts and Equation, as well as newer groups such as LightSpy from TwoSail Junk and WellMess. The various arsenals and Linux tools available have enabled these threat actors to perform operations more efficiently and on a larger scale.

While large corporations and government agencies in several countries have increasingly adopted Linux as their desktop environment, threat actors have in turn developed malware for this platform. As one of the less popular desktop systems, Linux is generally considered an unlikely target for malware, but this brings additional cybersecurity risks. Although targeted attacks against Linux-based systems are still rare, malware has certainly been developed for them, including webshells, backdoors and rootkits.

Some people are misled by the low number of attacks. In particular, they ignore the fact that attacks on a server running Linux generally have serious consequences: they give attackers access to the infected device and, from there, to endpoints running Windows or macOS. Once these endpoints are reached, the attackers can also gain even broader access to those devices without being noticed.

One example is the Russian-speaking group Turla, known for its covert exfiltration tactics. This group has made significant changes to its tools over the years, one of which is the use of Linux backdoors. According to Kaspersky's report, a brand new modification of the Linux backdoor Penquin_x64, reported in early 2020, infected dozens of servers in Europe and the US; the latest case was reported in July 2020.

In addition to Turla, the APT group Lazarus is also diversifying its tools and developing non-Windows malware. In its Operation AppleJeus and TangoDaiwbo campaigns in June 2020, Lazarus used a cross-platform framework called MATA to carry out both financial attacks and espionage attacks.

"The trend towards improving APT tools has been noted several times in the past by our experts, and Linux-based tools are no exception. To secure their systems, IT and security departments are using Linux more than ever before. Threat actors are responding to this development by developing sophisticated tools that can penetrate these systems. We encourage cybersecurity professionals to be aware of this trend and take additional measures to protect their servers and workstations," said Yury Namestnikov, head of the Global Research and Analysis Team (GReAT) at Kaspersky in Russia.

Kaspersky researchers have recommended a number of measures to reduce the risk of falling victim to a targeted attack on Linux. In particular, users should:

- Keep a list of trusted software sources and avoid using unencrypted update channels.
- Do not run binaries and scripts from untrusted sources.
- Make sure the update process is effective and configure automatic security updates.
- Spend time properly configuring the firewall: ensure network activity is logged, unused ports are blocked, and the network footprint is minimized.
- Use key-based SSH authentication and protect the keys with passphrases.
- Use two-factor authentication (2FA) and store confidential keys on external token devices (e.g. YubiKey).
- Use an out-of-band network tap to independently monitor and analyze the network communication of the Linux systems.
- Maintain the integrity of the system's executable files and periodically review changes to the configuration files.
- Be prepared for physical or insider attacks: use full disk encryption, secure and reliable boot loaders, and place tamper-evident security tape on critical hardware.
- Examine the system and check the logs for signs of an attack.
- Perform penetration tests of the Linux installation.
- Use a dedicated security solution with Linux protection, e.g. Integrated Endpoint Security. Such a solution provides web and network protection to detect phishing, malicious websites and network attacks, as well as device control so that users can set rules for the transfer of data to other devices.
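As an added illustration of the recommendation to maintain the integrity of executables and configuration files (example code written for this page, not from Kaspersky's report): a minimal SHA-256 baseline that records every regular file under the given directories and later reports files that were modified, added or removed. The directories and the baseline path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Kaspersky report. Records "hash  path" lines for
# all regular files under the given directories (e.g. /usr/bin /usr/sbin /etc,
# an assumption) so that later changes can be spotted. Paths containing
# whitespace or newlines are not supported by this simple format.

# make_baseline BASELINE_FILE DIR...
# Writes a sorted list of "sha256  path" lines to BASELINE_FILE.
make_baseline() {
    out="$1"; shift
    find "$@" -type f 2>/dev/null | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$out"
}

# check_baseline BASELINE_FILE DIR...
# Rebuilds the hash list for the same directories and prints one line per
# difference: "MODIFIED path", "ADDED path" or "REMOVED path". Prints nothing
# when the current state matches the baseline.
check_baseline() {
    base="$1"; shift
    cur="$(mktemp)"
    make_baseline "$cur" "$@"
    # Select the baseline by file name rather than NR==FNR so an empty baseline
    # does not make awk treat the current list as the old one.
    awk -v b="$base" '
        FILENAME == b { old[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in old))          print "ADDED " $2
            else if (old[$2] != $1)    print "MODIFIED " $2
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$cur"
    rm -f "$cur"
}

# Typical use (assumed paths):
#   make_baseline /var/lib/integrity.sha256 /usr/bin /usr/sbin /etc
#   check_baseline /var/lib/integrity.sha256 /usr/bin /usr/sbin /etc
```

Keep the baseline file off the host or on read-only media, since an attacker with root access to the server can otherwise rewrite it along with the files it covers; for production use, packaged tools such as AIDE serve the same purpose with more robust storage and path handling.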

Source: Kaspersky

