Linux is widely considered to be a powerful operating system that is well-known for its flexibility and open-source nature. According to recent statistics, Linux runs on all the Top 500 Supercomputers and over 50% of the top websites used globally. Linux also runs on 82% of the smartphones and 9 of the top 10 cloud providers.
This popularity comes with consequences, however. Linux has attracted a lot of security-related threats and risks since its inception. Additionally, the migration of businesses and enterprises to the cloud has further drawn cybercriminals’ attention to Linux.
In 2021, Cyble Research Labs noticed a spike of 35% in malware targeting Linux-based platforms. We also observed a gradual increase in the number of new Linux malware families as shown below.
The new malware families identified in 2021 include:
- New Linux Ransomware such as Lockbit, Avoslocker, DarkRadiation
- New RAT families: CronRat, SysJoker, etc
Cybercriminals are particularly attracted to Linux-powered IoT devices which are then utilized to conduct future attacks. There are different variations of Linux-based malware such as Ransomware, crypto-miners, botnets, etc. The motivation for such attacks is typically monetary gain, espionage, sabotage, and hacktivism.
Ransomware attacks have a significant impact even amongst other malware variants.
Ransomware targeting Linux
A ransomware strike can have disastrous effects for any victim, including data loss/leak, reputational damage, recovery costs, and substantial downtime due to inaccessible systems and data.
Currently, over 80% of ransomware attacks target Windows systems. Recently, however, we have observed that malicious actors are porting this Windows-based Ransomware to the Linux platform. In the section below, we examine the ransomware that targets Linux.
The Lockbit threat group announced a Linux version of Lockbit 1.0, which targets VMware ESXi, in October 2021. The Hypervisor ESXi allows managing multiple Virtual Machines (VMs), which also helps share resources such as storage networks among these VMs. This attracts potential attackers to encrypt the virtual hard drives of these VMs, potentially disrupting the business.
Lockbit Linux 1.0 uses a combination of Advanced Encryption Standard (AES) and Elliptic Curve Cryptography (ECC) algorithms to encrypt data.
Lockbit Ransomware exfiltrates all files and then encrypts them. The exfiltrated data is then shared in the ransomware group’s forum if the ransom is not paid in the given time.
BlackMatter ransomware group emerged in July 2021, and they target companies across the world. In 2021, the group also released a Linux version of their encryptor, which targets the VMware ESXi servers. BlackMatter Ransomware abuses ESXCLI commands to collect information about the ESXi servers and any VMs running on them.
Avoslocker is another ransomware group that has added support for encrypting Linux systems, specifically ESXi servers. Upon successful infection, the Avoslocker checks for the presence of ESXi-based VMs, Virtual Machine File System (VMFS) files and kills all the virtual machines running in the server.
Figure 2 shows the command used by Avoslocker to kill virtual machines.
REvil Ransomware is a popular ransomware group that has also released Linux versions and actively targets VMware ESXi servers. In REvil’s Linux variant, we noticed that it also targets Network Attached Systems (NAS) devices based on Linux, which allows sharing storage among a network.
DarkRadiation is one of the recent ransomware variants which is developed using Bash scripts. The Ransomware is also found to be using a Telegram API for Command and Control (C&C) communications. This ransomware primarily targets RedHat and Debian-based Linux distributions.
Several ransomware groups such as Babuk, Hive, and HelloKitty have rewritten their encryptors in Golang. We also noticed new ransomware variants being developed using Golang called DECAF. Golang is used to make this ransomware function across multiple platforms.
Ransomware families such as Noberus and BlackCat have released a Rust-based variant. Rust is a programming language that is more efficient than similar programming languages such as C & C++. It also works across different operating systems such as Windows and Linux.
Crypto-miners and Botnets
Cybercriminals use crypto mining-malware (coinminers) to utilize victims’ hardware and resources to mine cryptocurrencies for the TAs. This type of malware can exploit unpatched vulnerabilities, brute-force attacks, etc.
Cybercriminals commonly exploit a vulnerability as the initial vector to gain execution privilege in the publicly available device and spread to other machines in the compromised network.
We also noticed that these malware families utilize phishing emails, USB devices, and brute force as a spreading mechanism.
Cyble Research Labs noticed a spike in coinminer malware since Q4 2021 because of the gradual recovery of Bitcoin and other cryptocurrencies’ valuation, which saw a fall in Q4 2021. We observed this information from our Linux-based sensors deployed globally. The statistics are shown in Figure 3.
Amongst the many observations, we noticed malware performing botnet as well as crypto mining activities. Lemon-Duck is one such example of malware that has both botnet and crypto-mining capabilities. This is a cross-platform malware that targets both Windows and Linux.
In a Linux system, LemonDuck performs brute force attacks on SSH Login enabled Linux systems or exploits a YARN vulnerability with no associated CVE number.
In the event that the attack is successful. The malware downloads and executes shellcode. The shellcode then creates cronjobs to establish persistence, in addition to the mining behavior. LemonDuck also steals credit card details, disables security features, and downloads other malicious payloads such as DoejoCrypt ransomware, etc.
Mirai and other IoT botnets
As the number of IoT household devices grows, so do the number and complexity of the attacks targeting these devices. Mirai botnet was first discovered in 2016, which poses a severe threat to IoT and Linux devices.
Mirai botnet utilizes infected devices to launch DDOS attacks on the operator’s targets. Mirai botnet is also known for exploiting Log4J, CVE-2021-44228, a Remote Code Execution vulnerability, to infect new victims.
We also observed that Mirai utilizes these infected devices to perform click fraud and send spam emails.
Figure 4 depicts the delivery pattern used by Mirai variants to deliver its botnet payload by exploiting the GPON Command Injection vulnerability.
Cyble Research Labs constantly monitors threats by Mirai and other botnets to Linux and IoT devices using our honeypot clusters. The figure below shows recent activity on Mirai.
We also observed threats by other IoT botnets, including Hajime, Mozi, etc.
Mozi is a Peer-to-Peer (P2P) botnet that mainly infects IoT devices to perform DDoS attacks, data exfiltration, and command and payload execution. This malware primarily targets network gateways and Digital Video Recorders (DVRs). By infecting these gateways, the malware performs Man-in-the-Middle (MITM) attacks via DNS spoofing and HTTP hijacking. Mozi exploits weak telnet passwords and unpatched IoT vulnerabilities to infect victim devices.
Hajime is also a P2P botnet that acts as a worm on the infected IoT devices. This malware’s primary targets are internet-connected DVRs, routers, and web cameras. Hajime propagates itself by performing dictionary attacks, exploiting unpatched vulnerabilities etc. Hajime malware communicates with other infected IoT devices through the P2P-based bot network, which is also used to receive commands as instructions.
Hajime’s capabilities include reconnaissance of the victim’s network, posing as legit processes, and restricting the device from rebooting or updating. Â
Remote Access Trojans (RATs)
Several RAT families are well-known for their ability to target the Linux platform specifically. CronRAT is one of the latest among these, with fileless execution capabilities.
The malicious code is encoded and stored in the Linux’s cronjob file with a non-existent date. Based on our findings, the CronRAT family was observed targeting e-commerce sites.
CronRAT injects payment skimmers (aka. Magecart) on the e-commerce website’s service side code to steal financial information. The malware communicates with its C&C server using a custom binary protocol.
SysJoker is the most recent RAT family identified in 2022. This is a cross-platform malware written in C++. The malware sample was found in a Linux server of an educational institution. The SysJoker RAT generally enters the victim’s machine posing as a system update and requires the victim’s interaction to infect the device. Upon successfully infecting the system, it provides advanced backdoor capabilities to the attacker.
SysJoker can communicate with four different C&C servers, which is one of the distinguishing features that separates this RAT from others.
Vulnerabilities
Cyble Research Labs has noticed and reported the increase in the number of vulnerabilities identified and exploited by Threat Actors over the past few years. The figure below shows the trends of vulnerabilities in the Linux platform.
As mentioned before, Mirai botnet variants exploit the latest vulnerabilities, such as Log4J (CVE-2021-44228) and Websvn RCE (CVE-2021-32305. We also observed that the Log4J vulnerability is also used by ransomware such as TellYouThePass Cryptor etc., as the initial vector to infect machines.
IoT-based botnets are very popular for exploiting both old and new vulnerabilities as the first vector to infect the device. We also observed an increase of 40% in IoT vulnerabilities.
We have listed the IoT Vulnerabilities targeted in the wild (based on our sensors)
| CVE | Vulnerability | Affected devices/products |
| CVE-2018-10561 / CVE-2018-10562 | GPON Routers Authentication Bypass and Command Injection vulnerabilities | GPON Routers |
| CVE-2018-20062 | ThinkPHP Remote Code Execution Vulnerability | ThinkPHP Remote Code Execution Vulnerability |
| CVE-2020-10173 | Multiple Authenticated Command injection vulnerability in Comtrend VR-3033 routers | Comtrend VR-3033 Routers |
| CVE-2020-8958 | Guangzhou 1GE ONU V2801RW and OptiLink ONT1GEW GPON RCE via target_addr field in boaform/admin/formPing or boaform/admin/formTracert | Guangzhou 1GE ONU V2801RW and OptiLink ONT1GEW GPON |
| CVE-2021-20090 / CVE-2021-20091 | Path traversal vulnerability and Configuration File Injection | Buffalo Routers, along with other models from multiple vendors |
| CVE-2021-35395 | Realtek AP-Router SDK Vulnerability | Realtek SDK |
| CVE-2021-1498 (exploited by Mirai) | RCE vulnerability in the web-based management interface of Cisco HyperFlex HX | Cisco HyperFlex HX |
| CVE-2021-31755 (exploited by Mirai) | RCE Vulnerability in the firmware of Tenda Router | Tenda Router AC11 |
Conclusion
Linux is a popular operating system for many mission-critical applications. Because of its popularity and broad user base, it is critical to understand the threats affecting the Linux platform to provide adequate defense measures against such cyberattacks.
The data and real-world attack examples highlighted in this article are intended to give the reader a better understanding of the threats that lurk around Linux systems. Since Linux is an integral part of cloud-based infrastructure and IoT, the security of the platform and its workload must be treated on par with Windows and other operating systems.
Recommendations
- Keep the operating system and installed software in the system and server updated
- Conduct regular backup practices and maintain backups offline or in a separate network.
- Use security solutions available for Linux and IoT devices
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Create and save your passwords with password managers.
- Change all internet-connected devices’ default passwords.
