Linux-based systems targeted with ransomware and cryptojacking

Thanks to its use on many cloud servers, Linux is a core part of the digital infrastructure. It’s not surprising therefore that it’s increasingly being targeted by attacks.

A new report from the Threat Analysis Unit at VMware finds that malware targeting Linux-based operating systems is increasing in both volume and complexity amid a rapidly changing threat landscape.

“Cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible,” says Giovanni Vigna, senior director of threat intelligence at VMware. “Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that compromising a single server can deliver the massive payoff and access they’re looking for. Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data. Unfortunately, current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems.”

Remote access tools are often an attacker’s weapon of choice and one of the primary ones being used is the commercial pen testing tool Cobalt Strike. The report estimates more than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly, with cracked and leaked Cobalt Strike customer IDs running at 56 percent.

Linux-based ransomware is evolving to target the host images used to spin up workloads in virtualized environments. Cryptojacking is also an issue, with cybercriminals either including wallet-stealing functionality in malware or monetizing stolen CPU cycles to mine cryptocurrencies.

“Since we conducted our analysis, even more ransomware families were observed gravitating to Linux-based malware, with the potential for additional attacks that could leverage the Log4j vulnerabilities,” says Brian Baskin, manager of threat research at VMware. “The findings in this report can be used to better understand the nature of Linux-based malware and mitigate the growing threat that ransomware, cryptomining, and RATs have on multi-cloud environments. As attacks targeting the cloud continue to evolve, organizations should adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface.”

You can get the full report from the VMware site.

Image credit: Spectral-Design / Shutterstock

Author: Martha Meyer