Cloud Hosting

Many organizations choose Linux for strategically important servers and systems, not least because this operating system is thought to be safer and less prone to cyberthreats than the far more popular Windows operating system. While this is the case for mass malware attacks, it is not so clear cut when it comes to advanced persistent threats (APTs).

Kaspersky researchers have identified a trend where more and more threat actors are executing targeted attacks against Linux-based devices while developing more Linux-focused tools.

Over the past eight years, over a dozen APT actors have been observed to use Linux malware or some Linux-based modules. These include such infamous threat groups as Barium, Sofacy, the Lamberts, and Equation, as well as more recent campaigns such as, LightSpy by TwoSail Junk and WellMess. Diversification of their arsenal with Linux tools enables threat actors to conduct operations more effectively and with wider reach.

How to speed up cybersecurity implementation in industrial organizations

Survey says 3-in-10 active online users in SEA dont prioritize internet security

There is a significant trend in many countries toward using Linux as a desktop environment by big enterprise companies, as well as in governmental entities, that pushes threat actors to develop malware for this platform. The myth that Linux, being a less popular operating system, is unlikely to be targeted by malware, invites additional cybersecurity risks.

Malware

While targeted attacks on Linux-based systems are still uncommon, there is certainly malware designed for them including webshells, backdoors, rootkits and even custom-made exploits. The small number of attacks is misleading as the successful compromise of a server running Linux often leads to significant consequences. These include attackers not only being able to access the infected device, but also endpoints running Windows or macOS, thus providing wider access for attackers which might go unnoticed.

Turla, a prolific Russian-speaking group known for its covert exfiltration tactics, has significantly changed its toolset over the years, including the use of Linux backdoors. A new modification of the Penguin_x64 Linux backdoor, reported earlier in 2020, has according to Kasperskys telemetry, infected dozens of servers in Europe and the United States, as recently as July 2020.

Lazarus

Another example is Lazarus, a Korean-speaking APT group, which continues to diversify its toolset and develop non-Windows malware. Kaspersky recently reported on the multi-platform framework called MATA and in June 2020, researchers analyzed new samples linked to the Lazarus Operation AppleJeus and TangoDaiwbo campaigns, used in financial and espionage attacks. The samples studied included Linux malware.

The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception. Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. We advise cybersecurity experts to take this trend into account and implement additional measures to protect their servers and workstations, said Yury Namestnikov, head of Kasperskys Global Research and Analysis Team (GReAT) in Russia.

In order to avoid falling victim to a targeted attack on Linux by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

Related

See the article here:
APT groups actively target Linux-based workstations and servers - Backend News