Why we Should be Paying More Attention to Linux Threats

In a previous post we wrote for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), we discussed the emergence of Linux-based threats.

This threat ecosystem is heavily concentrated with financial driven crypto-miners and DDoS botnet tools which primarily target vulnerable Linux servers. In addition, more sophisticated threats utilizing rare evasion techniques exist within the Linux platform, evidenced by the recent discoveries of HiddenWasp, and the QNAPCrypt ransomware campaigns targeting Linux-based file storage systems (NAS servers).

Why Linux?
In the anti-virus industry, a large emphasis is placed on protecting Windows endpoints, and rightfully so—Windows desktop users comprise approximately 87% of the total desktop market share, in comparison to the 2% market share held by Linux desktop users. Because of this disparity, and the fact that we rarely see malware targeting Linux end users, some security professionals argue that Linux is the safest and most secure operating system.

However, when discussing threats to the Linux platform, we must understand that Linux desktop usage is a very small piece to the puzzle. Linux makes up about 70% of the web server market share, and according to CBT Nuggets, 90% of all cloud servers. In a 2018 article, ZDNet reported that Linux is the most popular operating system on Microsoft’s Azure Cloud.

The Predominance of Linux Servers on the Cloud
In recent years, there has been a rapid growth in modern, cloud-based infrastructure. Linux has emerged as the predominant choice for cloud computing for two reasons:

1. Servers in the cloud are cheaper to develop through Linux. Linux is an open-source ecosystem, which means it can be downloaded for free. A developer that wants to create a Windows-based cloud server has to purchase a license from Microsoft.
2. Linux is more convenient for developers. Many best practices in software development today, such as creating containers and new technology, are designed to work on the Linux operating system.

Reasons for Low Detection Rates
The quick migration to the cloud, coupled with a lack of awareness into Linux instances and the threats that target these systems, have contributed to the low detection rates seen in the vast majority of security vendors.

Other contributing factors include:

• Focus on Windows endpoints. In general, there are not many Linux protection systems, and as a result the evasion techniques are rudimentary in nature. The majority of security solutions are focused on protecting Windows environments—1) because Windows holds the majority of the desktop market share, and 2) since the cloud is a relatively new development. In addition, security vendors try to adapt their Windows tools to fit the Linux platform, but Linux is very different. As a result, these solutions are not as effective at detecting threats as they are in the Windows domain. Organizations require a tailored solution for Linux, not an adapted Windows technology.
• Lack of visibility. There is a lack of visibility into Linux instances, which makes gathering information about Linux malware more difficult.
• Lack of research. A lack of visibility leads to a lack of research being published about Linux malware, meaning we don’t know enough about the threats that reside in the Linux ecosystem. More importantly, we don’t know how to properly mitigate them.
• Lack of techniques. The lack of visibility and research into Linux threats contributes to a lack of mitigation techniques being developed. Since there is not enough research being published about Linux malware, we lack critical data such as IOCs which can enable us as defenders to better understand, investigate, and tailor our response to Linux threats.

Big picture. For enterprises that host their data on the cloud, there is a strong possibility that they are using a Linux server. Without proper detection and response mechanisms in place, organizations’ cloud infrastructures can be exposed, making them more vulnerable to data breaches.

The Importance of Code Reuse Detection
In an open-source ecosystem like Linux, there are large amounts of publicly available code that can be quickly copied and reused by adversaries in order to produce their own malware. In the case of HiddenWasp, the authors behind the malware reused large portions of code from open-source Mirai and the Azazel rootkit. While Mirai is not a highly complex malware, its code was previously leaked in 2016, and we often see the code being reused by attackers to deploy their own instances of Mirai, especially within the Linux platform.

In the world of software development, developers are incentivized to reuse code. Reusing code brings tools to market faster. The same principle applies to malware authors. Especially on the Linux platform, where detection rates have been consistently low, attackers have become less concerned about implementing excessive evasion techniques. Even when the attackers reuse extensive amounts of code, threats have relatively managed to stay undetected.

The majority of cyber attacks, whether they are targeting Linux or Windows systems, contain code from previous threats. As defenders of these environments, it’s critical to analyze the binary code that is being used in these attacks. By identifying and then indexing an attacker’s code, defenders can detect any future variant of the threat that uses even the smallest amounts of the same code.

This code reuse detection approach, which we call GeneticMalware Analysis, is particularly relevant for detecting and classifying Linux threats, because as we saw in the case of HiddenWasp and Mirai, Linux malware authors will reuse code.

In another example, an Intezer Analyze community user recently detected a GonnaCry ransomware sample. GonnaCry is an open-source ransomware designed for the Linux platform. GonnaCry’s source code is downloaded from GitHub and utilized by attackers to infect vulnerable Linux endpoints, by encrypting their file systems. At the time of detection, this sample had 0/55 detections in VirusTotal. However, the sample was immediately flagged in our system because it shared 453 genes, or over 47% of its code, with previous instances of the GonnaCry ransomware.

Additional Mitigation Recommendations
In addition to adopting a Genetic Malware Analysis approach, organizations can implement the following security best practices in order to mitigate the cyber threats targeting Linux-based systems:

1. Keep your systems patched and updated across all Linux servers and devices.
2. Ensure signature-based detection solutions are updated, in order to keep up with the different, evolving threats.
3. Secure SSH login with a key. The victims of the QNAPCrypt ransomware campaigns were compromised by brute force techniques. For remote control standpoint with SSH login, remove the option to login with credentials—otherwise you could be the victim of a brute force attack. It’s much safer to login via an SSH key.
4. Perform a routine review of important system files. It’s important to remember that once installed on a server or device, malware will likely attempt to achieve persistence. In Linux servers especially, it’s crucial to look at the different suspicious cron jobs or systemV, systemd initizliation scripts and services.
5. Disable root accounts. The root account has access to all files and commands on a Linux system, with full read, write and execute permissions. Errors by the root user can have critical implications on the normal operation of a system. This article from TecMint explains four ways to disable the root account in Linux.

Conclusion
The world of IT is quickly changing as more organizations host their data and files on the cloud. Linux, in particular, has emerged as the popular choice for cloud servers, even among Microsoft cloud computing services. Since Linux comprises nearly 90% of the cloud server market share, the majority of enterprises that host their data on the cloud are likely operating from a Linux server.

While the majority of security solutions are focused on detecting threats residing in Windows, particularly on Windows desktops, a greater emphasis needs to be placed on spreading awareness about Linux machines and threats. As defenders, we lack research and critical IOCs that can help us to better comprehend, detect and respond to Linux threats, more consistently, and on a greater scale.

As evidenced by the recent discoveries of HiddenWasp and QNAPCrypt, with improved visibility and detection rates we can expect to see new and advanced malware being created to target the Linux platform. However, we must also remember that Linux is an open-source ecosystem, where attackers will continue to reuse publicly available code to deploy new instances of malware. This is what makes indexing code seen in previous attacks so important for detecting future Linux threats.

By applying a Genetic Malware Analysis approach, and adhering to the mitigation recommendations outlined in this blog, users of Linux-based systems—particularly organizations hosting their data on Linux cloud servers—can better protect themselves from the threats posed by this emerging landscape.

Additional Resources:

• Webinar replay: For more info on the types of threats you might find in the Linux threat landscape, watch the recording to our webinar: https://m.youtube.com/watch?v=c2IChPlYgHE
• EvilGnome: Rare Malware Spying on Linux Desktop Users: Intezer researcher Paul Litvak recently identified a backdoor implant spying on Linux desktop users. This discovery is interesting in that Linux desktop makes up only about 2% of the total desktop market share. More notably, the toolset belongs to an alleged Russian APT, known as Gamaredon Group. EvilGnome uses functionalities rarely seen in Linux malware, such as taking desktop screenshots, stealing files, and capturing audio recording from the user’s microphone.
• Detect Linux and Windows threats: Take advantage of the free Intezer Analyze community edition. Thousands of users leverage our community version to detect and classify advanced cyber threats. Sign up at: https://analyze.intezer.com

Intezer

Count on Intezer’s Autonomous SOC solution to handle the security operations grunt work.