With Linux frequently used as the basis for cloud services, virtual-machine hosts, and container-based infrastructure, attackers have increasingly targeted Linux environments with sophisticated exploits and malware.
New analysis, based on telemetry collected from attacks on VMware customers, shows an increasing number of ransomware programs targeting Linux hosts to infect virtual-machine images or containers; more use of cryptojacking to monetize illicit access; and more than 14,000 instances of Cobalt Strike — 56% of which are pirated copies used by criminals or thrifty companies that have not bought licenses. The red-team tool has become so popular as a way to manage compromised machines that underground developers created their own protocol-compatible version of the Windows program for Linux, VMware states in a newly released report, "Exposing Malware in Linux-based Multi-Cloud Environments."
While attackers may not be shifting from Windows to Linux, the level of activity shows that they are increasingly targeting Linux as well, says Brian Baskin, lead for VMWare's Threat Analysis Unit (TAU) group.
"Most research has been focused on the Windows side, but we are now seeing an increase in attacks on the Linux side and especially against multicloud infrastructure," he says. "Most of the cases we see involve misconfiguration at the hypervisor level or, at the server level, shared accounts, shared passwords, and poorly configured role-based access controls."
Initial access is often not through exploitation but through credential theft. While remote code execution is the second most popular way to breach such systems — such as exploitation of the prevalent Log4j vulnerabilities — stolen credentials often give attackers more time to explore inside a victim's network, says Giovanni Vigna, senior director of threat intelligence at VMware.
"The main attack surface area is still stolen credentials, which has the advantage that it takes a longer time to understand that a compromise has happened," he says. "The login could seem absolutely normal and an attacker gets access to resources, but it's not until things start going in the wrong direction that the breach is actually identified."
Following initial access, however, a variety of Linux-based malware is brought to bear. From ransomware, to crypto-miners, to implants from remote access management software, such as Cobalt Strike, attackers have developed a broad range of tools with which to compromise and monetize compromised Linux systems.
The BlackMatter ransomware program is a variant of the program that was used against petrochemical distribution network Colonial Pipeline, while HelloKitty was originally a Windows-based version that expanded into the Linux world and is best known for its use in the attack on CD Projekt Red, makers of the Cyberpunk 2077 video game.
Other variants targeting Linux, and specifically Linux servers that host workloads, have become popular as well, according to the report.
"Ransomware has recently evolved to target the Linux host images used to spin up workloads in virtualized environments," the report states. "This new and worrisome development shows how attackers look for the most valuable assets in cloud environments to inflict the maximum damage on their target."
The Cybersecurity and Infrastructure Security Agency (CISA) and its international partners also note the trend in a Feb. 9 advisory warning of specific ransomware threats. Among the most significant shifts seen in 2021 were the use of phishing to gain credentials, exploiting systems with insecure configurations via the remote desktop protocol (RDP), and attacks on cloud infrastructure, the international cybersecurity agencies stated.
"Ransomware developers targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software," the alert states. "Ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data."
Attackers also are starting to use more sophisticated tools to manage their attacks on Linux infrastructure. Cobalt Strike is a Windows-focused attack management system used by red teams and penetration testers, but attackers are now using it in Linux campaigns, VMware's report states.
"CobaltStrike is becoming more prevalent because it is the most mature and formalized C2 [command-and-control] infrastructure out there," Baskin adds. "We are seeing it in increased usage by criminals, but we also see additional usage by some businesses [that] perhaps cannot afford a license."
The VMware investigation into Cobalt Strike servers found 14,000 servers by downloading the implants from the staging server and then deconstructing the information in the file to gather more specific information. The group found that one in six versions of the Cobalt Strike program had a customer ID of 0, indicating a trial version, but those are most likely cracked. Four other custom IDs accounted for nearly 40% of the remaining Cobalt Strike servers, indicating that protection on those instances had also been compromised.