When it comes to security, there are some low-lying threats that can cause big problems. One important example is malware designed to exploit Linux systems, often in the form of executable and linkable format (ELF) binaries. And, as the Linux footprint continues to expand, so, too, will attacks against it.
Researchers from FortiGuard Labs noted a doubling in the occurrence of ELF and other Linux malware detections during 2021 and a quadrupling of the rate of new Linux malware signatures from the first quarter of last year to the fourth quarter. That's not exactly a meteoric rise, but it's not something to ignore, either.
The Growing Threat to Linux
This kind of growth and spread in variants suggests that Linux malware is gaining prominence in cyber adversaries' arsenal. The most common ELF variant is tied to Muhstik, malware that turns infected machines into bots and is known to exploit vulnerabilities for propagation. One notable Muhstik exploit involved Atlassian Confluence, a popular Web-based corporate team workspace. FortiGuard Labs researchers noted multiple malicious actors targeting this vulnerability, with the goal of downloading a malicious payload that would install a backdoor or miner in a user's network.
FortiGuard researchers also saw botnet activity related to a new variant of RedXOR, malware that targets Linux systems for data exfiltration (and that leapt into our top 10 list last October). Meanwhile, a malicious implementation of the Beacon feature of Cobalt Strike called Vermilion Strike targets Linux systems with remote access capabilities. Log4j is another example of an attack where Linux binaries were used to capitalize on the opportunity of targeting low-lying threats such as Linux.
As the use and integration of Linux expands, we can expect more attacks to surface. For example, cyberattackers are likely to see opportunity in Microsoft's active integration of Windows Subsystem for Linux — a compatibility layer used for running Linux binary executables natively on Windows.
Addressing the Threat
What does all this mean? For one thing, it means the Linux attack surface has been expanded to the network edge. Securing your organization against this new wave of threats requires an integrated approach to security. Point products need to be replaced with security devices designed to operate as a unified solution to consistently protect every user, device, and application with policies that can follow data and transactions. This approach also enables centralized management to ensure that policies are consistently enforced, configurations and updates are promptly delivered, and suspicious events are centrally collected and correlated.
Organizations must act with a sense of urgency to harden their Linux systems and operational technology environments. This includes adding tools designed to protect, detect, and respond to threats in real time, as well as taking a security-first approach before adopting new products and technologies. In addition, behavioral analytics should be deployed to discover and block attacks during initial reconnaissance and probing efforts.
Linux runs the back-end systems of many networks and container-based solutions for Internet of Things devices and mission-critical applications. Until recently, Linux has been largely ignored by cybercriminals, but as the Linux footprint expands, so will attacks against it. Organizations must act now — before this threat becomes a significant problem. Action involves establishing an integrated security approach that extends all the way to the network edge for rapid, early detection and remediation.