Myths about Linux Security.

[Fixxx]

​

Among ordinary users and even IT professionals, there is a common belief in the increased security of Linux-based operating systems compared to the "holey Windows" and "popular macOS". However, as our study has shown, the openness of the source code does not exempt Linux from errors and vulnerabilities that carry security risks. In this article, we will discuss why Linux has become an attractive target for cybercriminals, as well as examine the main threats associated with this operating system.

Linux, which started as a personal project about 50 years ago, is now one of the most powerful operating systems, dominating cloud platforms and servers worldwide. In fact, the use of Linux currently exceeds the use of Windows in Azure, Microsoft's own cloud platform. However, like any software, Linux is not immune to security threats and risks. As everyone moves to the cloud and, therefore, to Linux, it's not surprising that cybercriminals will shift their focus and resources to these environments, including their weaknesses, to gain dishonest advantage. All different types of malware, such as ransomware, cryptocurrency miners, user-mode and kernel-mode rootkits, worms, trojans, backdoors, remote access trojans (RATs) also exist on the Linux platform. The motivation for such attacks remains the same: financial gain, espionage, sabotage, hacktivism or simply the desire to prove that systems can be compromised.

Ransomware needs no introduction. Since cybercriminals have been paid millions of dollars, it's undoubtedly the most successful category of malware in recent times. Given the prevalence of Linux, ransomware attackers consider the operating system a very profitable target. Shell scripts are used for their simplicity. With them, Unix programmers can easily run multiple Linux commands embedded in one file. Shell scripts are interpreted by the shell or command-line interpreter of Linux. Cybercriminals also abuse this tool, which can be found on all UNIX machines. It's easier to deploy a malicious script than to use compiled malware. The popularity of using malicious scripts for Linux attacks is explained by several reasons: They are easy to download as text files. They are smaller in size. They are less likely to be easily detected. They can be created "on the fly". Once these scripts land on the target host, they run in a secure location where they cannot be flagged, for example, in the /tmp folder. Typically, these scripts do not perform any malicious actions on their own, although they connect to a command and control (C&C) server to download malware.

Rootkits are persistent threats that are difficult to detect or observe. The main goal of a rootkit is to keep itself and other malicious threats unnoticed, on the one hand, to administrators, analysts, and users, and on the other hand, not to be detected by scanning tools, forensic analysis and system tools. Rootkits can also open backdoors or use a C&C server to provide the cybercriminal with ways to control and spy on the vulnerable machine.

• Umbreon:

In Linux, when a program calls the printf() function, there are other cascading functions in the same library that can be called subsequently, such as _IO_printf() and vprintf(). All these functions ultimately call the write() system call. An example of this is the Umbreon rootkit, which was discovered several years ago.

• Drovorub:

Fancy Bear, also known as Pawn Storm, Sednit, APT28, Sofacy, and Strontium, is an active cyber espionageorganization that has gained notoriety for foreign and internal espionage, especially in recent years. This group is responsible for a Linux malware family called Drovorub, which can connect to C&C infrastructure, download and upload malicious files, and execute RCE.

• Diamorphine:

Diamorphine is a loadable kernel module (LKM) rootkit used for Linux kernels 2.6.x / 3.x / 4.x / 5.x and ARM64. It's worth mentioning here because it was used in recent attacks in early 2020 by the TeamTNT hacking group. According to Cado Security, cybercriminals used Diamorphine along with a malware strain similar to the Kinsing worm to steal AWS and local credentials, as well as to scan the Internet for misconfigured and open Docker and Kubernetes API servers. Although it's no longer relevant we could not help but mention it as an example.

Let's also give an example:
Identified 15 different vulnerabilities that are either actively exploited in real cyber attacks or already have working exploit codes (PoCs).
Here are these vulnerabilities:

CVE-2017-5638 (CVSS - 10.0) - remote code execution in Apache Struts 2.
CVE-2017-9805 (CVSS - 8.1) - remote code execution in REST XStreamApache Struts 2 plugin.
CVE-2018-7600 (CVSS - 9.8) - remote code execution in the Drupal core.
CVE-2020-14750 (CVSS - 9.8) - remote code execution in Oracle WebLogic Server.
CVE-2020-25213 (CVSS - 10.0) - remote code execution in WordPress File Manager plugin (wp-file-manager).
CVE-2020-17496 (CVSS - 9.8) - remote code execution in vBulletin 'subwidgetConfig'.
CVE-2020-11651 (CVSS - 9.8) - vulnerability in SaltStack Salt authentication process.
CVE-2017-12611 (CVSS - 9.8) - remote code execution in Apache Struts OGNL.
CVE-2017-7657 (CVSS - 9.8) - integer overflow in Eclipse Jetty.
CVE-2021-29441 (CVSS - 9.8) - Alibaba Nacos AuthFilter authentication bypass.
CVE-2020-14179 (CVSS - 5.3) - information disclosure in Atlassian Jira.
CVE-2013-4547 (CVSS - 8.0) - access restriction bypass in Nginx.
CVE-2019-0230 (CVSS - 9.8) - remote code execution in Apache Struts 2.
CVE-2018-11776 (CVSS - 8.1) - remote code execution in Apache Struts OGNL.
CVE-2020-7961 (CVSS - 9.8) - deserialization in Liferay Portal.

The widespread use of Linux and it's use in processing important information make it a very profitable target for cybercriminals. Evidence of this is the growing list of ransomware families targeting Linux and the huge number of vulnerabilities used by cybercriminals to compromise the Linux environment. These Linux-based threats confirm the need to strengthen security, especially for enterprises and organizations using the operating system on critical business platforms.

After studying this material, ask yourself: do you still feel safe working online? Don't rely on the Internet for security advice - ask the experts for help and they will tell you how to properly hide your online presence. Remember: Security requires payment and it's absence will be paid for!