Linux security and APTs: Identifying threats and reducing risk
Introduction
Think your Linux system is immune to malware? Well, think again. Advanced attack groups have sophisticated PHP rootkits, web shells, exploit code and backdoors designed for Linux. Plus, Linux users are arguably at greater risk when they believe the Linux security stereotype and neglect the importance of mitigations for the threat.
This is one of the reasons why APT groups are increasingly targeting Linux over Windows. While the OS hasn’t experienced the flood of Trojans and viruses that Windows systems have, The Global Research and Analysis Team (GReAT) at Kaspersky shared that Linux still has high appeal for threat actors.
Hands-on threat intel training
Linux usage on the rise, but devices are at risk
The Kaspersky GReAT team observed a significant trend across various countries: many organizations, including IT firms and government entities, use Linux more than Windows. The trend has been fueled by a move to container infrastructure, making it convenient for enterprises to deploy and use Linux. Unfortunately, not much attention is given to securing access to Linux-running devices, which has prompted adversaries to design tools for targeting the OS. Remember, it takes only a few exposed ports and a single vulnerable container for an attacker to enter your network.
GReAT’s analysis indicates that Linux servers are at the greatest risk, but threat actors could also target workstations and network devices. However, researchers emphasized that servers should be the key concern. A successful compromise could not only allow attackers to gain access to the data on those machines but also target connected endpoints running macOS or Windows, helping them infect more devices than their initial objective.
APT groups at the forefront of attacks
According to GReAT, various APT groups have been observed to leverage Linux malware and other Linux-based modules. Interestingly, they are deploying the malware via legitimate tools that are already present on Linux-based devices. This helps them to cover their tracks while they deploy code or run scripts. Below is an advanced persistent threat list featuring some of the hacking groups that have targeted Linux.
Cloud Snooper
Earlier in 2020, SophosLab published a report about a new APT threat actor named Cloud Snooper. Their attack tool is a server-oriented Linux kernel rootkit designed to establish a communication to the Linux server. The kernel driver achieves this by hooking Netfilter traffic control functions to activate firewall-crossing command-and-control (C2) communication. For spying, the attackers utilize an in-band signaling technique where a hidden command script is added in the standard network traffic.
GReAT researchers used the rootkit’s userland companion backdoor Snoopy to identify the threat at scale.
Barium/APT41
Researchers also found another APT group with the goal of manipulating network traffic. Called Barium/APT41, the group mainly targeted gaming firms during the initial years of its existence. Over time, it designed new tools and started attacking more complex targets.
The centerpiece is a Linux malware dubbed MessageTap, which is a “64-bit ELF data miner” loaded initially by an installation script. The Barium team uses it to intercept SMS communication from telecoms’ infrastructure.
FireEye reported that this malware was deployed on telecoms’ SMS gateway systems to create a surveillance grid.
Equation
GReAT’s researchers discovered that the sophisticated APT group Equation began utilizing its POSIX-compliant codebase to target Linux-based platforms. They identified the DOUBLEFANTASY Linux malware while it was still in the early stage. This module gathers system data and credentials to provide generic access to a Linux computer.
Researchers suggested that the malware could be used as a ploy in the infection life cycle for more dangerous later-stage implants. However, they weren’t able to identify any during the analysis.
Turla
This APT group, like other threat actors, has refined its toolset to include Linux-targeting capabilities. Their arsenal includes a stealth backdoor (called Penguin Turla) that doesn’t require admin or root privileges. An attacker with limited access to a Linux system can use it to run commands and intercept incoming packets while remaining hidden. It’s one of the most challenging to uncover, especially if deployed on a compromised server.
GReAT researchers stated that the most concerning thing about Linux malware is its ability to hide on servers (and then show up later). As Linux users rarely focus on system updates or installing antivirus software, the modules have a good chance of escaping detection and penetrating the devices.
How to minimize your APT security risks
Fortunately, researchers have some much-needed advice for making Linux devices more secure against APT threats. Here are some of the steps they recommend:
- Keep a list of trusted software sources and avoid installing apps from unofficial stores.
- Configure your firewall from the Linux distributive effectively to store network activity and block idle ports.
- Don’t fall for installation methods involving commands such as curl https://install-url | sudo bash. They can be harmful to your device.
- Make sure to set up automatic updates for your Linux security software and avoid unencrypted channels for software updates.
- Evaluate network settings and any unnecessary programs from the network.
- Leverage key-based SSH-authentication and passwords to protect keys.
- Set up two-factor authentication for SSH sessions and keep sensitive keys on third-party token devices.
- Protect Linux hardware from malicious insiders by using full disk encryption and placing tamper-evident security tape on the crucial systems.
- Perform system audits and study logs for indicators of compromise.
- Use dedicated Linux security tools like Integrated Endpoint Security. Such tools offer network and web safeguards to identify network attacks, phishing and malicious sites, as well as other Linux security features such as device control to help users define rules for data transfers.
Hands-on threat intel training
Conclusion
Organizations have long relied on Linux as an OS capable of supporting the daily tasks of enterprises. That, coupled with the misconception about Linux security, makes the OS a viable target for different attack groups. Rather than neglecting the reality of APT attacks, make sure to take the steps needed to increase the defense mechanisms of your Linux devices. For the best results, start seeing Linux security as a practice that needs to be integrated into your company’s DNA.
Sources
How invulnerable is Linux?, Kaspersky Daily
The “Cloud Snooper” malware that sneaks into your Linux servers, Naked Security
In this Series
- Linux security and APTs: Identifying threats and reducing risk
- Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
- Dependency confusion: Compromising the supply chain
- BendyBear: A shellcode attack used for cyberespionage
- ATP group MontysThree uses MT3 toolset in industrial cyberespionage
- BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
- Top 9 cybercrime tactics, techniques and trends in 2020: A recap
- KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
- BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group
- Top 6 ransomware strains to watch out for in 2020
- 2020 Verizon data breach investigations report: Summary and key findings for security professionals
- How hackers use CAPTCHA to evade automated detection
- The State of Ransomware 2020: Key findings from Sophos & Malwarebytes
- Dark web fraud: How-to guides make cybercrime too easy
- Top 6 malware strains to watch out for in 2020
- Top Cybersecurity Predictions for 2020
- Malware spotlight: What is click fraud?
- What does dark web monitoring really do?
- ThreatMetrix Cybercrime Report: An interview
- Are dark web monitoring services worth it?
- Cybercrime and the underground market [Updated 2019]
- Verizon DBIR 2019 analysis
- Common causes of large breaches (Q1 2019)
- The Magecart Cybercrime Group Is Threatening E-Commerce Websites Worldwide
- Russian Cyberspies Target 2018 U.S. Midterm Elections
- The Increasing Threat of Banking Trojans and Cryptojacking
- Leaders’ Meetings: A Privileged Target for Hackers
- Fraud as a Service (FaaS): Everything You Need to Know
- All about SamSam Ransomware
- The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware
- Mechanics Behind Ransomware-as-a-Service
- The Art of Fileless Malware
- ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS
- Which Are the Most Exploited Flaws by Cybercriminal Organizations?
- 5 New Threats Every Organization Should be Prepared for in 2018
- Memcrashed: The Dangerous Trend Behind the Biggest DDoS Attack Ever
- Open source threat intelligence tools & techniques
- Global Cost of Cybercrime on the Rise
- An Enterprise Guide to Using Threat Intelligence for Cyber Defense
- The Five Largest Ransomware Attacks of 2017
- Intellectual Property Crimes in the Dark Web
- Top 5 Smartest Malware Programs
- Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?
- Vault 7 Leaks: Inside the CIA's Secret Kingdom (July-August 07)
- DragonFly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again
- Russian APT Groups Continue Their Stealthy Operations
- Massive Petya Attack: Cybercrime or Information Warfare?
- SAP SECURITY FOR CISO: SAP Attacks and Incidents
- Role of Threat Intelligence in Business World
- WikiLeaks Vault 7 Data Leak: Another Earthquake in the Intelligence Community
- Past and Present Iran-linked Cyber-Espionage Operations
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Threat Intelligence
Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
Threat Intelligence
Threat Intelligence
Threat Intelligence
ATP group MontysThree uses MT3 toolset in industrial cyberespionage