Most organizations prefer Linux for strategically important servers and systems, which they consider to be more secure than the popular Windows operating system. While this is the case with large-scale malware attacks, it is difficult to be precise when it comes to advanced persistent threats (APT). Kaspersky researchers found that a large number of threat groups started targeting Linux-based devices by developing Linux-oriented tools.
Over the past eight years, more than a dozen APTs have been seen using Linux malware and Linux-based modules. These included well-known threat groups such as Barium, Sofacy, Lamberts, and Equation. Recent attacks such as WellMess and LightSpy organized by the group called TwoSail Junk also targeted this operating system. Threat groups can reach more people more effectively by diversifying their weapons with Linux tools.
There is a serious trend among large corporate companies and government agencies to use Linux as a desktop environment. This pushes threat groups to develop malware for this platform. The notion that Linux, a less popular operating system, will not be a target of malware poses new cybersecurity risks. Although targeted attacks against Linux-based systems are not common, there are remote control codes, backdoors, unauthorized access software and even special vulnerabilities designed for this platform. The low number of attacks can be misleading. When Linux-based servers are captured, serious consequences can occur. Attackers can access not only the device they infiltrated, but also endpoints using Windows or macOS. This allows attackers to reach more places without being noticed.
For example, Turla, a group of Russian-speaking people known for their secret data leakage methods, has changed their toolkit over the years, taking advantage of Linux backdoors. A new version of the Linux backdoor, Penguin_x2020, reported in early 64, has affected dozens of servers in Europe and the US as of July 2020.
The APT group called Lazarus, consisting of Korean-speaking people, continues to diversify its toolkit and develop malware that can be used on platforms other than Windows. Kaspersky close zamHe just published a report on the multi-platform malware framework called MATA. In June 2020, researchers analyzed new instances of Lazarus' espionage attacks targeting financial institutions "Operation AppleJeus" and "TangoDaiwbo." As a result of the analysis, it was seen that the samples were Linux malware.
Yury Namestnikov, Director of Kaspersky's Global Research and Analysis Team Russia, said, “Our experts have seen many times in the past that APTs have spread their tools to a wider range. Linux-oriented tools are also preferred in such trends. Aiming to secure their systems, IT and security departments have started using Linux like never before. Threat groups are responding to this with advanced tools targeting this system. We advise cybersecurity professionals to take this trend seriously and take additional security measures to protect their servers and workstations. " said.
Kaspersky researchers recommend the following to avoid such attacks on Linux systems by a well-known or unrecognized threat group:
- Create a list of trusted software sources and avoid using unencrypted update channels.
- Do not run code from sources you do not trust. “Curl https: // install-url | Frequently introduced program installation methods such as "sudo bash" cause security problems.
- Let your update procedure run automatic security updates.
- To set up your firewall properly zamtake the moment. Keep track of activity on the network, close all unused ports and reduce the network size as much as possible.
- Use a key-based SSH authentication method and secure keys with passwords.
- Use the two-factor authentication method and store sensitive keys on external devices (eg Yubikey).
- Use an out-of-band network to independently monitor and analyze network communications on your Linux systems.
- Maintain the integrity of the executable system file and check the configuration file regularly for changes.
- Be prepared for physical attacks from inside. Use full disk encryption, reliable / secure system startup features. Apply security tape to critical hardware that allows tampering to be detected.
- Check system and control logs for signs of attack.
- Penetrate your Linux system
- Use a dedicated security solution that provides Linux protection, such as Integrated Endpoint Security. Offering network protection, this solution detects phishing attacks, malicious websites and network attacks. It also allows users to set rules for data transfer to other devices.
- Kaspersky Hybrid Cloud Security providing protection for development and operations teams; It offers security integration into CI / CD platforms and containers and scanning for supply chain attacks.
You can visit Securelist.com for an overview of Linux APT attacks and more detailed explanations of security recommendations. - Hibya News Agency