Linux under fire from hackers

VMware has published a Malware Detection Threat Report in Multiple Linux-Based Cloud Environments. Among other things, it shows how cybercriminals use malware to attack Linux-based operating systems.

Linux, as the most widespread cloud operating system, is an essential part of the digital infrastructure.

Countermeasures to date have focused mainly on Windows-based threats. This is a mistake, given the continuing increase in the volume and sophistication of malware targeting Linux-based operating systems. The VMware Threat Analysis Unit (TAU) analyzed Linux threats in multi-cloud environments and found that the most common tools used by attackers are ransomware, cryptocurrency-mining software, and remote access tools.

“Cybercriminals are radically expanding the field of operations and include in their arsenal malware that targets Linux-based operating systems. This is to maximize burglary efficiency with minimal effort,” said Andrzej Szymczak, Principal Solution Engineer at VMware. Rather than infecting endpoints (computers, laptops, phones), cybercriminals have discovered that a single attack on a server is a more profitable target: it can bring huge profits and provide access to data, especially sensitive data, and to computing power. Both public and private clouds are valuable targets because they provide access to critical infrastructure services and confidential data.

Key conclusions from the report:

• Ransomware evolves and targets tools (such as hosts) used to run workloads in virtual environments.

• 89% of cryptojacking attacks involve XMRig-linked libraries.

• More than half of Cobalt Strike users may be cybercriminals or at least use the tool illegally.

Cloud ransomware targets

A successful ransomware attack on the cloud can have severe consequences.

Such attacks also occur in Poland, as the CD Projekt incident demonstrated. The two-pronged approach of encrypting and stealing data increases the chances of a fast and large payout. A new development is that Linux-based ransomware is evolving to target the tools used to run different types of software in virtual environments as well.

Hackers are now looking for more valuable resources in cloud environments to inflict maximum damage on the target. Examples include the Defray777 ransomware family, which encrypted images on ESXi servers, and the DarkSide ransomware group, which paralyzed Colonial Pipeline networks, causing gasoline shortages in the United States.

Cybercriminals looking for easy income often target cryptocurrencies. They either build a wallet-stealing mechanism into the malware or use hijacked CPU power to mine cryptocurrency, an attack known as cryptojacking. Most of these attacks focus on mining Monero (XMR).

VMware TAU found that 89% of cryptominers used XMRig-related libraries. For this reason, when certain XMRig libraries and modules are detected in Linux binaries, this is likely evidence of a compromise. VMware TAU also notes that defense evasion is the most commonly used technique in attacks against Linux. Because cryptominers do not disrupt cloud environments the way ransomware does, they are harder to detect.
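The paragraph above turns the XMRig finding into a detection heuristic: known miner libraries and modules showing up inside a Linux ELF binary are a likely indicator of compromise. The following Python triage script is an added example, not code from the report or from VMware, showing how a defender can apply that heuristic to a filesystem. The indicator strings and their weights are constructed for illustration (they are not the report's indicators, and a real deployment would load them from a maintained threat-intelligence feed), and the two sample "binaries" are constructed byte blobs so the example runs offline.

```python
"""Triage Linux ELF binaries for XMRig-related indicator strings.

Added example (not from the VMware report). Scores each ELF file by the
weighted set of miner-related strings it contains and flags files that
cross a threshold, so a responder can prioritise what to inspect by hand.
"""
import re
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Runs of 6+ printable ASCII bytes, the same idea as the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Constructed, illustrative indicators with rough weights. Matching is
# case-insensitive because builds vary in how they capitalise the name.
INDICATORS = {
    b"xmrig": 3,          # the miner's own name baked into the binary
    b"stratum+tcp://": 2, # mining-pool URL scheme
    b"randomx": 2,        # Monero proof-of-work algorithm
    b"cryptonight": 2,    # older Monero proof-of-work algorithm
    b"donate-level": 1,   # miner configuration key
}


def extract_strings(data: bytes) -> list[bytes]:
    """Return lower-cased printable runs found in the blob."""
    return [m.group(0).lower() for m in PRINTABLE_RUN.finditer(data)]


def score_binary(data: bytes) -> dict:
    """Score one file's contents. Non-ELF input scores 0 and is never flagged."""
    result = {"is_elf": data.startswith(ELF_MAGIC), "score": 0, "hits": []}
    if not result["is_elf"]:
        return result
    seen = set()
    for run in extract_strings(data):
        for needle, weight in INDICATORS.items():
            # Count each indicator once per file, however often it appears.
            if needle in run and needle not in seen:
                seen.add(needle)
                result["score"] += weight
                result["hits"].append(needle.decode())
    result["hits"].sort()
    return result


def scan_tree(root: str, threshold: int = 3) -> list[tuple[str, dict]]:
    """Walk `root` and return (path, result) for ELF files scoring >= threshold."""
    flagged = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(4)
                if head != ELF_MAGIC:   # cheap pre-filter before reading the whole file
                    continue
                data = head + fh.read()
        except OSError:
            continue                    # unreadable file; skip rather than abort the sweep
        result = score_binary(data)
        if result["score"] >= threshold:
            flagged.append((str(path), result))
    return flagged


# Constructed sample blobs (not real binaries) so the logic can be exercised offline.
SAMPLE_MINER = ELF_MAGIC + b"\x00" * 12 + (
    b"XMRig 6.x stratum+tcp://pool.example.invalid:3333 randomx donate-level"
)
SAMPLE_BENIGN = ELF_MAGIC + b"\x00" * 12 + (
    b"/lib64/ld-linux-x86-64.so.2 GLIBC_2.2.5 printf puts __libc_start_main"
)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin"
    for path, res in scan_tree(root):
        print(f"{res['score']:>3}  {path}  hits={','.join(res['hits'])}")
```

Run it against a directory (`python3 xmrig_triage.py /opt`) to get a scored list of suspicious ELF files. String matching of this kind is a triage step, not a verdict: packed or stripped miners will evade it, and a legitimate mining package installed on purpose will trip it, so flagged files still need manual review alongside process, network and CPU-usage evidence.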

Cobalt Strike – Attack Tool

In order to gain control and maintain persistence in the environment, cybercriminals try to install an implant in the system, which gives them partial control over the device. Malware, web shells, and remote access tools (RATs) can be used on the affected system to allow remote access. One of the primary tools attackers use is Cobalt Strike, the commercial red team penetration testing tool, and its recent Linux-based reimplementation, Vermilion Strike. Cobalt Strike is such a pervasive threat on Windows that its extension to Linux highlights the efforts of cybercriminals to use readily available tools that target as many platforms as possible.

Between February 2020 and November 2021, the VMware TAU team discovered more than 14,000 active Cobalt Strike team servers online. The combined percentage of cracked and leaked Cobalt Strike customer IDs is 56%, which means that more than half of the users may be cybercriminals or at least use Cobalt Strike illegally. The use of RATs as a malicious tool poses a serious threat to businesses.

“Since our analysis, it has been observed that more types of ransomware target Linux. This raises the possibility of additional attacks that could exploit vulnerabilities in Log4j, for example,” said Piotr Kraś, Senior Director of Solution Engineering at VMware. “The report’s conclusions can be used to better understand the nature of Linux-based malware and mitigate the growing threat of ransomware, encryption, and RAT on multicloud environments. Cloud attacks continue to evolve, so we must adopt a Zero Trust approach to embed security across the infrastructure and systematically address the threat vectors that create the attack surface.”

Want to learn more about Zero Trust? We invite you to listen to two special editorial episodes from Computerworld Tech Trends: “Trust Zero – There Will Be No Different Truth” and “Security? Let’s Get to Work…”

