Mission Linux: How the open source software is now a lucrative target for hackers

Growing at close to 20% year-over-year, the Linux operating system market is expected to touch $22.15 billion in 2029 from a mere $6.27 billion in 2022, according to Fortune Business Insights. However, with growth, comes opportunities, and sometimes these are opportunities for threat actors.

Linux has gained significant popularity and broader adoption in various domains, including servers, cloud infrastructure, Internet of Things (IoT) devices, and mobile platforms.

The increased adoption of DevOps and modern applications is making Linux the platform of choice for servers and hence developers are increasingly developing it.

"Linux powers critical infrastructure, servers, and cloud environments, making it an appealing target for attackers aiming to compromise sensitive data, disrupt services, or launch broader attacks," said Royce Lu, distinguished engineer at Palo Alto Networks. 

In 2022, Palo Alto Networks observed Linux malware samples increase by 18.3% compared to 2021. Keeping with the trend of increasing attacks from December 2022 to May 2023, the maximum daily number of encounters with malicious ELF files (targeting Linux-based OSes) increased by almost 50%, according to Stefano Ortolani, threat research lead at VMware. 

Weak security practices are making Linux systems vulnerable

Improperly configured Linux systems or weak security practices, such as default or weak passwords, unpatched software, and unsecured network configurations can make them vulnerable to attacks. 

However, as more critical systems are now running on Linux, it would also allow attackers to demand bigger ransom and hence a ransomware attack could potentially become more disruptive to customers.

"In addition to servers, millions of Internet of Things (IoT) devices run on Linux, effectively expanding the attack surface of organizations across all verticals, especially in critical infrastructure," Dean Houari, director of security technology and strategy at Akamai, APJ, said.

Ransomware groups such as Agenda, BlackCat, Hive, and RansomExx have also developed versions of their ransomware in the programing language Rust. Using Rust allows the groups to customize malware for Linux.

In March, APT, Iron Tiger updated its malware to target the Linux platform. In April, Chinese hackers, Alloy Taurus, launched a Linux variant of PingPull malware. In May, a new variant of the IceFire ransomware started targeting Linux enterprise systems. 

Another reason that could be attributed to the increase in attacks is the vulnerabilities in applications running on Linux. "We saw the Log4j attack because of a vulnerability in the Apache server. Apache runs on Linux as well and thus such vulnerabilities can also mean increased attacks," said Sharda Tickoo, technical director for India & SAARC at Trend Micro.

While ransomware targeting Linux-based systems has been on the rise, a huge share of encounters is still variants of Mirai repurposed to mine Bitcoins or Monero, Ortolani said. 

"As long as cryptocurrencies are easily fungible, we can expect more and more cybercriminals to take advantage of insufficiently protected systems," Ortolani said. 

Timely vulnerability patches required

While Linux systems were generally considered secure, analysts say the need of the hour is to focus on timely vulnerability patches. 

"The strategy used to infect Linux systems is different from Windows as Linux is more susceptible to vulnerabilities", Houari said. "The high number of Linux vulnerabilities and dependency on open source code is a challenge for security teams to ensure that they are patched in a timely manner which could allow attackers to gain access to these systems effectively bypassing the perimeter security and obtaining privileged access for further reconnaissance and attacks." 

Organizations must adopt a zero trust strategy to embed security into the infrastructure so that it is possible to systematically address the threat vectors at all levels thereby reducing the overall attack surface, according to Ortolani. Organizations need to have strong authentication and access controls, monitor and log activities, utilize security-hardening techniques, and educate users about best practices for using Linux systems securely.