The transition from global vendors' proprietary software, which is no longer available in Russia, to open-source solutions is aggravating information security problems: Linux-based open-source software has recently become a popular target for attackers.
A big shift
A significant portion of critical corporate IT infrastructure traditionally runs on Linux, making it an attractive target for ransomware.
The shift of focus towards Linux became a trend in 2021, when the number of attacks on infrastructure running this OS grew by 35% year on year, with IoT devices the main target.
The real boom came in 2022, when security researchers recorded significant growth in the number of ransomware attacks on Linux.
According to Trend Micro's analysis, Linux servers were attacked 75% more often in 2022 than in 2021.
Another sign of the shift is LockBit, one of the most widespread ransomware families, which now ships a Linux build (initially aimed at VMware ESXi hosts).
New threats keep refining the ransomware business model, picking targets with more precision and attention to detail. Organizations therefore need to get better at detecting, understanding and protecting themselves from the expanding range of attacks.
Threats change and grow
According to Atlas VPN data based on AV-ATLAS.org statistics, the number of new malware samples for Linux reached a record high of almost 1.7 million in the first half of 2022.
Compared with the same period of 2021, the number of new Linux malware samples grew by 650%; the first half of 2022 saw more Linux-focused malware than any full year since 2008.
Even though Linux holds only about 1% of the desktop OS market, it ranked second by new malware, with 1.7 million samples detected in the first half of 2022 (full-year figures will be available in 2023).
For reference, the most widely used operating system, Android, saw only 716,201 new malware samples in the first half of 2022.
Linux threats are not limited to file-encrypting ransomware. According to Trend Micro, cryptomining attacks, in which attackers covertly use infected Linux computers and servers to mine cryptocurrency, grew by 145%.
Traditional attacks on Linux systems exploit unpatched vulnerabilities. A well-known example is Dirty Pipe (CVE-2022-0847), which lets an unprivileged local user overwrite data in arbitrary read-only files on Linux kernels 5.8 and later; it was fixed in kernels 5.16.11, 5.15.25 and 5.10.102, so a current kernel closes it.
Group-IB researchers, who have been tracking the OldGremlin group, found while handling an incident that the attackers had hit a Linux machine with the TinyCrypt ransomware, which had previously been used only against Windows systems.
The Linux version works the same way as the Windows version: files are encrypted with AES in CBC mode under a 256-bit key, and that key is in turn encrypted with the RSA-2048 asymmetric cryptosystem, so recovery without the attackers' private key is not feasible.
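To make the hybrid scheme above concrete, here is an added example in Go that reconstructs it in miniature. It is not OldGremlin's or TinyCrypt's code, and the article does not specify padding or key-wrapping details, so PKCS#7 padding, RSA-OAEP wrapping and the on-disk layout are assumptions: a random AES-256 key per file, AES-256-CBC with a random IV, and the file key wrapped with the attacker's RSA-2048 public key. The point for a defender is visible in `DecryptFile`: the only way back is the RSA private key, which never touches the victim's machine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is an assumed on-disk layout for a hybrid-encrypted file:
// the per-file AES key wrapped with the attacker's RSA public key,
// the CBC IV, and the padded ciphertext.
type EncryptedFile struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// pkcs7Pad returns a padded copy so the caller's buffer is never modified.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	out := make([]byte, len(data)+n)
	copy(out, data)
	for i := len(data); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding byte")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptFile models the attacker side: a fresh random AES-256 key per file,
// AES-256-CBC with a random IV, and the key wrapped with RSA-OAEP under the
// attacker's 2048-bit public key. Only the wrapped key is written out, so the
// plaintext key never has to be stored on the victim.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptFile is what the victim would need: the RSA private key, which only
// the attacker holds. Without it the AES key cannot be unwrapped.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ef.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	padded := make([]byte, len(ef.Ciphertext))
	cipher.NewCBCDecrypter(block, ef.IV).CryptBlocks(padded, ef.Ciphertext)
	return pkcs7Unpad(padded, aes.BlockSize)
}

func main() {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document contents") // constructed input
	ef, err := EncryptFile(&attackerKey.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(ef.WrappedKey), len(ef.Ciphertext))
	pt, err := DecryptFile(attackerKey, ef) // only the private-key holder can do this
	if err != nil {
		panic(err)
	}
	fmt.Println(string(pt))
}
```

Because each file gets its own random key and the wrapping is asymmetric, brute-forcing or memory-scraping a single AES key on the victim gains nothing for the other files; the practical defences are offline backups and catching the operators during the weeks of dwell time before encryption starts.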
To gain initial access, the group uses carefully prepared phishing emails impersonating well-known organizations from various sectors, from the media to metalworking.
This is not the only way malware gets into Linux infrastructure: besides attachments, attackers often use links to documents on file-sharing services.
After infection, encryption does not start right away: the malware can sit in the victim company's network for one or two months while the operators study the environment to identify the most valuable systems, which they then encrypt before demanding a ransom.
Turning to Russia
Although most ransomware groups previously focused on the West, Russia has recently become an increasingly attractive target as well.
This is because open-source solutions are increasingly used across all software market segments to replace proprietary products from global vendors that have left the Russian market, and open-source infrastructure software almost always runs on the Linux kernel. Its use is growing rapidly in the country.
Major users include state organizations, critical and systemically important enterprises in their respective economic sectors, and socially significant institutions.
Given the scale of the completed and upcoming migration of infrastructure from Windows to Linux, there is much to prepare for in terms of cybersecurity on a nationwide scale: the more systems and users, the larger the potential attack surface.
All work, no rest
Although open-source software benefits from the scrutiny of a large developer community, it is not free of risk: security researchers regularly find substantial flaws in Linux.
Such vulnerabilities are typically exploited at scale long after the security patches have been released, that is, on systems that never applied them. To avoid becoming part of the disappointing statistics, update the kernel, modules and software of your OS regularly.
As the number of devices grows, so does the number of attacks this year. Attackers use advanced technologies and tools to create malware and exploit vulnerabilities, including ChatGPT, which lowers the bar for people with little technical knowledge to produce and distribute malicious tools.
In Russia, the growing number of DDoS attacks and Linux-targeted activity is linked to the special military operation, with unfriendly countries joining a coordinated campaign against Russian websites and web infrastructure.
For instance, such attacks were previously organized through a public Telegram channel with 200,000 subscribers that contained instructions on how to join. All a subscriber needed was a computer and internet access. Every few days a list of targets in the Russian Federation was posted, everyone attacked a single target, and the website usually went down.
The weakness of this strategy was that there were many constantly changing targets: a site would be under coordinated attack for only a couple of days and then resume normal operation. Still, in several cases the attackers managed to take down websites hosted by major providers.
The number of such attacks has since slumped: many participants tired of the effort or simply lost interest, the attacks became less effective, and websites inevitably returned to normal operation after a while.
Still, despite current developments in Russia, the majority of cyberattacks (95%) are not aimed at any particular country or company. Attackers simply run a scanner to find exploitable bugs in web servers, compromise them automatically, and use them for DDoS attacks, cryptomining, spam and so on.
We must stay alert to cyber threats and keep watching attack trends so that preventive action is taken before incidents occur.
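Untargeted scanning of this kind leaves a characteristic trace in web server logs: one client requesting many unrelated, non-existent paths in quick succession. The following Go program is an added example, not code from the article or its author; it parses Combined Log Format lines and flags clients that hit at least a given number of distinct paths with a high share of 404 responses. The log lines are constructed, the IP addresses are documentation ranges, and the thresholds are assumptions to tune against real traffic.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// sampleLog is constructed Combined Log Format traffic: one client probing
// common scanner targets, one ordinary browser session, one login POST.
const sampleLog = `203.0.113.7 - - [10/Mar/2023:10:00:01 +0300] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:10:00:01 +0300] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:10:00:02 +0300] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:10:00:02 +0300] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:10:00:03 +0300] "GET /actuator/env HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:10:00:03 +0300] "GET /robots.txt HTTP/1.1" 200 68 "-" "python-requests/2.28"
198.51.100.20 - - [10/Mar/2023:10:00:05 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2023:10:00:05 +0300] "GET /static/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2023:10:00:06 +0300] "GET /static/app.js HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2023:10:00:09 +0300] "GET /news/2023/03 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2023:10:00:12 +0300] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"`

// logLine captures client IP, method, path and status from a Combined Log Format line.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) `)

type clientStats struct {
	Requests int
	NotFound int
	Paths    map[string]bool
}

// Finding is one client whose request pattern looks like automated scanning.
type Finding struct {
	Client        string
	Requests      int
	DistinctPaths int
	NotFoundRatio float64
}

// DetectScanners aggregates requests per client and reports those that touched
// at least minDistinctPaths different paths with a 404 share of at least
// minNotFoundRatio. Unparseable lines are skipped rather than failing the run.
func DetectScanners(logText string, minDistinctPaths int, minNotFoundRatio float64) []Finding {
	stats := map[string]*clientStats{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := logLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ip, path, status := m[1], m[3], m[4]
		cs := stats[ip]
		if cs == nil {
			cs = &clientStats{Paths: map[string]bool{}}
			stats[ip] = cs
		}
		cs.Requests++
		cs.Paths[path] = true
		if code, err := strconv.Atoi(status); err == nil && code == 404 {
			cs.NotFound++
		}
	}
	var out []Finding
	for ip, cs := range stats {
		ratio := float64(cs.NotFound) / float64(cs.Requests)
		if len(cs.Paths) >= minDistinctPaths && ratio >= minNotFoundRatio {
			out = append(out, Finding{Client: ip, Requests: cs.Requests, DistinctPaths: len(cs.Paths), NotFoundRatio: ratio})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Client < out[j].Client })
	return out
}

func main() {
	for _, f := range DetectScanners(sampleLog, 5, 0.8) {
		fmt.Printf("possible scanner %s: %d requests, %d distinct paths, %.0f%% 404\n",
			f.Client, f.Requests, f.DistinctPaths, f.NotFoundRatio*100)
	}
}
```

A single legitimate 404 (the browser session's dead link) does not trip the rule because it is one path out of four; the probing client trips it because almost everything it asks for does not exist on this server. In production the same aggregation would run per time window, and a flagged client is a candidate for rate limiting or blocking at the edge before a later request finds a path that does exist.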
By Mikhail Sergeyev, expert at the CorpSoft 24 company