IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers target outdated versions of Linux in the cloud

Coinminers, web shells and ransomware, top malware aiming at Linux, report finds

Hackers are targeting old versions of Linux running in the cloud to take advantage of outdated software with unpatched vulnerabilities.

According to Trend Micro’s Linux Threat Report 2021 1H: Pervasive Security Issues in the Cloud, the cyber security firm detected over 15 million attacks in the first six months of 2021. The firm said that detections arose from systems running end-of-life versions of Linux distributions. Forty-four percent of the detections were from RHEL 7.8, followed by CentOS 6.4, which had almost 17% of the detections, and RHEL 7.7 with more than 10%.

The research looked at the top malware families affecting Linux servers during that six-month period. Web shells made up 29.61% of threats to Linux servers, with coinminers making up 29.45% of attacks, ransomware at 17.17.%, and PHP trojans at 14.34%.

Researchers said an interesting observation here is the high prevalence of web shells. The most detected web shell families are Backdoor.PHP.WEBSHELL.SBJKRW, Backdoor.PHP.WEBSHELL.SMMR; and cryptocurrency miners, where Coinminer.Linux.MALXMR.SMDSL64 and Coinminer.Linux.MALXMR.PUWELQ are the most prevalent families.

“Given that the cloud holds a seemingly endless amount of computing power, hackers have a clear motive in stealing computing resources to run their cryptocurrency mining activities. It’s also important to note that cryptocurrency miners have been plaguing container environments in recent years,” said researchers.

Related Resource

Cloud compute and storage performance analysis

Benchmark for IONOS Cloud Compute Engine

Title on a white background - whitepaper from IONOSDownload now

Researchers also saw ransomware as a prevalent Linux threat, with DoppelPaymer — a modern ransomware family that used double-extortion tactics — being the most prevalent family based on the company’s data. Researchers also saw other ransomware variants targeting Linux systems, such as RansomExx, DarkRadiation, and even DarkSide.

Even though there are an estimated 20,000 vulnerabilities reported in 2020 alone — many of which affect Linux or the Linux application stack — the report found only 200 of those vulnerabilities have publicly known exploits and were observed. Striving to prioritize the patching of these vulnerabilities should be baked into any organization's security practices, according to researchers.

“The applications affected by these 200 vulnerabilities have a few clear targets, including WordPress or Apache Struts, but services such as Atlassian JIRA, dnsmasq, and Alibaba Nacos aren't the first ones a security expert would automatically assume to be in attackers’ crosshairs,” researchers said.

Researchers said malicious actors would look for every opportunity to compromise the platform for financial gain — whether by developing and launching malware, exploiting vulnerabilities, or taking advantage of misconfigurations.

“Keeping Linux, the bedrock of critical systems and services, protected against threats can be achieved using a multilayered security approach: maximizing built-in tools and trusted commercial or free third-party security control,” they added.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Twilio account breach result of sophisticated social engineering campaign
Security

Twilio account breach result of sophisticated social engineering campaign

9 Aug 2022
Over 200,000 DrayTek routers vulnerable to total device takeover
Security

Over 200,000 DrayTek routers vulnerable to total device takeover

3 Aug 2022
Best Linux distros 2022
operating systems

Best Linux distros 2022

25 Jul 2022
Data on 69 million Neopets users stolen and listed for sale on hacker forum
Security

Data on 69 million Neopets users stolen and listed for sale on hacker forum

21 Jul 2022

Most Popular

UK water supplier confirms hack by Cl0p ransomware gang
ransomware

UK water supplier confirms hack by Cl0p ransomware gang

16 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022