Hackers target outdated versions of Linux in the cloud
Coinminers, web shells and ransomware, top malware aiming at Linux, report finds
Hackers are targeting old versions of Linux running in the cloud to take advantage of outdated software with unpatched vulnerabilities.
According to Trend Micro’s Linux Threat Report 2021 1H: Pervasive Security Issues in the Cloud, the cyber security firm detected over 15 million attacks in the first six months of 2021. The firm said that detections arose from systems running end-of-life versions of Linux distributions. Forty-four percent of the detections were from RHEL 7.8, followed by CentOS 6.4, which had almost 17% of the detections, and RHEL 7.7 with more than 10%.
The research looked at the top malware families affecting Linux servers during that six-month period. Web shells made up 29.61% of threats to Linux servers, with coinminers making up 29.45% of attacks, ransomware at 17.17.%, and PHP trojans at 14.34%.
Researchers said an interesting observation here is the high prevalence of web shells. The most detected web shell families are Backdoor.PHP.WEBSHELL.SBJKRW, Backdoor.PHP.WEBSHELL.SMMR; and cryptocurrency miners, where Coinminer.Linux.MALXMR.SMDSL64 and Coinminer.Linux.MALXMR.PUWELQ are the most prevalent families.
“Given that the cloud holds a seemingly endless amount of computing power, hackers have a clear motive in stealing computing resources to run their cryptocurrency mining activities. It’s also important to note that cryptocurrency miners have been plaguing container environments in recent years,” said researchers.
RELATED RESOURCE
Researchers also saw ransomware as a prevalent Linux threat, with DoppelPaymer — a modern ransomware family that used double-extortion tactics — being the most prevalent family based on the company’s data. Researchers also saw other ransomware variants targeting Linux systems, such as RansomExx, DarkRadiation, and even DarkSide.
Even though there are an estimated 20,000 vulnerabilities reported in 2020 alone — many of which affect Linux or the Linux application stack — the report found only 200 of those vulnerabilities have publicly known exploits and were observed. Striving to prioritize the patching of these vulnerabilities should be baked into any organization's security practices, according to researchers.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
“The applications affected by these 200 vulnerabilities have a few clear targets, including WordPress or Apache Struts, but services such as Atlassian JIRA, dnsmasq, and Alibaba Nacos aren't the first ones a security expert would automatically assume to be in attackers’ crosshairs,” researchers said.
Researchers said malicious actors would look for every opportunity to compromise the platform for financial gain — whether by developing and launching malware, exploiting vulnerabilities, or taking advantage of misconfigurations.
“Keeping Linux, the bedrock of critical systems and services, protected against threats can be achieved using a multilayered security approach: maximizing built-in tools and trusted commercial or free third-party security control,” they added.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
What users can expect with Claude Sonnet 5News Claude Sonnet 5 comes with intuitive agentic capabilities, performance boosts, and cost-efficient ‘effort levels’
-
SaaS has a big identity problemNews With more guest access than licensed users, firms are being compromised through the trusted identities and collaboration tools they rely on every day
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security