In the last two years, businesses around the globe have experienced a dramatic spike in cyberattacks. On the surface, this crimewave has a simple explanation. Businesses went remote during pandemic restrictions and, in the process, created millions of new remote access points for sensitive data. But it wasn’t just users becoming remote. As businesses quickly shifted left, a new wave of attacks targeted their complex and dynamic cloud environments, contributing to the dramatic increase.
Linux Infrastructure Under Attack
In a 2022 report, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned network defenders about an observed “increase in sophisticated, high-impact ransomware incidents” targeting Linux-based cloud infrastructures. Currently, 90% of remote work technologies such as cloud services and virtual-machine hosts run on Linux servers. In the era of remote access, Linux has become the prime target for new cybercriminal ingresses.
Overall Linux malware tracked in endpoints increased by 35% in 2021. In this larger trend, some discernible patterns also emerged.
The three most commonly observed Linux malwares – XorDDoS, Mirai, and Mozi – make up 22% of all variants and have in common a purpose of creating botnets to execute distributed denial of service (DDoS) attacks. XorDDoS and another popular variant, Kaiji, appear to have been recently reconfigured to target Docker servers in addition to Linux hosts on cloud servers.
To be effective, the DDoS attack-enabled botnets need to control enough compromised devices to overwhelm a target system with excess traffic, rendering it unreachable by legitimate users. To support DDos attacks and other botnet-enabled operations, such as cryptomining, Threat actors used the large attack surface, misconfigurations, and widespread vulnerabilities found in Linux Cloud environments. The rapid growth of open ports and unpatched vulnerabilities in Linux devices seems to have become sufficiently enticing to attract new malware development for creating compromised networks.
If the expansion of target surfaces continues to shape trends in cybercrime, these patterns suggest that what transpired in 2021 may be just the tip of the iceberg. With remote work here to stay, Linux will continue to see expanded use in cloud infrastructure. At the same time, Linux also powers two other device types poised for sustained, accelerated growth in the coming decade – mobile and Internet-of-things (IoT) devices. Statista predicts another 4.2 billion mobile devices will be in use by 2025 – a growth of nearly 25%. Projections for developments in IoT for the same time frame put more than 30 billion devices online in 2025.
Get Runtime Linux Security with Spyderbat
Network defenders navigating this new Linux threat landscape have struggled with a lack of critical tools such as perimeter breach protection and the ability to manage third-party risk factors. Security teams navigating this new Linux threat landscape have struggled with a lack of critical tools that provide the level of insight to detect multi-staged attacks across ephemeral, highly virtualized systems.
But that gap is being closed.
With a reimagining of security operations as Attack Tracing and Intercept (ATI), Spyderbat delivers an industry-first solution to Linux-specific network environments. Spyderbat’s universal trace connects Linux system-level activity to its corresponding network activity, highlighting an accurate and complete trace of credible compromises in real-time.
To experience the tactical advantages of runtime Linux security, download Spyderbat’s free Community Edition.