In this blog post, we will be looking at the VMware Threat Analysis Unit report, which focuses on exposing malware in Linux-based multi-cloud environments. Adoption of the Linux operating system in multi-cloud environments has increased tremendously in recent years: over the last five years its usage growth has outpaced that of Windows, even on Microsoft Azure, and it powers more than 78% of the most popular websites.
With these statistics in mind, we have seen organizations and businesses continuously migrating to multi-cloud environments to scale their operations and keep pace with the competition. Threat actors have also taken notice of this change and are increasingly targeting vulnerable Linux-based systems to infiltrate corporate and government networks.
Below are some of the key findings with which security teams can arm themselves:
Linux-based systems are fast becoming an attacker’s way into high-value, multi-cloud environments.
- Linux is the most common OS across multi-cloud environments.
- Malware targeting Linux-based systems is increasing in volume and complexity, but it is still less sophisticated than Windows threats.
- There is a lack of focus on the detection of threats that target Linux-based systems, making existing tools inadequate.
- The main threats in most multi-cloud environments are ransomware, crypto miners and RATs.
- Existing attack characterization techniques based on static information, such as strings and APIs, are useful but easily evaded by sophisticated threats.
- Defense evasion is the most common tactic used by ransomware and crypto miners. Various encryption or obfuscation techniques, such as Base64 encoding and AES-based encryption, are used by attackers to conceal code and data.
Ransomware is becoming more sophisticated
- Ransomware has recently evolved to target Linux host images that are used to spin workloads in virtualized environments.
- Ransomware attacks against cloud deployments are targeted, not opportunistic.
- Ransomware attacks against cloud environments are often combined with data exfiltration, implementing a double-extortion scheme that improves their odds of success.
- The detection of sophisticated threats targeting Linux-based systems requires dynamic analysis and continuous host monitoring—capabilities that work well with the Linux kernel.
RATs are becoming an increasing threat to Linux-based systems
- As Cobalt Strike is such a ubiquitous threat on Windows, its expansion to other operating systems, such as Linux, is notable. It demonstrates the desire of threat actors to use readily available remote-control tools to target as many platforms as possible.
- VMware Threat Analysis Unit discovered more than 14,000 active Cobalt Strike team servers on the internet since the end of February 2020.
- The most popular protocol for the Cobalt Strike beacon is HTTPS.
- Close to 90 percent of the Cobalt Strike server population is version 4 or later.
- The total percentage of cracked and leaked Cobalt Strike customer IDs is 56 percent. This means that more than half of the Cobalt Strike users are using illegitimately obtained versions of the commercial software.
- Vermilion Strike is just the first of many malware families targeting Linux-based systems that will mimic the actions of other well-known RATs to simplify an adversary’s work.
Cryptojacking attacks mostly use XMRig to mine Monero.
- Cryptojacking attacks focus on monetizing stolen CPU cycles to mine cryptocurrencies.
- Most cryptojacking attacks focus on mining the Monero cryptocurrency (or XMR). XMRig is the most commonly used tool for crypto mining, and research found that 89 percent of crypto miners used XMRig-related libraries.
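As an added illustration of two findings above (static string-based characterization being evaded by Base64 obfuscation, and XMRig being the dominant miner), here is a small static triage check written for this post; it is not code from the VMware report or from CyberPlural. The indicator terms and the two sample "binaries" are constructed assumptions, and the check only recovers Base64-wrapped content: AES-encrypted payloads stay opaque to static inspection, which is why the report calls for dynamic analysis and host monitoring.

```python
import base64
import re

# Indicator strings a naive static characterization would search for.
# Illustrative assumptions: "xmrig" is the miner the report names;
# "stratum+tcp://" is the usual mining-pool URL scheme; "donate-level"
# is an XMRig option name.
INDICATORS = ("xmrig", "stratum+tcp://", "donate-level")

# Constructed sample blobs standing in for a strings dump of an ELF file.
PLAIN_SAMPLE = (b"\x7fELF\x00 some code xmrig --url "
                b"stratum+tcp://pool.example:3333 end")
# Same command line, but Base64-wrapped as an obfuscated sample would carry it.
OBFUSCATED_SAMPLE = (b"\x7fELF\x00 loader "
                     + base64.b64encode(b"xmrig --url stratum+tcp://pool.example:3333")
                     + b" tail")

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # like `strings`
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")        # Base64 candidates


def printable_strings(blob: bytes) -> list[str]:
    """Return printable runs of four or more bytes, as `strings` would."""
    return [s.decode("ascii") for s in PRINTABLE_RUN.findall(blob)]


def naive_match(blob: bytes) -> set[str]:
    """String-only characterization: case-insensitive indicator lookup."""
    found = set()
    for s in printable_strings(blob):
        low = s.lower()
        found.update(ind for ind in INDICATORS if ind in low)
    return found


def decoded_match(blob: bytes) -> set[str]:
    """Same lookup, but Base64 runs are decoded first so wrapped strings surface."""
    found = naive_match(blob)
    for run in B64_RUN.findall(blob):
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:          # not valid Base64 after all; skip it
            continue
        found |= naive_match(decoded)
    return found


if __name__ == "__main__":
    print("plain, naive     :", naive_match(PLAIN_SAMPLE))
    print("obfuscated, naive:", naive_match(OBFUSCATED_SAMPLE))
    print("obfuscated, decoded:", decoded_match(OBFUSCATED_SAMPLE))
```

Long Base64 runs also occur in legitimate binaries (embedded certificates, resources), so treat a decoded hit as a triage signal to confirm with dynamic analysis rather than as a verdict on its own.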
In conclusion, protecting multi-cloud environments starts with complete visibility into all workloads, with a detailed system context that makes it easier to understand and prioritize mitigation efforts. Information from all sources must be combined in an intelligent fashion that adds value while enabling the sharing of this contextual data across teams to reduce silos. CyberPlural MSSP can help with an implementation that provides the visibility required to keep your business ahead of malicious actors.