Despite Linux-based workstations and servers being thought to be safer and less prone to cyber threats than their Windows counterparts, over a dozen advanced persistent threat (APT) actors have been found by Kaspersky researchers to use Linux malware or some Linux-based modules.
Notable examples include threat groups Barium, Sofacy, the Lamberts, and Equation, as well as more recent campaigns, such as LightSpy by TwoSail Junk and WellMess.
Threat actors have been detected developing malware to attack the rising number of large enterprise companies and governmental entities globally that use Linux-based desktop environments.
While still uncommon, attacks on Linux-based workstations have manifested themselves in the form of webshells, backdoors, rootkits and custom-made exploits.
In addition, Kaspersky says the relatively small number of such attacks is misleading: the infiltration of a Linux server often has significant consequences, as threat actors go on to target endpoints running Windows or macOS from it.
“The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception,” said Yury Namestnikov, head of Kaspersky’s Global Research and Analysis Team (GReAT) in Russia.
“Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems.
“We advise cyber security experts to take this trend into account and implement additional measures to protect their servers and workstations.”
Security recommendations for Linux
In addition to these findings, Kaspersky has provided the following recommendations for keeping Linux-based workstations and devices within company networks secure:
- Keep a list of trusted software sources and avoid using unencrypted update channels.
- Do not run binaries and scripts from untrusted sources. Widely advertised ways to install programs with commands like “curl https://install-url | sudo bash” are known to be malicious.
- Make sure your update procedure is effective, and set up automatic security updates.
- Spend time setting up your firewall properly: make sure it logs network activity, block all ports you don’t use, and minimise your network footprint.
- Use key-based secure shell (SSH) authentication and protect the private keys with passphrases.
- Use 2FA (two-factor authentication) and store sensitive keys on external token devices, such as Yubikey.
- Use an out-of-band network tap to independently monitor and analyse network communications of your Linux systems.
- Maintain system executable file integrity and review configuration file changes regularly.
- Be prepared for insider/physical attacks by using full disk encryption, trusted/safe boot and putting tamper-evident security tape on your critical hardware.
- Audit the system, and check logs for indicators of attack.
- Run penetration tests on your Linux setup.
- Use a dedicated security solution with Linux protection such as Integrated Endpoint Security. This provides web and network protection to detect phishing, malicious web sites and network attacks as well as device control, allowing users to define rules for transferring data to other devices.
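One way to check a few of these recommendations on a host, as an added example that is not from the article or from Kaspersky: a small POSIX sh audit covering unencrypted update channels, key-only SSH logins and executable integrity. The config file contents, directory layout and paths are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example, not from the article or Kaspersky: a small POSIX sh audit for
# three of the recommendations above (unencrypted update channels, key-only SSH
# logins, executable integrity). All file contents are constructed samples.
WORK=$(mktemp -d)
HASH=$(command -v sha256sum || echo "shasum -a 256")   # sha256sum, or macOS fallback
# Constructed apt sources list: one active mirror still uses plain http://.
cat > "$WORK/sources.list" <<'EOF'
deb https://deb.example.org/debian stable main
# deb http://old.example.org/debian stable main
deb http://mirror.example.net/debian stable-updates main
EOF
# Constructed sshd_config: sshd applies the FIRST value seen for a keyword,
# so the later "PasswordAuthentication no" never takes effect here.
cat > "$WORK/sshd_config" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
# Number of active apt source lines fetched over unencrypted http://.
count_plain_http_sources() {
    awk '/^[[:space:]]*deb(-src)?[[:space:]]/ && /http:\/\// { n++ } END { print n + 0 }' "$1"
}
# Effective sshd_config value for a keyword: first non-comment match wins.
sshd_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# Succeeds only if password logins are off and public-key logins are on
# (both default to "yes" in sshd, hence the fallbacks).
check_ssh_keys_only() {
    pw=$(sshd_value "$1" PasswordAuthentication); pk=$(sshd_value "$1" PubkeyAuthentication)
    [ "${pw:-yes}" = no ] && [ "${pk:-yes}" = yes ]
}
# SHA-256 of every file under a directory, one "hash  ./path" line each.
file_hashes() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do $HASH "$f"; done )
}
# Files whose hash is missing from the recorded baseline (modified or new).
changed_files() {
    file_hashes "$1" | grep -vxF -f "$2" | awk '{ print $2 }'
}
# Constructed executable tree: record a baseline, then tamper with one file.
mkdir -p "$WORK/bin"
printf 'original\n' > "$WORK/bin/tool"; printf 'helper\n' > "$WORK/bin/helper"
file_hashes "$WORK/bin" > "$WORK/baseline"
printf 'trojaned\n' > "$WORK/bin/tool"
echo "plain http sources: $(count_plain_http_sources "$WORK/sources.list")"
check_ssh_keys_only "$WORK/sshd_config" && echo "ssh: key-only" || echo "ssh: password logins allowed"
echo "changed since baseline: $(changed_files "$WORK/bin" "$WORK/baseline")"
```

On a real host the baseline would be stored off-box and re-checked on a schedule, and the same sshd_value helper shows why a hardening line appended to the end of sshd_config can silently lose to an earlier one.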
A full overview of Linux APT attacks can be found here.