Forget about 2023 becoming “The Year of the Linux Desktop,” a popular slogan about growing Linux OS usage. It is already becoming the year of the Linux malware takeover.
In the eyes of cybercriminals, Linux is now a more appealing target due to the computing platform’s potentially high return on their “investment.” Prevailing security countermeasures predominantly cater to Windows-based threats, often leaving Linux, particularly in private cloud deployments, perilously vulnerable to a barrage of ransomware assaults.
This tide of increasing malware attacks against Linux systems is turning for the worse. Linux has a reputation for being among the most secure operating systems available. However, that does not make it immune to user stupidity and enterprise malfeasance.
A report published in January by Atlas VPN showed that new Linux malware threats hit record numbers in 2022. The then-50% increase raised the attack level to 1.9 million infections. More recent malware attack monitoring shows that the situation continues to get worse.
Linux malware has become increasingly prevalent as more devices and servers run on the Linux operating system. The same security risks that impact Microsoft Windows and macOS are now bearing down on Linux systems. Even the made-from-Linux ChromeOS that powers Chromebooks used in schools and enterprises worldwide has no built-in immunity to browser- and e-mail-based infiltration.
Attacks targeting Linux users are not new. Their frequencies rose and fell in the last few years based on a variety of factors. The research shows that malware on all computing platforms except Linux is declining.
What is driving this increase is the focus cybercriminals now place on Linux in business and industry, according to Joao Correia, technical evangelist for TuxCare, an automated patching service for Linux. With the current trend of increasing Linux malware attacks, he observed that Linux users — both for business and personal computing — pose ongoing challenges.
Earlier consensus is no longer valid that Linux attacks are aimed only at servers. All Linux users are in the crosshairs, he warned.
“It’s all about the data. We changed how we value data,” Correia told LinuxInsider. “Nowadays, data is much more valuable because we can use it to feed artificial intelligence.”
Killer Factors at Fault
Correia sees an inability in enterprise IT circles to install patches regularly and quickly as a source for Linux system intrusions. The inherent financial rewards from stolen data and ransomware payments are a magnet for attackers targeting Linux specifically.
One recurring business practice company executives impose on IT workers is to delay taking servers and workstations offline to conduct essential system patching. Computer downtime for security maintenance must be scheduled — often weeks — in advance to accommodate a business peak.
“You don’t know how long you have been vulnerable to an attack. So, you need to close that security gap as soon as you are aware of it. Taking five or six weeks to patch those types of vulnerabilities is just a godsend for malware writers,” Correia explained.
That just lets breached systems be read or open for the taking. That is a terrible position to be in, especially when you are not patching because you do not have the authorization to take down your system.
“This happens a lot in the enterprise,” he added.
Start with the basics by keeping systems up to date. If you take a few months to patch a vulnerability, that does not cut it. You are giving way too much time for that vulnerability to be exploited,” he cautioned.
For instance, it has been almost two years since the Log4j disclosure. There are still systems vulnerable to it because businesses take too long to do patches, he offered.
Worker Carelessness Has Consequences
Unaware and poorly trained workers are also major contributing factors in the rise of Linux malware assaults. To prove his point, Correia referred to a recent LastPass breach.
That intrusion happened precisely because an IT worker accessed company systems from a home workstation that ran unpatched software. Not only was the IT worker’s home system breached, but so were LastPass servers as a result.
“So, if you put all this together, you need to move the data to a central location. You need to have computers audited and properly secured, and your servers need to be accessed from different types of operating systems safely,” Correia said.
Cybersecurity experts give the impression that everybody always follows the best practices, whatever that means. They often make it appear that everybody is just doing everything correctly, he offered, adding that such a scenario seldom exists.
“In the real world, most companies are struggling with just the basics. Companies will have one or two IT guys that get called in when the website goes down, when an email is suspicious, or something like that. They do not have dedicated security teams. They do not have best practices in place, and disaster recovery plans, and all of that,” he noted.
Going Beyond the Linux Security Surface: Q&A
LinuxInsider asked Joao Correia to discuss the rising incidents of Linux malware in more detail.
His insights suggest the complexities of dealing with a multi-platform computing world. Having been a sysadmin for many years, he understands why people do not or cannot patch every day. They simply cannot take down systems without stakeholders getting angry and then looking at it as if it were just the cost and not the benefit for the company.
Regardless, despite its built-in defenses out-of-the-box, the Linux OS cannot be ignored.
LinuxInsider: How can enterprise Linux users better harden the operating system?
Joao Correia: Covering the basics means you must patch more efficiently. You cannot rely on the same practices that you were doing 20 years ago when you had a fraction of the vulnerabilities that we have today — and you have to be faster in those types of things.
You need to change the way that you patch. If you struggle to patch your systems because of the disruption it causes, then you need to look at different ways to do that. That is the absolute bare minimum basic thing that you could do to improve security.
How Effective is live patching?
Correia: It is one of the things that we do here at TuxCare. It provides kernel care. But it is a way to keep your systems up to date without disruption, so you don’t have to make systems have to reboot. You do not have to restart services, and you still get the updated version of the software you use.
Why are more enterprises not doing that?
Correia: Because it is a very new technology, and companies are very bad at changing their processes. They are still patching like 20 years ago when we had big servers that were monolithic, and virtualization did not exist.
The IT security landscape today is very different than it was even a few years ago. You need to adapt how you do things to be able to just survive in it.
We’re not getting into all the other advanced firewalls, tools, and vulnerability scanners that come after this. This is just covering your bases by running up-to-date software that you use. Because at the end of the day, when malicious actors are creating malware, ransomware, and viruses, they look for an easy way to enter a system. So, if you patch all the other ones but leave one open, that is where they will come through.
Is the attack surface on enterprise Linux more vulnerable than for off-site or personal Linux users?
Correia: The attack surface is exactly the same. You are running the same Linux kernel and probably running the same versions of the software that are present on enterprise computers. The only difference is a lack of all the other security measures probably in place on the enterprise network, like application firewalls and traffic analysis.
But on the other hand, you probably do not have as much valuable data on your systems at home. So even though you might be less secure, you are also less of an appetizer for a malicious threat actor because they will be able to extract less value from you.
What about the security status of Chromebooks, which run ChromeOS based on Linux?
Correia: Google added some special sauce to Chromebooks that boosts security, such as sandboxing of processes, separating roles for user accounts, and a secure boot process. You can replicate all of that on Linux. So, you can get the Linux system that uses the same types of security mechanisms present in ChromeOS. You can also add equivalent open-source tools on Linux that achieve the same degree of security.
What can Linux users not proficient in IT do to secure further how they use the Linux operating system?
Correia: It might not come out of the box. It might require you to do some tinkering to get there. But with all of the core functionality that exists on one side, you can do it on the other side.
You can do it basically on any Linux distribution and just install the applications you need for your particular distribution. There is nothing magical about ChromeOS per se. It might not come with those settings configured, but you can get the same level of security needed to achieve that on a regular Linux box.
You stressed the need for enterprise Linux to adhere to security basics. What should regular Linux users consider as their basics?
Correia: Do things like keeping your system up to date. If you have a notice that updates are pending, do those updates immediately. More often than not, they will include important security updates.
Most Linux distributions today come with a secure set of defaults. It might not be the government-spec level of security, but you will have some default security built in that will be enough as long as you keep your system up to date.
Non-business Linux users will still sometimes have to restart their systems to implement the updates. Do not wait for the next time you turn on the computer. Take the updates as soon as they are available.
Prioritize Security, Regardless of the Platform
As the technological landscape evolves, so too does the realm of cybersecurity threats. While Linux has long been considered a secure operating system, the surge in malware attacks against it underscores the need for constant vigilance. Both enterprise and personal users face increasingly complex challenges they cannot ignore.
Patching remains a critical line of defense. But as Joao Correia points out, the security basics also need a fresh look. The challenges lie not just in new kinds of threats but also in outdated security practices that no longer serve their purpose in a changing environment.
From individual employees’ responsibility to corporate IT departments, addressing Linux security is a multi-faceted challenge. It’s not just about implementing advanced firewalls and vulnerability scanners; it’s about creating a culture of security that adapts to new threats as they emerge.
Ultimately, the key takeaway is clear: No operating system is invincible, and it’s crucial for Linux users — whether running enterprise servers or personal laptops — to stay informed, be proactive, and prioritize security as an ongoing process rather than a one-time setup.