Outdated Linux Versions, Misconfigurations Triggering Cloud Attacks: Report

The “Linux Threat Report 2021 1H” from Trend Micro found that Linux cloud operating systems are heavily targeted for cyberattacks, with nearly 13 million detections in the first half of this year. As organizations expand their footprint in the cloud, correspondingly, they are exposed to the pervasive threats that exist in the Linux landscape.

This latest threat report, released Aug. 23, provides an in-depth look at the Linux threat landscape. It discusses several pressing security issues that affect Linux running in the cloud.

According to the researchers, the key findings show that Linux is powerful, universal, and dependable, but not free of flaws; like any other operating system, it remains susceptible to attacks.

Linux in the cloud powers most infrastructures, and Linux users make up the majority of the Trend Micro Cloud One enterprise customer base at 61 percent, compared to 39 percent Windows users.

The data comes from the Trend Micro Smart Protection Network (SPN) or the data reservoir for all detections across all Trend Micro’s products. The results show enterprise Linux at considerable risk from system configuration mistakes and outdated Linux distributions.

For instance, data from the internet scan engine Censys.io returned nearly 14 million results for exposed devices running some form of Linux on July 6, 2021. A Shodan search for port 22, the port commonly used for the Secure Shell Protocol (SSH) on Linux-based machines, showed almost 19 million exposed devices as of July 27, 2021.

As with any operating system, security depends entirely on how you use, configure, and manage it. Each new Linux update tries to improve security, but to get that value you must enable and configure the new protections correctly, cautioned Joseph Carson, chief security scientist and advisory CISO at Thycotic.

“The state of Linux security today is rather good and has evolved in a positive way, with much more visibility and security features built-in. Nevertheless, like many operating systems, you must install, configure, and manage it with security in mind — as how cybercriminals take advantage is the human touch,” he told LinuxInsider.
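Carson's point, that the value of a hardened default only appears when the service is actually configured that way, is easy to check for the service the report singles out: SSH on port 22. The following is an added example, not code from the report or the article. It parses an OpenSSH sshd_config in the way sshd itself reads it (first occurrence of a directive wins, Match blocks apply only to matching clients) and compares the effective values against a small policy for internet-facing hosts. The two sample configs are constructed; the directive names are real OpenSSH keywords, and the fallback defaults are upstream OpenSSH defaults, which a distribution's packaged config may override.

```python
"""Audit an sshd_config text for settings that weaken an internet-exposed SSH service.

Added example (not from the Trend Micro report). Sample configs below are constructed.
"""
from __future__ import annotations

# Upstream OpenSSH defaults used when a directive is absent. Distro-packaged
# configs (and cloud-init on cloud images) may set different values explicitly.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Example policy for an internet-facing host: allowed values per directive.
# Directive names are lowercased because sshd_config keywords are case-insensitive.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}
MAX_AUTH_TRIES_LIMIT = 4  # example threshold, not an OpenSSH constant


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global value of each directive.

    sshd honours the first occurrence of a directive, so later duplicates are
    ignored. Everything after a 'Match' line applies only to matching users or
    hosts and is skipped here; per-Match evaluation is outside this example.
    """
    settings: dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text: str) -> list[str]:
    """Return one finding per directive whose effective value violates the policy."""
    cfg = parse_sshd_config(text)
    findings: list[str] = []
    for key, allowed in EXPECTED.items():
        value = cfg.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            findings.append(f"{key} is '{value}'; expected one of {sorted(allowed)}")
    tries = int(cfg.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES_LIMIT:
        findings.append(f"maxauthtries is {tries}; lower it to {MAX_AUTH_TRIES_LIMIT} or less")
    return findings


# Constructed sample: a permissive config of the kind found on exposed hosts.
SAMPLE_WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
"""

# Constructed sample: the same host after the settings are tightened.
SAMPLE_HARDENED = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"[{label}] {len(audit(sample))} finding(s)")
        for f in audit(sample):
            print("  -", f)
```

The Match block in the hardened sample is deliberately left out of the global verdict: a Match-scoped `PasswordAuthentication yes` is a separate finding that needs the match criteria to judge, which is why the parser records where global scope ends rather than silently merging those lines.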

Top Linux Threats

The Trend Micro Report disclosed rampant malware families within Linux systems. Unlike previous reports based on malware types, this study focused on the prevalence of Linux as an operating system and the pervasiveness of the various threats and vulnerabilities that stalk the OS.

That approach showed that the top three threat detections originated in the U.S. (almost 40 percent), Thailand (19 percent), and Singapore (14 percent).

Detections arose from systems running end-of-life versions of Linux distributions. The four expired distributions were from CentOS versions 7.4 to 7.9 (almost 44 percent), CloudLinux Server (more than 40 percent), and Ubuntu (about 7 percent).

Trend Micro tracked more than 13 million malware events flagged from its sensors. Researchers then cultivated a list of the prominent threat types consolidated from the top 10 malware families affecting Linux servers from Jan. 1 to June 30, 2021.

The top threat types found in Linux systems in the first half of 2021 are:

  • Coinminers (24.56 percent)
  • Web shell (19.92 percent)
  • Ransomware (11.56 percent)
  • Trojans (9.56 percent)
  • Others (3.15 percent)

The top four Linux distributions where the top threat types in Linux systems were found in H1-2021 are:

  • CentOS Linux (50.80 percent)
  • CloudLinux Server (31.24 percent)
  • Ubuntu Server (9.56 percent)
  • Red Hat Enterprise Linux Server (2.73 percent)

Top malware families include:

  • Coinminers (25 percent)
  • Web shells (20 percent)
  • Ransomware (12 percent)

CentOS Linux and CloudLinux Server are the distributions in which those threat types were most often found, while web application attacks are the most common attack vector.

Web Apps Top Targets

Most of the applications and workloads exposed to the internet run web applications. Web application attacks are among the most common attack vectors in Trend Micro’s telemetry, said researchers.

If launched successfully, web app attacks allow hackers to execute arbitrary scripts and compromise secrets. Web app attacks also can modify, extract, or destroy data. The research shows that 76 percent of the attacks are web-based.

The LAMP stack (Linux, Apache, MySQL, PHP) made it inexpensive and easy to create web applications. In a very real way, it democratized the internet so anyone can set up a web application, according to John Bambenek, threat intelligence advisor at Netenrich.

“The problem with that is that anyone can set up a web app. While we are still waiting for the year of Linux on the desktop, it is important for organizations to use best practices for their web presences. Typically, this means staying on top of CMS patches/updates and routine scanning with even open-source tools (like the Zed Attack Proxy) to find and remediate SQL injection vulnerabilities,” he told LinuxInsider.

The report referenced the Open Web Application Security Project (OWASP) top 10 security risks, in which injection flaws and cross-site scripting (XSS) attacks remain as prominent as ever. What struck Trend Micro researchers as significant is the high number of insecure deserialization vulnerabilities.

This is partly due to the ubiquity of Java and the deserialization vulnerabilities in it, according to Trend Micro. Its report also noted the Liferay Portal, Ruby on Rails, and Red Hat JBoss deserialization vulnerabilities as prominent.

Attackers also try to exploit broken authentication to gain unauthorized access to systems. The number of command injection hits was also a surprise, being higher than Trend Micro’s analysts expected.

Expected Trend

It is no surprise that the majority of these attacks are web-based. Every website is different, written by different developers with different skill sets, observed Shawn Smith, director of infrastructure at nVisium.

“There is a wide range of different frameworks across a multitude of languages with various components that all have their own advantages and drawbacks. Combine this with the fact that not all developers are security gurus, and you’ve got an incredibly alluring target,” he told LinuxInsider.

Web servers are one of the most common services to expose to the internet because most of the world interacts with the internet through websites. There are other areas exposed — like FTP or IRC servers — but the vast majority of the world is using websites as their main contact point to the internet.

“As a result, this is where attackers will focus to get the biggest return on investment for their time spent,” Smith said.

OSS Linked to Supply Chain Attacks

Software supply chains must be secured to deal with the Linux attack landscape as well, noted the Trend Micro report. Attackers can insert malicious code to compromise software components of third-party suppliers. That code then connects to a command-and-control server to download and deploy backdoors and other malicious payloads within the system.

This can lead to remote code execution on an enterprise’s systems and computing resources. Supply chain attacks can also stem from misconfigurations, which are the second most common incident type in cloud-native environments, according to the Trend Micro report. More than 56 percent of its survey respondents had a misconfiguration or known unpatched vulnerability incident involving their cloud-native applications.

Hackers are having an easy time. “The major attack types on web-based applications have remained constant over the recent past. That, combined with the rising time-to-fix and declining remediation rates, makes the hackers’ job easier,” said Setu Kulkarni, vice president of strategy at NTT Application Security.

Organizations need to test applications in production, figuring out what their top three-to-five vulnerability types are. Then launch a targeted campaign to address them, rinse, and repeat, he recommended.

The “Linux Threat Report 2021 1H” is available here.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.


Open-Source Code a Marginal Problem, Managing It the Key Challenge: Report


Businesses using open-source code — which is embedded in a large majority of enterprise-grade software — need a full-scale inventory of its existence. That is missing in many corporate IT records.

Without a detailed accounting of open-source code running within their software, companies have no way to monitor software policies, licenses, vulnerabilities, and versions. That means IT departments are clueless about the overall health of the open-source components they use.

At issue is that many enterprises are sure they do not use open source, so they do not have to worry about keeping security patches and code upgrades current. That misconception usually results in network breaches leading to malware and ransomware attacks.

The 2022 Synopsys Open Source Security and Risk Analysis (OSSRA) Report released last month showed an all-time high in open source code running in software. The problem of using open source has been growing consistently year after year.

Open-source code is prevalent in software packages from business applications to network and server processes. Unless enterprises make a concerted effort to catalog and monitor how their organizations use open-source snippets, even known vulnerabilities go unattended.

Fixing the problems the report highlights is a question of ownership, according to Tim Mackey, principal security strategist at Synopsys SIG.

The results suggest a tacit realization that the software powering businesses might not be under their managers’ control. It also signals that the open-source code in commercial products may not meet the standards to which they hold their own teams accountable.

“Given the OSSRA source data comes from technical due-diligence efforts related to mergers and acquisitions activity, and not a survey, the OSSRA report is a reflection of the current state of software usage and not the opinion of what it might be,” Mackey told LinuxInsider.

Harsh Truths Revealed

The 2022 OSSRA report audited anonymized findings from over 2,400 commercial codebases across 17 industries. The summary results in this graphic are a wake-up call to corporate IT overseers.

2022 Open Source Security and Risk Analysis Summary

Source: 2022 Open Source Security and Risk Analysis Report (Credit: Synopsys)


The report serves as a crisis warning, especially in light of the ongoing impact of the Log4J vulnerability that appeared late last year.

Of the 2,400 commercial codebases across 17 industries, 2,097 contained security and operational risk assessments. The number of codebases Synopsys audited grew 64 percent over last year’s. Much of that increase resulted from mergers and acquisitions throughout 2021.

The security threats resulting from Log4j were a significant reason President Biden late last year pushed his Executive Order on Cybersecurity, noted Mackey.

It was also key for the OSSRA report to motivate corporate chief information security officers, vice presidents of engineering, and chief technical officers to analyze their open-source software usage and see how well the OSSRA data maps to their own processes and governance.

“The OSSRA report has consistently highlighted that the problem with open source is not within the open-source code itself, but in how people use it,” he added. “Freely downloadable code is wonderful for the pocketbook, but that does not mean it can be managed using the same processes as you might find for commercial software.”

SBOM No Universal Fix

A key tenet of the OSSRA report is that risks stem from unmanaged use of open source. The report concludes that the problem lies in the lack of open-source management, not in open source itself.

Open source now is the foundation of commercial software, noted researchers. It is found in 97 percent of commercial software. Despite its universal use, the misperception that open source is somehow inherently dangerous persists.

Unlike Microsoft and Apple products, where software vendors can proactively push updates and patches to known users, open source has no such vendor to handle risk management issues, observed Mackey.

“Existing patch management solutions are often geared toward an update model,” he added. “Software that is freely downloadable means the software producer does not know who its customers are or even if they are using the software they downloaded.”

The patching process and its assumptions get lost when people focus on topics like Software Bill of Materials (SBOM) being a silver bullet for open-source management, according to Mackey. Fixing the problem requires going beyond SBOM.

SBOM is simply a tool to improve processes that were designed for a different type of software consumption, he said. In addition, industries need to focus on identifying and monitoring open-source components in the commercial software they use. That is what has to happen to correct what the OSSRA report indicates are problems, said Mackey.

Fixing What’s Fixable

Avoiding obsolete open-source components requires companies to adopt a process for monitoring when their components become out of date. But it is not just a matter of explicitly declaring dependencies or selecting approved suppliers. Mackey sees the problem as more deeply rooted in the supply chain.

“The Log4Shell experience is a perfect example of a foundational component that few knew existed. But once Log4j became front of mind due to the impact of the Log4Shell vulnerability, [it] forced teams to rush and figure out how to best manage it,” he pointed out.

That is what enterprise users of commercial software must do: inventory the open-source components that are present, then establish and carry out monitoring, patching, and updating.
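The inventory-then-monitor procedure described above, and Mackey's remark that an SBOM is only a tool feeding that process, can be shown end to end. The following is an added example, not code from Synopsys or the OSSRA report. It reads the components of a CycloneDX-style JSON SBOM (including nested, transitive components), then matches each one against an advisory feed by group:name coordinates and an affected version range. The SBOM document, the advisory entries, their ids and their version ranges are all constructed placeholders for illustration, not real vulnerability data; a real run would take the SBOM from a build tool and the advisories from a vulnerability database.

```python
"""Inventory open-source components from a CycloneDX-style SBOM and flag those that
an advisory feed says need updating.

Added example (not from the OSSRA report). SBOM and advisories below are constructed;
advisory ids and version ranges are placeholders, not real vulnerability data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str

    @property
    def coordinates(self) -> str:
        """'group:name' form used to match advisories (name alone if no group)."""
        return f"{self.group}:{self.name}" if self.group else self.name


def version_key(version: str) -> tuple:
    """Sortable key for dotted versions: numeric parts compare as integers
    (so 2.9 < 2.10), and a '-pre' suffix sorts before the plain release."""
    main, _, pre = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    return (nums, 0 if pre else 1, pre)


def load_sbom(text: str) -> list[Component]:
    """Flatten the 'components' array of a CycloneDX JSON document, descending into
    nested components so transitive dependencies are inventoried as well."""
    doc = json.loads(text)
    found: list[Component] = []

    def walk(items: list[dict]) -> None:
        for item in items:
            found.append(Component(item.get("group", ""), item["name"], item.get("version", "")))
            walk(item.get("components", []))

    walk(doc.get("components", []))
    return found


def find_affected(components: list[Component], advisories: list[dict]) -> list[tuple[Component, dict]]:
    """Return (component, advisory) pairs where the installed version lies in the
    advisory's affected range [introduced, fixed_in)."""
    by_coord: dict[str, list[dict]] = {}
    for adv in advisories:
        by_coord.setdefault(adv["coordinates"], []).append(adv)
    hits = []
    for comp in components:
        v = version_key(comp.version)
        for adv in by_coord.get(comp.coordinates, []):
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed_in"]):
                hits.append((comp, adv))
    return hits


# Constructed SBOM: one direct dependency carries a nested (transitive) component.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "com.example", "name": "webapp-commons", "version": "3.1.0",
         "components": [
             {"type": "library", "group": "org.yaml", "name": "snakeyaml", "version": "1.30"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.17.1"},
    ],
})

# Constructed advisory feed: ids and ranges are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "coordinates": "org.apache.logging.log4j:log4j-core",
     "introduced": "2.0", "fixed_in": "2.17.1"},
    {"id": "EXAMPLE-ADV-0002", "coordinates": "org.yaml:snakeyaml",
     "introduced": "1.0", "fixed_in": "1.31"},
]

if __name__ == "__main__":
    inventory = load_sbom(SAMPLE_SBOM)
    print(f"{len(inventory)} components inventoried")
    for comp, adv in find_affected(inventory, SAMPLE_ADVISORIES):
        print(f"UPDATE {comp.coordinates} {comp.version}: {adv['id']} fixed in {adv['fixed_in']}")
```

The inventory step is deliberately separate from the matching step: the same flattened component list can be re-checked every time the advisory feed changes, which is the "monitoring" half of the procedure, without rebuilding the SBOM.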

“Whatever processes those teams used to successfully manage their Log4j experience at scale should be applied to other components. In other words, use the Log4j experience to build a more scalable solution for your organization,” urged Mackey.
