Outdated Linux Versions, Misconfigurations Triggering Cloud Attacks: Report

The “Linux Threat Report 2021 1H” from Trend Micro found that Linux cloud operating systems are heavily targeted for cyberattacks, with nearly 13 million detections in the first half of this year. As organizations expand their footprint in the cloud, correspondingly, they are exposed to the pervasive threats that exist in the Linux landscape.

This latest threat report, released Aug. 23, provides an in-depth look at the Linux threat landscape. It discusses several pressing security issues that affect Linux running in the cloud.

Among the key findings: Linux is powerful, universal, and dependable, but not devoid of flaws, the researchers write; like any other operating system, it remains susceptible to attack.

Linux in the cloud powers most infrastructures, and Linux users make up the majority of the Trend Micro Cloud One enterprise customer base at 61 percent, compared to 39 percent Windows users.

The data comes from the Trend Micro Smart Protection Network (SPN), the data reservoir for detections across all of Trend Micro’s products. The results show enterprise Linux at considerable risk from system configuration mistakes and outdated Linux distributions.

For instance, data from the internet scan engine Censys.io returned nearly 14 million results for exposed devices running some form of Linux operating system on July 6, 2021. A Shodan search for port 22, the port commonly used for the Secure Shell Protocol (SSH) on Linux-based machines, showed almost 19 million exposed devices as of July 27, 2021.

As with any operating system, Linux security depends entirely on how the system is used, configured, and managed. Each new Linux release tries to improve security, but to get the value you must enable and configure it correctly, cautioned Joseph Carson, chief security scientist and advisory CISO at Thycotic.

“The state of Linux security today is rather good and has evolved in a positive way, with much more visibility and security features built-in. Nevertheless, like many operating systems, you must install, configure, and manage it with security in mind — as how cybercriminals take advantage is the human touch,” he told LinuxInsider.
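The exposure counts above come from port 22 scans, and Carson’s point is that the value of SSH’s security features depends on configuration. The following is an added example, not code from the Trend Micro report or from any vendor quoted here: a small audit of the `sshd_config` settings that matter most on an internet-facing host. It relies on two OpenSSH facts, that the first occurrence of a keyword wins and that `PasswordAuthentication` defaults to `yes` (and `PermitRootLogin` to `prohibit-password`); the two sample configurations are constructed for illustration.

```python
"""Audit the settings in an OpenSSH sshd_config that matter most for an
internet-exposed Linux host.  Added example; the sample configurations
below are constructed and do not come from any real system."""

import re

# OpenSSH defaults applied when a keyword is absent (PermitRootLogin has
# defaulted to prohibit-password since OpenSSH 7.0).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return global keyword -> value.  sshd honours the FIRST occurrence
    of a keyword, so a hardening line appended below an earlier setting
    is silently ignored; setdefault() reproduces that rule.  Parsing stops
    at the first 'Match' block (assumption: only global scope is audited)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; empty means no issue."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root may log in directly with a password")
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: open to password guessing; prefer keys")
    if get("pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication no: key-based login disabled")
    if get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: accounts without a password can log in")
    if int(get("maxauthtries")) > 6:
        findings.append("MaxAuthTries above 6: more guesses per connection than the default")
    return findings


# Constructed: a common mistake, hardening appended too late to take effect.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
# added later by an admin; ignored because the keyword already appeared above
PasswordAuthentication no
"""

# Constructed: the same host after the first-occurrence rule is respected.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "no findings")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; the duplicate-keyword trap in `WEAK_CONFIG` is the kind of mistake that leaves a host looking hardened on paper while still accepting passwords.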

Top Linux Threats

The Trend Micro Report disclosed rampant malware families within Linux systems. Unlike previous reports based on malware types, this study focused on the prevalence of Linux as an operating system and the pervasiveness of the various threats and vulnerabilities that stalk the OS.

That approach showed that the top three threat detections originated in the U.S. (almost 40 percent), Thailand (19 percent), and Singapore (14 percent).

Detections arose from systems running end-of-life versions of Linux distributions. The four expired distributions were from CentOS versions 7.4 to 7.9 (almost 44 percent), CloudLinux Server (more than 40 percent), and Ubuntu (about 7 percent).

Trend Micro tracked more than 13 million malware events flagged by its sensors. Researchers then compiled a list of the prominent threat types, consolidated from the top 10 malware families affecting Linux servers from Jan. 1 to June 30, 2021.

The top threat types found in Linux systems in the first half of 2021 are:

  • Coinminers (24.56 percent)
  • Web shell (19.92 percent)
  • Ransomware (11.56 percent)
  • Trojans (9.56 percent)
  • Others (3.15 percent)

The top four Linux distributions where the top threat types in Linux systems were found in H1-2021 are:

  • CentOS Linux (50.80 percent)
  • CloudLinux Server (31.24 percent)
  • Ubuntu Server (9.56 percent)
  • Red Hat Enterprise Linux Server (2.73 percent)

Top malware families include:

  • Coinminers (25 percent)
  • Web shells (20 percent)
  • Ransomware (12 percent)

CentOS Linux and CloudLinux Server are the distributions on which these threat types were most often found, while web application attacks are the most common attack vector.

Web Apps Top Targets

Most of the applications and workloads exposed to the internet run web applications. Web application attacks are among the most common attack vectors in Trend Micro’s telemetry, said researchers.

If launched successfully, web app attacks allow hackers to execute arbitrary scripts and compromise secrets. Web app attacks also can modify, extract, or destroy data. The research shows that 76 percent of the attacks are web-based.

The LAMP stack (Linux, Apache, MySQL, PHP) made it inexpensive and easy to create web applications. In a very real way, it democratized the internet so anyone can set up a web application, according to John Bambenek, threat intelligence advisor at Netenrich.

“The problem with that is that anyone can set up a web app. While we are still waiting for the year of Linux on the desktop, it is important for organizations to use best practices for their web presences. Typically, this means staying on top of CMS patches/updates and routine scanning with even open-source tools (like the Zed Attack Proxy) to find and remediate SQL injection vulnerabilities,” he told LinuxInsider.

The report referenced the Open Web Application Security Project (OWASP) top 10 security risks, on which injection flaws and cross-site scripting (XSS) attacks remain as prevalent as ever. What strikes Trend Micro researchers as significant is the high number of insecure deserialization vulnerabilities.

This is partly due to the ubiquity of Java and the deserialization vulnerabilities found in it, according to Trend Micro. Its report also singled out Liferay Portal, Ruby on Rails, and Red Hat JBoss deserialization vulnerabilities as prominent.

Attackers also try to exploit broken authentication to gain unauthorized access to systems. The number of command injection hits also came as a surprise, being higher than Trend Micro’s analysts expected.
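Two of the attack classes named above, injection into SQL and injection into OS commands, share one root cause: untrusted input spliced into a string that is later parsed as syntax. The following is an added example, not code from the report or from any project it names, showing each vulnerable pattern beside its hardened form. The in-memory user table, the sample file, and the inputs are constructed; the hardened command runner assumes an allow-list of plain file names, which is a design choice of this example.

```python
"""Vulnerable and hardened forms of SQL injection and OS command injection.
Added example, not from the Trend Micro report.  The users table, the sample
file and all inputs are constructed for illustration."""

import os
import re
import sqlite3
import subprocess
import tempfile


# --- SQL injection --------------------------------------------------------

def make_db():
    """In-memory table standing in for a web app's user store (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "token-a"), ("bob", "token-b")])
    return con


def lookup_vulnerable(con, name):
    """Splices untrusted input into the SQL text: a quote inside `name`
    changes the query's structure instead of being compared as data."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(query)]


def lookup_safe(con, name):
    """Parameter binding: the driver sends the value separately from the
    statement, so it is never parsed as SQL."""
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- OS command injection -------------------------------------------------

SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")   # allow-list for file names (assumption)


def count_lines_vulnerable(directory, filename):
    """shell=True hands the whole string to /bin/sh, so shell metacharacters
    in `filename` are interpreted as command-line syntax, not as a name."""
    cmd = f"wc -l {os.path.join(directory, filename)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return int(out.split()[0])


def count_lines_safe(directory, filename):
    """Validate against the allow-list and pass an argv list with no shell:
    every element reaches wc as one argument, never as syntax."""
    if not SAFE_NAME.match(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    path = os.path.join(directory, filename)
    out = subprocess.run(["wc", "-l", path], capture_output=True,
                         text=True, check=True).stdout
    return int(out.split()[0])


def is_rejected(directory, filename):
    """True if the hardened runner refuses the name before running anything."""
    try:
        count_lines_safe(directory, filename)
    except ValueError:
        return True
    return False


def make_sample_file(lines=3):
    """Create a throwaway file with `lines` lines (constructed test input)."""
    directory = tempfile.mkdtemp()
    with open(os.path.join(directory, "notes.txt"), "w") as fh:
        fh.write("line\n" * lines)
    return directory, "notes.txt"


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "alice"))           # ['alice']
    print(lookup_vulnerable(con, "x' OR '1'='1"))    # ['alice', 'bob']: whole table
    print(lookup_safe(con, "x' OR '1'='1"))          # []: treated as a literal name
    d, name = make_sample_file()
    print(count_lines_safe(d, name))                 # 3
    print(is_rejected(d, "notes.txt; id"))           # True
```

On ordinary input both variants behave identically, which is why these bugs survive code review; only the hostile input separates them, so the fix is structural (bound parameters, argv lists, allow-lists) rather than case-by-case escaping.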

Expected Trend

It is no surprise that the majority of these attacks are web-based. Every website is different, written by different developers with different skill sets, observed Shawn Smith, director of infrastructure at nVisium.

“There is a wide range of different frameworks across a multitude of languages with various components that all have their own advantages and drawbacks. Combine this with the fact that not all developers are security gurus, and you’ve got an incredibly alluring target,” he told LinuxInsider.

Web servers are one of the most common services to expose to the internet because most of the world interacts with the internet through websites. There are other areas exposed — like FTP or IRC servers — but the vast majority of the world is using websites as their main contact point to the internet.

“As a result, this is where attackers will focus to get the biggest return on investment for their time spent,” Smith said.

OSS Linked to Supply Chain Attacks

Software supply chains must be secured to deal with the Linux attack landscape as well, noted the Trend Micro report. Attackers can insert malicious code into software components from third-party suppliers. That code then connects to a command-and-control server to download and deploy backdoors and other malicious payloads within the system.

This can lead to remote code execution on an enterprise’s systems and computing resources. Supply chain attacks can also stem from misconfigurations, which are the second most common incident type in cloud-native environments, according to the Trend Micro report. More than 56 percent of its survey respondents had experienced a misconfiguration or known unpatched vulnerability incident involving their cloud-native applications.

Hackers are having an easy time. “The major attack types on web-based applications have remained constant over the recent past. That, combined with the rising time-to-fix and declining remediation rates, makes the hackers’ job easier,” said Setu Kulkarni, vice president of strategy at NTT Application Security.

Organizations need to test applications in production to identify their top three to five vulnerability types, then launch a targeted campaign to address them, rinse, and repeat, he recommended.

The “Linux Threat Report 2021 1H” is available here.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.

How To Fix the Autonomous Electric Car Demand Problem

The automotive market is moving rapidly to make and sell autonomous vehicles, but the studies I’ve seen suggest that two out of three drivers don’t want them.

I’ve seen this resistance to new technology several times over the years. In cars, we had the early voice technology that replaced idiot lights, automatic seatbelts that wrapped around your neck if you were looking out the window when you opened your door, and cars like the Pontiac Aztek that must have been created by a drunk design team.

In the autonomous car segment, we have Tesla which seems to be going out of its way to scare us away from this technology, even as it tries to get us to subscribe to it rather than buy it.

This week, let’s talk about what the industry is doing wrong with its positioning of autonomous electric cars. Then we’ll close with my product of the week, an impressive line of student focused, durable laptops from HP.

Giving Up a Privilege

One thing that should be clear to everyone this year is that a lot of people don’t like giving up a privilege, even if it is in their best interest to do so.

When people fought seatbelts in cars, they had to be mandated. When people fought helmets for motorcycle riders, they had to be mandated. Recently because of the pandemic, people fought masks and vaccines — and are still fighting them — even though they were mandated.

But people will wear hats and dress warmly in winter and use umbrellas when it rains. The trick seems to be to position the solution not as punishment, or loss of some freedom, but as a protection or comfort.

For instance, while I don’t like wearing a mask in the summer, in the winter it keeps my face warm, and I wonder why I haven’t always worn one outside in the cold. We could design masks that are more comfortable, more effective, and that look good, while also talking about mask wearing’s additional benefits like not catching colds and keeping bugs out of our mouths.

If you want to be more successful with masks, just make them a better fashion choice. That alone would make using them more attractive to many of us.

Often, we are far more responsive to carrots than sticks. That should be our approach to autonomous cars.

Chauffeur vs. Guardian

As Toyota highlighted years ago, there are two potential modes for autonomous driving: Chauffeur, which handles all the driving; and Guardian, which gives you the option of letting the car drive while protecting against the human mistakes you might otherwise make.

For instance, in Guardian mode the vehicle would see that another car was running a stoplight and stop your car, preventing a collision. It could tell that you are driving distractedly and keep your car in the lane safely; and it would detect an accident a mile ahead and, if you weren’t paying attention, act to avoid it.

In Chauffeur mode, you don’t have the option to drive. Using Guardian, you are protected from accidents that might damage your car, or harm you or those you care about.

Remember that in Guardian mode you could choose to turn off the technology, but there will be a record that you’ve done so. If you subsequently have an accident, you’ll be liable, and your insurance company won’t be pleased. If you have an accident when in Guardian mode because of another driver’s screw up, there’s a record of it, as well, and neither you nor the car manufacturer should be liable.

So, with Chauffeur, which is the option we seem to be focusing on, you lose the ability to drive. With Guardian, you become a better, safer driver, and there is even an advantage for those of us who track our cars. On a track, it can also act as an instructor, automatically teaching you how to steer clean lines around corners and how to properly hit an apex while keeping you from exceeding the car’s capabilities and crashing, which would make track day insurance far cheaper and easier to get.

Touting Electric Cars

When it comes to electric cars, we tend to focus on range limitations, the lack of a charging infrastructure and no ‘vroom’ sounds.

What we seem to forget is that decades ago when GM brought out far less capable electrics people loved them so much that they didn’t want to give them back. This was because you didn’t have to worry about bad gas, gas prices, most breakdowns, or forgetting to fill up (because your car is charged in your own garage when you park it for the night).

Yes, they still suck for long-distance drives, but that is changing. How many of us take long drives in our cars anymore?

Electric cars generally work a ton better when traction is iffy because you can apply torque more evenly (mine is like a tank in the snow), and the same is true off-road. Although they aren’t great on a road track due to range and weight issues, they are awesome on a drag strip, yet everyone and their brother seems to want to showcase them on road tracks. There are a few Tesla drivers who regularly embarrass ICE cars that were built for drag strips.

So, the trick to selling electric cars is to promote their benefits and target audiences that will make the best use of them, like people with garages they can charge in, those that have short commutes, and folks that need the unique benefits that EVs can provide.

Electrics make a ton more sense as a pickup truck than almost any other configuration, given how people drive those. That’s something Rivian seemed to understand but Tesla didn’t.

2022 Rivian R1T (Credit: Rivian)

Wrapping Up

Autonomous cars will save lives, electric cars will help save the planet, but neither will meet expectations if they aren’t showcased as a benefit rather than a punishment.

Driving an electric to help save our environment sounds like a punishment, while buying one because it will be a far better vehicle to drive sounds like a reward.

Getting an autonomous vehicle that prevents you from driving sounds like a punishment, while getting one that keeps you, your spouse, and kids safer while allowing you to smile and wave at the gas stations you no longer need is a privilege.

Autonomous electric cars won’t be for everyone for a few years yet. But if the industry doesn’t start focusing on the advantages rather than the shortcomings, the related sales won’t meet expectations and we won’t see the benefits to the planet or reduced traffic fatalities that will result from having them at scale very quickly.

This isn’t a technology problem. It’s a marketing problem. If the industry doesn’t figure this out, it will become our problem, regardless.

Rob Enderle's Technology Product of the Week

HP Fortis Laptops for the Education Sector

This week, my product of the week isn’t one product but a new line of PCs for the education market.

What makes this line unique is that it is hardened. It reminds me of a project that came out around 20 years ago called StudyPro. This was a joint effort between Intel and Microsoft in the late 1990s, before Wi-Fi, and they rolled out a lot of them as a trial. That laptop used diffuse IR for connectivity. It was a seven-pound titanium product that the presenter tossed across the stage and jumped on to showcase its durability. Obviously, it was built to survive kids.

I remember commenting at the time that there were a few sales reps who were particularly hard on laptops I’d like to see get one. Finally, it was connected to remote service (this was long before the cloud) to provide centralized management.

Since then, it often seemed like the OEMs, instead of promoting hardened products for kids, built cheap products that didn’t hold up in schools and were problematic to support. Well, that just changed.

HP last week announced a new line of laptops for kids called Fortis. These are durable laptops that remind me of that old StudyPro, but they come with up-to-date technology and are designed for the kind of grief and creativity that kids can provide.

HP ProBook Fortis 14″ Windows laptop (Credit: HP)

The G9 lines are for grade school, while the G10s are for older students that will need more power. However, I can imagine several scenarios where adults might prefer these for their own PCs because kids often borrow their parents’ laptops.

A flexible 360-degree hinge on the HP Pro x360 Fortis 11″ G9 and HP Pro x360 Fortis 11″ G10 lets students learn in interactive and personalized ways. (Credit: HP)

For kids who need more screen space than low weight or portability, there are the 14-inch products. For those who want more portability than screen size, the 11-inch products are a good fit. There’s even an 11-inch G9 Chromebook for those working in Google-centric schools.

The 11″ G9 Q Chromebook is HP’s thinnest and lightest Fortis device. (Credit: HP)

Kids are hard on technology, so in my view laptops for kids should be some of the most robust laptops made. HP stepped up with these durable devices for blended learning environments — and its Fortis line is my product(s) of the week.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of ECT News Network.

Rob Enderle has been an ECT News Network columnist since 2003. His areas of interest include AI, autonomous driving, drones, personal technology, emerging technology, regulation, litigation, M&E, and technology in politics. He has an MBA in human resources, marketing and computer science. He is also a certified management accountant. Enderle currently is president and principal analyst of the Enderle Group, a consultancy that serves the technology industry. He formerly served as a senior research fellow at Giga Information Group and Forrester.
