Outdated Linux Versions, Misconfigurations Triggering Cloud Attacks: Report

The “Linux Threat Report 2021 1H” from Trend Micro found that Linux cloud operating systems are heavily targeted for cyberattacks, with nearly 13 million detections in the first half of this year. As organizations expand their footprint in the cloud, they are correspondingly exposed to the pervasive threats that exist in the Linux landscape.

This latest threat report, released Aug. 23, provides an in-depth look at the Linux threat landscape. It discusses several pressing security issues that affect Linux running in the cloud.

Key findings, according to the researchers, include that Linux is powerful, universal, and dependable, but not devoid of flaws: like any other operating system, it remains susceptible to attack.

Linux in the cloud powers most infrastructures, and Linux users make up the majority of the Trend Micro Cloud One enterprise customer base at 61 percent, compared to 39 percent Windows users.

The data comes from the Trend Micro Smart Protection Network (SPN), the data reservoir for detections across all of Trend Micro’s products. The results show enterprise Linux at considerable risk from system configuration mistakes and outdated Linux distributions.

For instance, data from the internet scan engine Censys.io revealed nearly 14 million results for exposed devices running some form of Linux on July 6, 2021. A Shodan search for port 22, the port commonly used for the Secure Shell Protocol (SSH) on Linux-based machines, showed almost 19 million exposed devices as of July 27, 2021.

As with any operating system, security depends entirely on how you use, configure, and manage it. Each new Linux release tries to improve security, but to get the value you must enable and configure those features correctly, cautioned Joseph Carson, chief security scientist and advisory CISO at Thycotic.

“The state of Linux security today is rather good and has evolved in a positive way, with much more visibility and security features built-in. Nevertheless, like many operating systems, you must install, configure, and manage it with security in mind — as how cybercriminals take advantage is the human touch,” he told LinuxInsider.
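The exposure numbers above (port 22 reachable on nearly 19 million hosts) and Carson’s point about configuration meet in one file, sshd_config. The audit below is an added example for this article, not a Trend Micro or Thycotic tool: it parses an sshd_config the way sshd resolves it (the first occurrence of a directive wins, and anything after a Match line is conditional) and reports directives that diverge from a baseline. The directive names are real OpenSSH keywords; the baseline values, the fallback defaults (upstream OpenSSH 7.0 and later) and both sample configs are the author’s assumptions and constructed input.

```python
"""Audit an sshd_config for the settings that matter once port 22 faces the
internet.  Added example for this article, not from the Trend Micro report:
the directive names are real OpenSSH keywords; the baseline values and the
fallback defaults (upstream OpenSSH 7.0+) are the author's assumptions.
The two config files at the bottom are constructed samples."""
import re

# directive (lower-cased) -> (accepted values, why it matters)
BASELINE = {
    "permitrootlogin": ({"no", "prohibit-password"}, "root must not authenticate with a password"),
    "passwordauthentication": ({"no"}, "password logins are what brute-force bots hammer; use keys"),
    "permitemptypasswords": ({"no"}, "empty passwords must never be accepted"),
    "x11forwarding": ({"no"}, "rarely needed on a server; widens the attack surface"),
    "maxauthtries": (None, "cap guesses per connection (<= 4 assumed here)"),
}
# Value sshd uses when the directive is absent (assumption: upstream defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}
# "Keyword value" or "Keyword=value", as sshd_config(5) allows.
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section only.
    First occurrence of a keyword wins, as in sshd; parsing stops at the
    first Match line because everything after it is conditional."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the baseline holds."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (accepted, why) in BASELINE.items():
        origin = "set" if key in cfg else "default"
        value = cfg.get(key, DEFAULTS[key]).lower()
        if key == "maxauthtries":
            bad = not value.isdigit() or int(value) > 4
        else:
            bad = value not in accepted
        if bad:
            findings.append(f"{key}={value} ({origin}): {why}")
    return findings


# Constructed sample: what a stock cloud image might ship.  The Match block
# tightens one user but leaves the global password setting wide open.
EXPOSED_HOST = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""
# Constructed sample: the same host after hardening.
HARDENED_HOST = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    try:
        text = open(path).read()
    except OSError:
        text = EXPOSED_HOST  # fall back to the constructed sample
    for finding in audit_sshd_config(text) or ["baseline holds"]:
        print(finding)
```

On a real host, `sshd -T` prints the fully resolved configuration (defaults and Match handling included) and is the more authoritative input for a check like this than the raw file.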

Top Linux Threats

The Trend Micro Report disclosed rampant malware families within Linux systems. Unlike previous reports based on malware types, this study focused on the prevalence of Linux as an operating system and the pervasiveness of the various threats and vulnerabilities that stalk the OS.

That approach showed that the top three countries for threat detections were the U.S. (almost 40 percent), Thailand (19 percent), and Singapore (14 percent).

Detections arose from systems running end-of-life versions of Linux distributions. The expired distributions listed were CentOS versions 7.4 to 7.9 (almost 44 percent), CloudLinux Server (more than 40 percent), and Ubuntu (about 7 percent).
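A host on an expired distribution no longer receives vendor patches, so the first check on any cloud image is its lifecycle status. The script below is an added example for this article, not part of the Trend Micro report: it reads the ID and VERSION_ID fields of /etc/os-release and compares them against a small end-of-life table. That table is illustrative and an assumption (CentOS 6/7/8 and Ubuntu 16.04/18.04 dates as published by the vendors, as of mid-2021), the os-release texts are constructed, and the reference date is the end of the report period.

```python
"""Decide from /etc/os-release whether a host's distribution is past
end-of-life, the condition behind most of the report's detections.
Added example for this article, not a Trend Micro tool.  The EOL table is
illustrative and an assumption as of mid-2021; keep it in step with the
vendors' lifecycle pages.  The os-release texts below are constructed."""
from datetime import date

# (ID, VERSION_ID or its major prefix) -> last day of standard support.
EOL = {
    ("centos", "6"): date(2020, 11, 30),
    ("centos", "7"): date(2024, 6, 30),
    ("centos", "8"): date(2021, 12, 31),
    ("ubuntu", "16.04"): date(2021, 4, 30),
    ("ubuntu", "18.04"): date(2023, 5, 31),
}
# End of the report period (Jan 1 - Jun 30, 2021), used as the reference day.
REPORT_DATE = date(2021, 7, 1)


def parse_os_release(text):
    """KEY=VALUE pairs; values may be single- or double-quoted."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        info[key.strip()] = value.strip().strip("\"'")
    return info


def lifecycle_status(os_release_text, today):
    """Return (distro, version, status, eol_date).  status is 'eol',
    'supported', or 'unknown' when the release is not in the table
    (unknown is a finding too: nobody has asserted it is supported)."""
    info = parse_os_release(os_release_text)
    distro = info.get("ID", "").lower()
    version = info.get("VERSION_ID", "")
    for (dist, prefix), eol in EOL.items():
        if distro == dist and (version == prefix or version.startswith(prefix + ".")):
            return distro, version, ("eol" if today > eol else "supported"), eol
    return distro, version, "unknown", None


def is_eol(os_release_text, today=None):
    return lifecycle_status(os_release_text, today or date.today())[2] == "eol"


# Constructed samples in the real file's layout.
CENTOS7 = 'NAME="CentOS Linux"\nVERSION="7 (Core)"\nID="centos"\nVERSION_ID="7"\n'
UBUNTU1604 = ('NAME="Ubuntu"\nVERSION="16.04.7 LTS (Xenial Xerus)"\n'
              'ID=ubuntu\nID_LIKE=debian\nVERSION_ID="16.04"\n')
ALPINE = 'NAME="Alpine Linux"\nID=alpine\nVERSION_ID=3.14.0\n'

if __name__ == "__main__":
    try:
        text = open("/etc/os-release").read()
    except OSError:
        text = UBUNTU1604  # fall back to the constructed sample
    print(lifecycle_status(text, date.today()))
```

Note that CentOS 7 carries only the major version in os-release; the point release the report keys on (7.4 through 7.9) lives in /etc/centos-release, so a stricter check would parse that file as well.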

Trend Micro tracked more than 13 million malware events flagged by its sensors. Researchers then compiled a list of the prominent threat types, consolidated from the top 10 malware families affecting Linux servers from Jan. 1 to June 30, 2021.

The top threat types found in Linux systems in the first half of 2021 are:

  • Coinminers (24.56 percent)
  • Web shell (19.92 percent)
  • Ransomware (11.56 percent)
  • Trojans (9.56 percent)
  • Others (3.15 percent)

The top four Linux distributions where the top threat types in Linux systems were found in H1-2021 are:

  • CentOS Linux (50.80 percent)
  • CloudLinux Server (31.24 percent)
  • Ubuntu Server (9.56 percent)
  • Red Hat Enterprise Linux Server (2.73 percent)

Top malware families include:

  • Coinminers (25 percent)
  • Web shells (20 percent)
  • Ransomware (12 percent)

CentOS Linux and CloudLinux Server are the distributions in which those threat types were most often found, while web application attacks are the most common attack vector.
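Web shells, the second largest category above, are ordinary scripts dropped into a document root that turn request parameters into commands. The scanner below is an added example for this article, not a Trend Micro detection: it scores PHP files against a handful of weighted indicators and decodes base64 literals passed to base64_decode() so that one layer of obfuscation is scanned as well. The indicators, weights and threshold are the author’s choices, and the three PHP samples are constructed.

```python
"""Heuristic web-shell triage for PHP files.  Added example for this article,
not a Trend Micro detection: each indicator is a regex with a weight chosen
by the author (an assumption); base64 literals fed to base64_decode() are
decoded and rescanned so one layer of obfuscation does not hide the score.
The three PHP samples are constructed."""
import base64
import binascii
import re
from pathlib import Path

EXEC = r"(system|exec|shell_exec|passthru|popen|proc_open)"
INPUT = r"\$_(GET|POST|REQUEST|COOKIE)\b"
# (description, pattern, weight).  One hit is common in legitimate code;
# the combination is what separates a shell from an application.
INDICATORS = [
    ("eval of decoded data",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 5),
    ("eval/assert of request data", re.compile(r"\b(eval|assert)\s*\(\s*" + INPUT, re.I), 5),
    ("command execution with request data", re.compile(r"\b" + EXEC + r"\s*\(\s*" + INPUT, re.I), 5),
    ("command execution function", re.compile(r"\b" + EXEC + r"\s*\(", re.I), 2),
    ("backtick shell operator on a variable", re.compile(r"`[^`\n]*\$[^`\n]*`"), 3),
    ("password check on request data",
     re.compile(r"\$_(GET|POST|REQUEST)\s*\[\s*['\"]?(pass|pwd|password)", re.I), 2),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
]
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
THRESHOLD = 5  # assumption: tune against your own code base


def scan_php(source, depth=0):
    """Return {indicator: weight}.  Hits found inside decoded base64 literals
    are prefixed with 'decoded: ' so the analyst can see where they came from."""
    hits = {desc: w for desc, pat, w in INDICATORS if pat.search(source)}
    if depth < 2:  # follow at most two layers of base64 wrapping
        for literal in B64_LITERAL.findall(source):
            try:
                decoded = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                continue
            for desc, w in scan_php(decoded, depth + 1).items():
                hits.setdefault("decoded: " + desc, w)
    return hits


def score(hits):
    return sum(hits.values())


def verdict(source):
    return "suspicious" if score(scan_php(source)) >= THRESHOLD else "clean"


def scan_tree(root):
    """Walk a document root; return [(path, score, indicators)], worst first."""
    results = []
    for path in Path(root).rglob("*.php"):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            results.append((str(path), score(hits), sorted(hits)))
    return sorted(results, key=lambda r: -r[1])


# Constructed samples.
BENIGN = """<?php
$name = htmlspecialchars($_GET['name'] ?? 'world');
echo "Hello, $name";
"""
CLASSIC_SHELL = """<?php
if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }
"""
# The literal decodes to: system($_GET['c']);
OBFUSCATED = """<?php eval(base64_decode('c3lzdGVtKCRfR0VUWydjJ10pOw=='));"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("classic", CLASSIC_SHELL), ("obfuscated", OBFUSCATED)):
        print(label, verdict(src), scan_php(src))
```

A scanner like this is a triage aid, not a verdict: the score ranks files for a human to open, and the document root should be compared against the deployed package or git tree so that files nobody shipped stand out regardless of their content.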

Web Apps Top Targets

Most of the applications and workloads exposed to the internet run web applications. Web application attacks are among the most common attack vectors in Trend Micro’s telemetry, said researchers.

If launched successfully, web app attacks allow hackers to execute arbitrary scripts and compromise secrets. Web app attacks also can modify, extract, or destroy data. The research shows that 76 percent of the attacks are web-based.

The LAMP stack (Linux, Apache, MySQL, PHP) made it inexpensive and easy to create web applications. In a very real way, it democratized the internet so anyone can set up a web application, according to John Bambenek, threat intelligence advisor at Netenrich.

“The problem with that is that anyone can set up a web app. While we are still waiting for the year of Linux on the desktop, it is important for organizations to use best practices for their web presences. Typically, this means staying on top of CMS patches/updates and routine scanning with even open-source tools (like the Zed Attack Proxy) to find and remediate SQL injection vulnerabilities,” he told LinuxInsider.

The report referenced the Open Web Application Security Project (OWASP) Top 10 security risks, in which injection flaws and cross-site scripting (XSS) attacks remain as prevalent as ever. What struck Trend Micro researchers as significant is the high number of insecure deserialization vulnerabilities.

This is partly due to the ubiquity of Java and of deserialization vulnerabilities in it, according to Trend Micro. Its report also noted the Liferay Portal, Ruby on Rails, and Red Hat JBoss deserialization vulnerabilities as prominent.

Attackers also try to use broken-authentication vulnerabilities to gain unauthorized access to systems. The number of command injection hits was also a surprise, higher than Trend Micro’s analysts expected.
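The three bug classes the report singles out (injection, insecure deserialization, command injection) are easiest to see as the vulnerable code beside its fix. The block below is an added example for this article, written in Python rather than the Java of the report’s deserialization cases because the mechanism is the same; the user table, the hostnames, the `echo` stand-in for a ping command and the pickle payload are all constructed. The restricted unpickler follows the allow-list approach documented for Python’s pickle module; the Java counterpart is an ObjectInputFilter allow-list.

```python
"""SQL injection, command injection and insecure deserialization: the
vulnerable form beside its fix.  Added example for this article, in Python
(the report's deserialization findings are Java; the bug class is the same).
The user table, hostnames and pickle payload are constructed here."""
import io
import pickle
import sqlite3
import subprocess


def make_db():
    """Constructed two-row user table (the hashes are placeholders)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "h1"), ("admin", "h2")])
    return db


# 1. SQL injection: building the statement from input lets input become SQL.
def login_vulnerable(db, name, pw_hash):
    q = f"SELECT name FROM users WHERE name = '{name}' AND pw_hash = '{pw_hash}'"
    return [row[0] for row in db.execute(q)]


def login_hardened(db, name, pw_hash):
    # Bound parameters travel separately from the statement text.
    q = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return [row[0] for row in db.execute(q, (name, pw_hash))]


# 2. Command injection: shell=True hands the whole string to /bin/sh.
#    'echo' stands in for the real ping binary so the example runs anywhere.
def ping_vulnerable(host):
    return subprocess.run(f"echo ping {host}", shell=True,
                          capture_output=True, text=True).stdout


def ping_hardened(host):
    # argv list, no shell: the host is one argument whatever it contains.
    return subprocess.run(["echo", "ping", host],
                          capture_output=True, text=True).stdout


# 3. Insecure deserialization: pickle will call any importable callable.
class Gadget:
    """What an attacker serialises: on load, pickle calls check_output."""
    def __reduce__(self):
        return (subprocess.check_output, (["echo", "PWNED"],))


def attacker_payload():
    return pickle.dumps(Gadget())


def benign_payload():
    return pickle.dumps({"user": "alice"})


def load_vulnerable(blob):
    return pickle.loads(blob)  # runs the gadget before returning


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list of globals; anything else is refused before it can run."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_hardened(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def hardened_rejects(blob):
    try:
        load_hardened(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    evil_name = "admin' --"
    print("sqli vulnerable  :", login_vulnerable(db, evil_name, "x"))
    print("sqli hardened    :", login_hardened(db, evil_name, "x"))
    host = "localhost; echo INJECTED"
    print("cmd vulnerable   :", ping_vulnerable(host).strip())
    print("cmd hardened     :", ping_hardened(host).strip())
    print("pickle vulnerable:", load_vulnerable(attacker_payload()))
    print("pickle hardened  :", hardened_rejects(attacker_payload()))
```

The deserialization fix is the one least likely to be complete in practice: an allow-list only helps if the untrusted data never needs a class that can be abused, so where the wire format is under your control, a data-only format such as JSON removes the problem rather than filtering it.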

Expected Trend

It is no surprise that the majority of these attacks are web-based. Every website is different, written by different developers with different skill sets, observed Shawn Smith, director of infrastructure at nVisium.

“There is a wide range of different frameworks across a multitude of languages with various components that all have their own advantages and drawbacks. Combine this with the fact that not all developers are security gurus, and you’ve got an incredibly alluring target,” he told LinuxInsider.

Web servers are one of the most common services to expose to the internet because most of the world interacts with the internet through websites. There are other areas exposed — like FTP or IRC servers — but the vast majority of the world is using websites as their main contact point to the internet.

“As a result, this is where attackers will focus to get the biggest return on investment for their time spent,” Smith said.

OSS Linked to Supply Chain Attacks

Software supply chains must be secured to deal with the Linux attack landscape as well, noted the Trend Micro report. Attackers can insert malicious code to compromise the software components of third-party suppliers. That code then connects to a command-and-control server to download and deploy backdoors and other malicious payloads within the system.

This can lead to remote code execution on an enterprise’s systems and computing resources. Supply chain attacks can also stem from misconfigurations, which are the second most common incident type in cloud-native environments, according to the Trend Micro report. More than 56 percent of its survey respondents had a misconfiguration or known-unpatched-vulnerability incident involving their cloud-native applications.

Hackers are having an easy time. “The major attack types on web-based applications have remained constant over the recent past. That, combined with the rising time-to-fix and declining remediation rates, makes the hackers’ job easier,” said Setu Kulkarni, vice president of strategy at NTT Application Security.

Organizations need to test applications in production, figuring out what their top three to five vulnerability types are, then launch a targeted campaign to address them, rinse, and repeat, he recommended.

The “Linux Threat Report 2021 1H” is available here.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.
