Outdated Linux Versions, Misconfigurations Triggering Cloud Attacks: Report

The “Linux Threat Report 2021 1H” from Trend Micro found that Linux cloud operating systems are heavily targeted for cyberattacks, with nearly 13 million detections in the first half of this year. As organizations expand their footprint in the cloud, they are correspondingly exposed to the pervasive threats that exist in the Linux landscape.

This latest threat report, released Aug. 23, provides an in-depth look at the Linux threat landscape. It discusses several pressing security issues that affect Linux running in the cloud.

The researchers’ key finding is that Linux is powerful, universal, and dependable, but not devoid of flaws: like any other operating system, it remains susceptible to attack.

Linux in the cloud powers most infrastructures, and Linux users make up the majority of the Trend Micro Cloud One enterprise customer base at 61 percent, compared to 39 percent Windows users.

The data comes from the Trend Micro Smart Protection Network (SPN), the data reservoir for detections across all of Trend Micro’s products. The results show enterprise Linux at considerable risk from system configuration mistakes and outdated Linux distributions.

For instance, data from the internet scan engine Censys.io showed nearly 14 million results for exposed devices running some form of Linux on July 6, 2021. A Shodan search for port 22, the port commonly used for Secure Shell (SSH) on Linux-based machines, showed almost 19 million exposed devices as of July 27, 2021.

As with any operating system, security depends entirely on how you use, configure, and manage it. Each new Linux release adds security improvements, but you only get their value if you enable and configure them correctly, cautioned Joseph Carson, chief security scientist and advisory CISO at Thycotic.

“The state of Linux security today is rather good and has evolved in a positive way, with much more visibility and security features built-in. Nevertheless, like many operating systems, you must install, configure, and manage it with security in mind — as how cybercriminals take advantage is the human touch,” he told LinuxInsider.
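Carson’s point is easy to test on the one service the Shodan figure above is about. The following is an added example, not code from the report or from Thycotic: it parses an sshd_config the way sshd resolves it (the first occurrence of a directive wins, later duplicates are ignored, and directives after a Match block apply only conditionally, so the parser stops there, which is a simplification) and flags settings that should not be present on an Internet-facing host. The directive list, the OpenSSH defaults it assumes, and the sample configuration are all constructed for the example.

```python
"""Audit sshd_config for settings that should not be exposed to the Internet.

Added example; the directive list, defaults and sample config are constructed.
"""
import re
from typing import Dict, List, Tuple

# Directive -> values acceptable on an Internet-facing host (case-insensitive).
EXPECTED: Dict[str, Tuple[str, ...]] = {
    "permitrootlogin": ("no", "prohibit-password"),
    "passwordauthentication": ("no",),
    "pubkeyauthentication": ("yes",),
    "permitemptypasswords": ("no",),
    "x11forwarding": ("no",),
}

# What OpenSSH assumes when the directive is absent from the file.
OPENSSH_DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return directive -> effective value, with lower-cased keys.

    sshd keeps the *first* value it sees for a directive and ignores later
    duplicates, so a hardening line appended below a weak one changes nothing.
    Directives after a Match block apply conditionally; this parser stops there.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)        # first occurrence wins
    return effective


def audit(text: str) -> List[str]:
    """Return one finding per weak directive, whether set explicitly or by default."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    for key, accepted in EXPECTED.items():
        value = cfg.get(key, OPENSSH_DEFAULTS[key]).lower()
        if value not in accepted:
            origin = "explicit" if key in cfg else "implicit default"
            findings.append(f"{key}={value} ({origin}); expected one of {accepted}")
    return findings


# Constructed sample: a host where someone "fixed" password auth by appending a line.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no    # ignored by sshd: the first value above wins
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WEAK:", finding)
```

Run against the sample, the audit reports root login and password authentication as weak and says nothing about the appended `PasswordAuthentication no`, because sshd never reads it. An empty file is also reported, since OpenSSH’s own default for password authentication is `yes`.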

Top Linux Threats

The Trend Micro report catalogues the malware families rampant on Linux systems. Unlike previous reports organized by malware type, this study focused on the prevalence of Linux as an operating system and the pervasiveness of the threats and vulnerabilities that stalk it.

By that measure, the most detections originated in the U.S. (almost 40 percent), Thailand (19 percent), and Singapore (14 percent).

Most detections arose from systems running end-of-life versions of Linux distributions: CentOS versions 7.4 to 7.9 (almost 44 percent), CloudLinux Server (more than 40 percent), and Ubuntu (about 7 percent).
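The end-of-life finding is the kind of thing an inventory job should catch before an attacker does. The following is an added example, not from the report: it reads the contents of /etc/os-release, looks the distribution up in a small end-of-life table, and says whether the host is past vendor support on a given day. The table, the sample os-release contents, and the helper names are constructed for the example; the dates reflect the vendors’ published end-of-life dates for those releases but must be maintained by whoever runs this, and the report’s point about CentOS 7.4 to 7.9 concerns superseded minor releases, which a check like this only catches once the whole major release expires (comparing the installed minor against the latest one is the natural extension).

```python
"""Flag a host whose distribution release is past end of life, from /etc/os-release.

Added example. The EOL table is constructed for illustration from vendor
announcements and must be maintained by whoever runs this; it is not authoritative.
"""
from datetime import date
from typing import Dict, Optional, Tuple

# (ID from os-release, VERSION_ID or its major) -> end of standard support.
EOL_TABLE: Dict[Tuple[str, str], date] = {
    ("centos", "6"): date(2020, 11, 30),
    ("centos", "7"): date(2024, 6, 30),
    ("centos", "8"): date(2021, 12, 31),   # CentOS Linux 8 ended before CentOS 7 did
    ("cloudlinux", "7"): date(2024, 6, 30),
    ("ubuntu", "16.04"): date(2021, 4, 30),
    ("ubuntu", "18.04"): date(2023, 5, 31),
    ("ubuntu", "20.04"): date(2025, 5, 31),
}


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse the KEY=VALUE lines of os-release; values may be quoted."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def eol_status(os_release: str, today: date) -> Tuple[str, Optional[date], bool]:
    """Return (label, eol_date, past_eol); eol_date is None when not in the table."""
    f = parse_os_release(os_release)
    dist = f.get("ID", "unknown").lower()
    version = f.get("VERSION_ID", "")
    major = version.split(".")[0]
    # Exact release first (Ubuntu 18.04), then the major stream (CentOS 7, CloudLinux 7.9).
    eol = EOL_TABLE.get((dist, version)) or EOL_TABLE.get((dist, major))
    return f"{dist} {version}".strip(), eol, bool(eol and today > eol)


def past_eol_on(os_release: str, iso_day: str) -> bool:
    """Convenience wrapper: is this host past end of life on the given YYYY-MM-DD?"""
    return eol_status(os_release, date.fromisoformat(iso_day))[2]


# Constructed os-release contents in the shape the three distributions use.
CENTOS7 = 'NAME="CentOS Linux"\nVERSION="7 (Core)"\nID="centos"\nVERSION_ID="7"\n'
CLOUDLINUX79 = 'NAME="CloudLinux"\nID="cloudlinux"\nVERSION_ID="7.9"\n'
UBUNTU1604 = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="16.04"\nVERSION_CODENAME=xenial\n'

if __name__ == "__main__":
    for sample in (CENTOS7, CLOUDLINUX79, UBUNTU1604):
        label, eol, past = eol_status(sample, date.today())
        state = "PAST EOL" if past else ("supported" if eol else "unknown to table")
        print(f"{label:16} EOL {eol}  {state}")
```

A distribution the table does not know is reported as unknown rather than supported, so gaps in the table show up as work to do instead of silently passing.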

Trend Micro tracked more than 13 million malware events flagged by its sensors, then compiled the prominent threat types from the top 10 malware families affecting Linux servers from Jan. 1 to June 30, 2021.

The top threat types found in Linux systems in the first half of 2021 are:

  • Coinminers (24.56 percent)
  • Web shell (19.92 percent)
  • Ransomware (11.56 percent)
  • Trojans (9.56 percent)
  • Others (3.15 percent)

The top four Linux distributions where the top threat types in Linux systems were found in H1-2021 are:

  • CentOS Linux (50.80 percent)
  • CloudLinux Server (31.24 percent)
  • Ubuntu Server (9.56 percent)
  • Red Hat Enterprise Linux Server (2.73 percent)

Rounded, the top three malware families (coinminers, web shells, and ransomware) account for roughly 25, 20, and 12 percent of detections respectively. CentOS Linux and CloudLinux Server are the distributions on which these threat types were most often found, and web application attacks are the most common attack vector.
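Web shells, the second-largest category above, are usually a single dropped PHP file, so a cheap content scan of the document root catches most of them. The following is an added example, not from the report: a heuristic scanner with four signatures (code-execution functions fed from request data, eval of a decoded blob, the old preg_replace /e modifier, and an unusually long base64 literal) run over a handful of constructed sample files. The signatures, sample files, and paths are all invented for the example; real shells also use variable functions and string splitting that these patterns do not cover.

```python
"""Heuristic scanner for PHP web shells in a document root.

Added example: the signatures and sample files are constructed and cover the
common patterns, not the long tail of obfuscated shells.
"""
import re
from typing import Dict, List, Tuple

# Sources of attacker-controlled input in PHP.
USER_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b|php://input|getallheaders\s*\("
# Functions that turn a string into code or a process.
EXEC_FUNCS = r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|pcntl_exec)"

SIGNATURES: List[Tuple[str, re.Pattern]] = [
    # system($_GET['c']), eval($_POST['x']) and friends, within one statement
    ("exec-of-request-data",
     re.compile(EXEC_FUNCS + r"\s*\(\s*[^;]*?(?:" + USER_INPUT + r")", re.I)),
    # eval(gzinflate(base64_decode('...'))): code that hides its own source
    ("eval-of-decoded-blob",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
                re.I)),
    # preg_replace with the /e modifier evaluates the replacement as PHP (removed in PHP 7)
    ("preg_replace-e-modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"])/.*?/[a-z]*e[a-z]*\1", re.I)),
    # a single base64 literal of 200+ characters is rare in hand-written PHP
    ("dense-base64-literal",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


def scan(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, signature) for every signature that fires, per line."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a {path: contents} mapping; only files with hits are returned."""
    return {path: h for path, src in files.items() if (h := scan(src))}


# Constructed sample files; the first three are typical dropped shells, the
# last is legitimate code that calls shell_exec with a fixed string.
SAMPLES: Dict[str, str] = {
    "uploads/x.php": "<?php @eval($_POST['cmd']); ?>\n",
    "cache/sess.php": "<?php\neval(gzinflate(base64_decode('eJxLy8xLVUjOzysuUXBJTcwFAC0pBGI=')));\n",
    "tmp/p.php": "<?php preg_replace(\"/.*/e\", $_POST['x'], \"\"); ?>\n",
    "cron/status.php": "<?php\n$out = shell_exec('uptime');\necho htmlspecialchars($out);\n",
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLES).items():
        print(path, hits)
```

The benign `cron/status.php` produces no hit because the first signature only fires when request data appears inside the same statement as the dangerous call; that keeps the noise down on real code bases at the cost of missing shells that stage the input through a variable first.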

Web Apps Top Targets

Most of the applications and workloads exposed to the internet run web applications. Web application attacks are among the most common attack vectors in Trend Micro’s telemetry, said researchers.

A successful web application attack lets an attacker execute arbitrary scripts, compromise secrets, and modify, extract, or destroy data. The research shows that 76 percent of the attacks observed were web-based.

The LAMP stack (Linux, Apache, MySQL, PHP) made it inexpensive and easy to create web applications. In a very real way, it democratized the internet so anyone can set up a web application, according to John Bambenek, threat intelligence advisor at Netenrich.

“The problem with that is that anyone can set up a web app. While we are still waiting for the year of Linux on the desktop, it is important for organizations to use best practices for their web presences. Typically, this means staying on top of CMS patches/updates and routine scanning with even open-source tools (like the Zed Attack Proxy) to find and remediate SQL injection vulnerabilities,” he told LinuxInsider.

The report referenced the Open Web Application Security Project (OWASP) Top 10 security risks, in which injection flaws and cross-site scripting (XSS) remain as prominent as ever. What struck Trend Micro’s researchers as significant was the high number of insecure deserialization vulnerabilities.

This is partly due to the ubiquity of Java and of deserialization vulnerabilities in it, according to Trend Micro. Its report also singled out the Liferay Portal, Ruby on Rails, and Red Hat JBoss deserialization vulnerabilities as prominent.
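The mechanism behind every one of those deserialization bugs is the same: the serialized bytes name a class, and the loader instantiates it and runs its code. The following is an added example, not from the report and not Java: it uses Python’s pickle as a stand-in because pickle makes the mechanism explicit in a few lines. It shows a constructed hostile blob that makes a trusting loader call a function of the attacker’s choosing (os.getcwd here, standing in for os.system), and a loader that resolves only an allowlisted type. The Session class, the blobs, and the function names are invented for the example; the Liferay, Rails and JBoss bugs are not reproduced.

```python
"""Insecure deserialization, vulnerable and hardened, in Python's pickle.

Added example. The Java gadget chains the report refers to work the same way:
the serialized data names a class, and loading it runs that class's code.
pickle makes this explicit, so it is used here as a stand-in for Java.
"""
import io
import os
import pickle
from dataclasses import dataclass, field
from typing import Any, List


@dataclass
class Session:
    """The one type this service legitimately exchanges."""
    user: str
    roles: List[str] = field(default_factory=list)


class Exploit:
    """What an attacker serializes. __reduce__ tells pickle to call the
    returned callable on load; os.getcwd stands in for os.system('...')."""
    def __reduce__(self):
        return (os.getcwd, ())


HOSTILE_BLOB = pickle.dumps(Exploit())                      # constructed attacker payload
LEGIT_BLOB = pickle.dumps(Session("alice", ["admin"]))      # what the service expects
PLAIN_BLOB = pickle.dumps({"user": "bob", "roles": []})     # plain data: no globals at all

# The only (module, name) pairs the restricted loader will resolve.
ALLOWED = {(__name__, "Session")}


def vulnerable_load(blob: bytes) -> Any:
    """Trusts the wire bytes: pickle imports and calls whatever they name."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only the allowlisted globals; refuse the rest.

    pickle asks find_class() for every global the stream references, which is
    the one choke point through which a gadget chain must pass.
    """

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(blob: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True when the restricted loader refuses the blob."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def exploit_runs_under_vulnerable_loader() -> bool:
    """True when the hostile blob made the loader execute os.getcwd()."""
    return vulnerable_load(HOSTILE_BLOB) == os.getcwd()


def legit_survives_safe_loader() -> bool:
    return safe_load(LEGIT_BLOB) == Session("alice", ["admin"])


if __name__ == "__main__":
    print("vulnerable loader ran attacker's callable:", exploit_runs_under_vulnerable_loader())
    print("restricted loader rejected hostile blob:  ", is_rejected(HOSTILE_BLOB))
    print("restricted loader accepted Session:       ", legit_survives_safe_loader())
```

Notice that the plain dictionary loads under the restricted loader too, because it references no globals at all; a service that only needs data, not objects, is better off with a format such as JSON that cannot name a class in the first place. The allowlist is the fallback when the object graph is genuinely required.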

Attackers also exploit broken authentication to gain unauthorized access to systems. The number of command injection hits was a surprise as well, higher than Trend Micro’s analysts expected.
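Command injection is the bug that turns a web handler into the equivalent of a web shell without the attacker uploading anything. The following is an added example, not from the report: a handler that spawns a program with a user-supplied argument, written three ways, with a constructed attacker value. The command is built on `echo` so it runs offline and deterministically; the same shape applies to ping, dig, convert, or whatever a real handler spawns. The hostname pattern and function names are assumptions made for the example.

```python
"""Command injection: a concatenated shell command beside two safe forms.

Added example. The command is a stand-in built on `echo` so it runs offline;
the same shape applies to ping, dig, convert or anything else a web handler
spawns with user-supplied arguments.
"""
import re
import shlex
import subprocess

# Hostnames only: letters, digits, dots and hyphens, and no leading hyphen so
# the value can never be read as an option by the spawned program.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def lookup_vulnerable(host: str) -> str:
    """String interpolation into a shell command: ';', '|', '$(...)' all execute."""
    result = subprocess.run(f"echo resolving {host}", shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def lookup_quoted(host: str) -> str:
    """If a shell is unavoidable, shlex.quote makes the value a single literal word."""
    result = subprocess.run(f"echo resolving {shlex.quote(host)}", shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def lookup_hardened(host: str) -> str:
    """Preferred: validate, then pass an argv list so no shell parses the input."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    result = subprocess.run(["echo", "resolving", host],
                            capture_output=True, text=True, check=True)
    return result.stdout


def hardened_rejects(host: str) -> bool:
    """True when the validating handler refuses the value."""
    try:
        lookup_hardened(host)
    except ValueError:
        return True
    return False


ATTACK = "example.com; echo INJECTED"        # constructed attacker input

if __name__ == "__main__":
    print("vulnerable:", repr(lookup_vulnerable(ATTACK)))
    print("quoted:    ", repr(lookup_quoted(ATTACK)))
    print("hardened rejects attack:", hardened_rejects(ATTACK))
```

The vulnerable form prints two lines, the second produced by the injected command; the quoted form prints the attacker’s text as data on one line; the hardened form never runs at all for that input, which is the outcome you want from a handler that faces the Internet.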

Expected Trend

It is no surprise that the majority of these attacks are web-based. Every website is different, written by different developers with different skill sets, observed Shawn Smith, director of infrastructure at nVisium.

“There is a wide range of different frameworks across a multitude of languages with various components that all have their own advantages and drawbacks. Combine this with the fact that not all developers are security gurus, and you’ve got an incredibly alluring target,” he told LinuxInsider.

Web servers are one of the most common services to expose to the internet because most of the world interacts with the internet through websites. There are other areas exposed — like FTP or IRC servers — but the vast majority of the world is using websites as their main contact point to the internet.

“As a result, this is where attackers will focus to get the biggest return on investment for their time spent,” Smith said.

OSS Linked to Supply Chain Attacks

Software supply chains must also be secured to deal with the Linux attack landscape, the Trend Micro report notes. Attackers insert malicious code into a third-party supplier’s software components; once deployed, that code connects to a command-and-control server to download backdoors and other payloads, giving the attacker remote code execution on the enterprise’s systems and computing resources.

Misconfigurations are a further route in: they are the second most common incident type in cloud-native environments, according to the report, and more than 56 percent of survey respondents had suffered a misconfiguration or known unpatched vulnerability incident involving their cloud-native applications.

Hackers are having an easy time. “The major attack types on web-based applications have remained constant over the recent past. That, combined with the rising time-to-fix and declining remediation rates, makes the hackers’ job easier,” said Setu Kulkarni, vice president of strategy at NTT Application Security.

Organizations need to test applications in production, figure out their top three-to-five vulnerability types, then launch a targeted campaign to address them, rinse, and repeat, he recommended.

The “Linux Threat Report 2021 1H” is available here.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.


Canonical Lets Loose Ubuntu 22.04 LTS ‘Jammy Jellyfish’

Canonical Ubuntu 22.04 LTS (Jammy Jellyfish)
Credit: Canonical

Canonical’s Ubuntu 22.04 LTS, aka “Jammy Jellyfish,” is now generally available with features that raise the bar for open source — from cloud, to edge, to IoT and workstations.

The desktop version is one of the biggest LTS releases from Ubuntu with respect to visual and feature changes. This major upgrade to GNOME 42 brings changes to the desktop itself in terms of layout, appearance, and how things work.

If the Ubuntu desktop is your only connection to Canonical’s infrastructure, you can expect some mild and minor hands-on adjustments. If you deal with the rest of Ubuntu’s enterprise world, you will find a lot more hardcore improvements in security and performance for IoT and cloud computing connections.

Canonical announced the new release on Thursday, detailing features that bring significant leaps forward in cloud confidential computing, real-time kernel for industrial applications, and enterprise Active Directory, PCI-DSS, HIPAA, FIPS, and FedRAMP compliance.

The new desktop release, however, ships without the anticipated new installer, which is built on Flutter, an open-source UI toolkit, noted Oliver Smith, Canonical’s program manager for the Ubuntu desktop. The Flutter-based installer is not yet ready for deployment; Canonical will release a build of 22.04 that includes it later in the release cycle.

“I think when you are dealing with something that we want to support for five years, and we were expecting a huge amount of adoption, we just did not feel that we would have the opportunity to test across all the different sort of ranges of hardware and use cases that we wanted to get (for) confidence to go live out of the box,” Smith explained.

“It is evolving a lot in the background, but just the timing did not quite work out for this release.”

Ubuntu Desktop Still in Focus

The range of use cases that involve Ubuntu Server, IoT, and cloud OS installations, is not making the Ubuntu desktop edition less significant, according to Mark Shuttleworth, CEO of Canonical. He denied the Ubuntu desktop itself is less important now than other enterprise factors in response to a reporter’s question Tuesday during a virtual presentation.

“Our mission is to be a secure, reliable, and consistent open-source platform everywhere,” he said. “Ubuntu 22.04 LTS unlocks innovation for industries with demanding infrastructure security requirements, such as telecommunications and industrial automation, underpinning their digital transformation.”

So the desktop is central to Ubuntu’s narrative, Shuttleworth added. It is also central to the kind of innovation work many of the company’s developers do with Intel.

“For example, [improvements] enable the same sorts of high-end capabilities whether those are battery life or performance capabilities on Linux that they achieve on platforms like Windows,” he said. “Those are really important.”

In terms of resources, Canonical has about 60 people working with its various partners — Dell, HP, Lenovo — and the industry supply chain on the desktop. Plus, another 20 engineers or so work on core desktop capabilities, he noted.

Ubuntu Adoption Grows Deep

Ubuntu is deeply integrated into public clouds and optimized for performance, security, and ease of use. A key new capability is confidential computing, which greatly improves data protection and privacy in leading public clouds without requiring any changes to existing application deployments.

Ubuntu is the only Linux distribution supporting Azure confidential VMs, according to Vikas Bhatia, head of product for Azure Confidential Computing at Microsoft. To ensure good performance on Arm, Canonical also optimized Ubuntu 22.04 LTS images for AWS Graviton.

On AWS, Ubuntu is available from EC2 images, including ones for the latest Graviton chips, through to containers. Canonical also cites support for the latest Arm servers, such as Ampere A1, which it says provide high-performing and cost-effective solutions for all types of workloads.

Other Major Ubuntu Plaudits

Innovators on Raspberry Pi get the first long-term support release with Ubuntu Desktop support on the Raspberry Pi 4. The entire recent Raspberry Pi device portfolio is supported for the very first time, from the new Raspberry Pi Zero 2W to the Raspberry Pi 4, said Eben Upton, CEO of Raspberry Pi Trading.

“It is great to see a certified Ubuntu Desktop release that includes support for the 2 GB Raspberry Pi 4, giving developers all over the world access to the most affordable development desktop environment,” he said.

Ubuntu WSL (Windows Subsystem for Linux) delivers deep integration with native Windows development environments like Visual Studio Code and Docker Desktop across a shared file system. Users mix Windows and Linux commands to create efficient workflows for data science, web development, and IT systems management. Users of Ubuntu WSL can upgrade to 22.04 LTS directly.

For Windows and macOS developers, Multipass provides Ubuntu 22.04 LTS VMs on-demand with full cloud-init for cloud prototyping at home. Multipass gains Apple M1 support, making it the best way to drive development for new ARM cloud instances, according to Canonical. Multipass has also added support for Docker workflows to unify the developer experience for cloud and cloud-native applications.

For shared development environments, multi-user LXD offers per-user project segregation. This addition restricts specific user permissions so multiple people can safely share the same LXD cluster.

Foundation for Data-Sensitive Workloads

Ubuntu is the platform of choice to run Microsoft SQL Server on Azure with enterprise-grade support, noted Canonical. SQL Server on Ubuntu Pro LTS for Azure offers scalability and performance.

It also gives business-critical SQL Server workloads access to comprehensive open-source security on Azure. Nvidia virtual GPU (vGPU) software drivers are generally available now.

Data scientists can natively install Nvidia vGPU Software 14.0 and benefit from highly-performant GPU resources across multiple virtual machines simultaneously. This allows data scientists to use parallel, isolated advanced AI/ML workloads to help ensure that the underlying hardware resources are used efficiently.

“Enterprises, data scientists and developers building AI solutions require integrated systems and software that easily support MLOps workflows,” said Manuvir Das, vice president of Enterprise Computing at Nvidia.

“Organizations can now run Nvidia AI on Ubuntu to help solve some of humanity’s biggest challenges with new products and systems that simplify operations, boost safety, and improve communication,” Das added.

Other Ubuntu Strengths

The Ubuntu 22.04 LTS base image is available on Docker Hub along with a Canonical-maintained portfolio of secure and stable LTS application container images. Existing LTS Docker images on Ubuntu will receive new long-term supported 22.04-based tracks.

These include MySQL, PostgreSQL, and Nginx. The open-source applications portfolio is expanding further, focusing on Observability and Big Data, with new Grafana Loki, Apache Kafka, and Apache Cassandra container images.

“Ubuntu plays an essential role on Docker Hub, as one of the most popular Docker Official Images,” said Webb Stevens, senior vice president of Secure Software Supply chain at Docker.

Real-Time Kernel, Too

Canonical also reported that the Ubuntu 22.04 LTS real-time kernel is available in beta.

Designed to meet telco network transformation needs for 5G, the real-time kernel delivers performance, guaranteed ultra-low latency, and security for critical infrastructure. It also serves latency-sensitive use cases in industrial automation and robotics, and handles real-time applications like Cloud RAN, said Dan Lynch, marketing director at Intel.

“The real-time kernel in Ubuntu 22.04 LTS leverages the acceleration from Intel hardware, allowing us to compete on even terms with the biggest network equipment providers,” said Radoslaw Adamczyk, technical lead at IS-Wireless, which develops and delivers mobile networks in the OpenRAN model.

Ubuntu thus offers a single platform for the whole stack, from bare metal with MAAS to the Ubuntu OS, LXD VMs, and MicroK8s at the edge. Ubuntu 22.04 LTS also adds Rust for memory-safe systems-level programming, and it moves to OpenSSL 3, which brings new cryptographic algorithms.

Desktop Highlights

Ubuntu’s default GNOME desktop gains significant usability, battery, and performance improvements with the GNOME 42 upgrade. It adds GNOME power profiles and streamlined workspace transitions, alongside optimizations that Canonical says can double the desktop frame rate on Intel and Raspberry Pi graphics drivers.

GNOME 42 brings a horizontal workspace view alongside the horizontal application view. The changes will require some muscle-memory adjustment, as will the updated and new applications.

Expect lots of new looks. Some of the notable upgrades involve changes to the base color scheme and the Jammy Jellyfish default wallpaper.

The file manager has a more compact look, and a new screenshot tool changes how you take captures.

Available for Download

Ubuntu 22.04 LTS Jammy Jellyfish is available now on Ubuntu Downloads and major public clouds.
