Linux is a pervasive operating system for good reason. It’s lightweight, flexible, open source, and supports multiple architectures, all of which present great opportunity to innovate and deliver software and services.
In the device world, Linux is ideal for IoT because there’s no heavy GUI. It can be optimized for hardware-level workloads, and the licensing makes it easy for redistribution. Plus, the extensive open source community may have already coded something that suits the needs of a device maker and that can be plugged right in.
The same benefits apply when considering Linux for the cloud. As of 2017, Linux was running 90% of public cloud workloads.
But while Linux itself may be more secure than other operating systems, no OS is really secure on its own. Vulnerabilities are a fact of life, whether it’s an actual software vulnerability, an implementation flaw or otherwise. Indeed, we’ve seen increased interest by cyber-criminals in attacking Linux over recent months and years.
Because of its flexible, open source nature, Linux offers some of the same conveniences for attackers as it does for legitimate developers and service providers.
Yes, one could use customizable malware targeting Linux to infect cloud workloads, databases, and endpoints like mobile devices, connected cameras, cars, and heavy equipment. For Linux, however, you actually don’t really need malware. The Linux shell provides nearly everything an attacker would need from malware anyway. A well-written Linux script is as powerful as any malware, and much easier to obfuscate.
As of 2017, Linux was running 90% of public cloud workloads
If a sophisticated attacker wanted to thoroughly infiltrate a target organization, a potential attack could be designed like this:
- Use a point of entry (possibly through an unsecured mobile device) to scan the network and find what Linux-based systems are running
- Customize a Linux script to integrate with each implementation used by critical systems. This could be done by adjusting the script to target the commands and structure of each or buying actual malware variants for each target
- Run the script to infect each system to encrypt and ransom data, or exfiltrate data to sell as PII or for industrial espionage
With this type of attack, a criminal can simultaneously target and infect all types of critical systems across a corporate environment. A pervasive, laterally moving attack could happen with separate tools for each target by using a shell script slightly modified to infect each system at the OS level.
Think about the criticality of business data stored in cloud workloads and databases. According to a Forrester study in 2019, businesses are expected to spend $12.6 billion on cloud security tools by 2023 to protect this critical data.
Cloud computing is used by consumers and businesses in all industries and in organizations of all sizes, representing a broad attack surface. Most cloud services are built in a secure manner, but the Shared Responsibility Model of cloud services means that the cloud provider and the customer both have responsibilities for securing the environment and the data within. Misconfigurations or errors can leave organizations and their users exposed.
Businesses are expected to spend $12.6 billion on cloud security tools by 2023
Forrester
It is well-known that IoT devices are fallible. Across all use cases and device types, connected devices with embedded Linux-based systems provide a viable target for exploitation, and we know cyber-criminals are exploring how to monetize IoT attacks. As an industry, we spend so much time protecting an employee’s laptop because an attacker could use the endpoint to traverse the network into critical systems running Linux.
After COVID-19, remote working is likely here to stay for many companies globally. This means even more work running in the cloud, and more people buying smart IoT devices to stay connected at home. The risk from attacks on this OS are only increasing. Just about everyone is, or will be, exposed in some way to Linux.
All of this begs the question: How is there so little focus on protecting Linux-based systems when there’s so much opportunity for attackers? The cloud and IoT markets will continue to grow, and criminal interest is likely to follow. With Linux as the common thread, how could we not see an increase in Linux-based malware in the near future?
The solution to this is something every organization needs to be thinking about as part of their overall security strategy. All organizations should work to protect the single common thread across mission critical systems and platforms: Linux.
Erin Sindelar Threat Researcher & Communicator, Trend Micro
