Linux-based operating systems are being targeted more and more frequently, largely because of their prevalence in public cloud workloads. More than 13 million attempted malware attacks were detected between January and June 2021 alone, according to analysis by Trend Micro.
Increase in the use of cloud services
In its newly published report Linux threat report 2021 1H: Linux threats in the cloud and security recommendations, which is available in full here, Trend Micro’s analysts detail how cyber criminals are following organisations that have upped their use of cloud services during the pandemic.
Because the vast majority of public cloud workloads run on Linux, the operating system has become the key driver behind virtually every single digital transformation project currently undertaken. And this makes the security of Linux environments ever-more critical as malicious actors become more and more interested in exploiting them.
Aaron Ansari, VP of cloud security at Trend Micro, explained: “It’s safe to say that Linux is here to stay, and as organisations continue to move to Linux-based cloud workloads, malicious actors will follow. We have seen this as a main priority to ensure our customers receive the best security across their workloads, no matter the operating system they choose to run it on.”
Trend Micro found that 25% of the malware currently hitting Linux servers consists of cryptominers, which it added should not be surprising: the cloud holds a “seemingly endless” amount of computing power, and that makes it the perfect environment for illicit cryptocurrency mining.
Most prevalent malware reported
The second most widespread type of malware reported was web shells, accounting for 20% of attacks. Recent and ongoing attacks on Microsoft Exchange servers have highlighted the importance of protecting against web shells.
The third most commonly observed attacks involved ransomware, accounting for 12% of malicious incidents. The most prevalent family targeting Linux environments was DoppelPaymer, although many other widespread families were observed, including RansomExx, DarkRadiation and DarkSide.
The Linux distribution most affected by these threats was CentOS Linux, which accounted for just under 51% of incidents. This is in part because versions 7.4 to 7.9 of CentOS have reached end of life. CloudLinux Server accounted for 31.2% of incidents, Ubuntu Server for 9.6%, and Red Hat Enterprise Linux Server for 2.7%.
Tim Mackey, a principal security strategist at the Synopsys Cybersecurity Research Centre, said that given the foundational nature of Linux for cloud computing and technologies such as Docker and Kubernetes, a solid understanding of the associated security issues and requirements should be an important part of a sysadmin’s or SRE’s role in a DevOps team.
“Increasingly, securing Linux systems means securing the application layer and understanding the latent security risks present in pre-packaged runtime environments like those of VMs and containers,” he said. “Addressing these risks requires a systematic approach employing continuous improvement methodologies based on an understanding of how weaknesses in code and configurations contribute to exploitable environments.”