Overview

The cybersecurity landscape is constantly evolving, even if the ultimate goal of our attackers remains consistent. Linux systems are increasingly targeted by sophisticated threat actors, ranging from Nation/State-backed actors, to organized criminal groups. TechJury[1] and Trend Micro[2] reports (from mid-2023) highlight a significant rise in Linux-targeted attacks in general and, specifically, malware deployments.

This increase in threat activity requires an informed and proactive response from cybersecurity professionals. It is important that we understand the attacker behaviors and are able to take the right measures to detect and respond. This post includes a summary of the key findings from the reports and how it can impact you as a cybersecurity professional.

The changing threat landscape

1. The Growing Menace of Linux Malware

• TechJury's report states: "Linux-based digital threats are on the rise in 2023, with over 1.9 million threats in 2022, a YoY increase of almost 50%".
• Trend Micro's similar findings underscore a 62% increase in Linux ransomware attack attempts from the first quarter of 2022 to 2023, marking a concerning trend.

Combined, this reflects the reality that our adversaries will constantly look for ways to gain access to sensitive information or valuable data.

For a long time, people have believed that “Linux is immune to Malware” (a Myth busted by the Trend Micro report), but the truth is very different. Unfortunately, as Linux environments often have limited security tools in place (and the tools are often less capable), even basic payloads like Meterpreter shells can be very effective.

2. Key Threat Types Identified

• TechJury categorizes the major threats to Linux as "Ransomware, Botnet, Cryptojacking, and Rootkits," with detailed examples of each.
• Trend Micro echoes this, emphasizing the high prevalence of "web shells" and the ongoing threat of "ransomware" in the Linux ecosystem.

Again, this indicates the flexibility within adversary groups and their willingness to take advantage of defender mistakes. The increase of Linux ransomware is unsurprising, as criminal groups will always look for new ways to make a profit.

One area which may surprise Windows-centric security people is the prevalence of Rootkits in Linux attacks. Linux, being open-source and community-driven, does not have a unified, enforced driver signing policy like Windows. Instead, driver signing in Linux is more flexible and decentralized. While Linux supports signed drivers (and certain distributions or specific implementations may enforce or encourage signing to some degree), the kernel itself does not strictly require all drivers to be signed. This results in kernel-driver rootkits being much more common on Linux devices.

A report from Recorded Future in August 2023[3] highlights this and identifies how we are seeing a trend of Ransomware and vulnerable drivers/Rootkits merging to provide criminal actors with much greater flexibility in implanting malware. The Recorded Future report extends a July 2023 report published by DarkReading[4], discussing how this poses a significant risk for critical infrastructure.

3. Exploited Vulnerabilities

• Trend Micro highlights critical vulnerabilities, including CVE-2021-44228 (Apache Log4j) and CVE-2018-15473 (OpenSSH), pinpointing the reality that even core Linux services can contain vulnerabilities. This is also a good reminder that simply being open source, so many eyes can read the source code, doesn’t mean many eyes have actually read the source code.
• TechJury adds that outdated vulnerabilities remain a significant risk due to delayed patching. This is especially true with Linux systems, which are often faced with the double problem of being considered “low priority” by asset owners and running critical assets with low-downtime tolerances.

Although Linux is increasingly popular, the “Linux on the Desktop” goal is still a few years away. Today, most deployments are for servers and services. This means that a traditional phishing attack is unlikely to be effective for gaining access to a Linux environment (although credential theft is still common). Instead, most Linux attacks are actually service-side attacks, generally involving vulnerability exploitation.

4. Emerging Malware Tactics

• According to Trend Micro, advanced persistent threat (APT) groups are exploiting BPF filters for installing backdoors, presenting new challenges in malware detection.
• TechJury notes the adaptation of malware like RansomExx, highlighting the evolving tactics of cybercriminals targeting Linux servers.

The history of Cybersecurity has been one of a cat-and-mouse game with Threat Actors. As new attacks are developed and discovered, the defenders and incident responders change their behavior to mitigate the threat. This leads to the attackers evolving to avoid detection/mitigation. It is unlikely that we will see an end to this cycle in the near future. This constant struggle is exemplified by the recent changes to attacker behaviours, with the use of BPF filter exploits as a very good example. While it is impossible to predict the future, it does mean that anyone working in security has to spend a lot of time simply catching up with the changing trends and behavior.

Helping incident responders deal with the changing threat

One of SANS’s newest courses, FOR577: Linux Incident Response and Threat Hunting, is designed to address these evolving threats, providing cybersecurity professionals with the skills and knowledge needed in this challenging landscape. The course runs for six days and looks at the incident response steps needed to investigate a complex intrusion in a realistic Linux environment.

1. Investigating Webshells

FOR577: Linux Incident Response and Threat Hunting delves into manual web log analysis, teaching students to detect signs of webshell deployment and injection attacks, a critical skill in light of the threats highlighted by TechJury. During the course we look at ways to rapidly process weblogs and identify indicators and warnings pertaining to attacker activity.

2. Ransomware Detection and Response

When dealing with ransomware, rapid response is essential. The course emphasizes rapid evidence triage, aligning with the Trend Micro report's findings on the rise in ransomware. Students learn to identify attacks quickly and rapidly respond across the entire environment.

3. Investigating Server-Side Attacks

Given that the majority of attacks in Linux are service-side exploitation, FOR577: Linux Incident Response and Threat Hunting covers investigating services like SSH and FTP. This training is vital for preventing exploits and responding to breaches, as underscored by both reports.

4. Advanced Threat Analysis Techniques

FOR577: Linux Incident Response and Threat Hunting covers advanced techniques like creating timelines from filesystem data (also known as triage timelines) and supertimelines, where we include data extracted from individual artifacts as well. This methodical approach helps in understanding attacker behavior and uncovering hidden activities, effectively addressing the sophisticated threat vectors outlined in the reports. The filesystem timeline serves as a rapid assessment tool for recent activity, while the Supertimeline offers an in-depth, granular view of the events. This dual-timeline strategy enables cybersecurity professionals to efficiently pinpoint and analyse critical moments in an attack sequence, providing vital insights into both the broad patterns and intricate details of the intrusion.

5. Practical Application and Hands-On Learning

The course offers hands-on experience, allowing students to apply their learning to real-world scenarios. With over 20 hands-on labs and a complex capstone challenge, you will definitely get to spend time practicing the exact techniques you would use in a real incident.  This practical approach is crucial for understanding the nuances of Linux incident response in the context of the evolving threat landscape.

The course culminates in a capstone challenge, where teams investigate multiple devices to find an advanced attacker, gather evidence and then present their findings to the executives.

Summary

As the reports from TechJury and Trend Micro illustrate, the need for comprehensive Linux security knowledge has never been greater. The increase in malware threats, evolving attack methodologies, and exploited vulnerabilities all point to a critical need for up-to-date training and skills development in Linux cybersecurity.

FOR577: Linux Incident Response and Threat Hunting course's Role in Modern Cybersecurity

FOR577: Linux Incident Response and Threat Hunting course stands out as a key resource for cybersecurity professionals facing these challenges. The course's focus on practical skills, from detecting webshells to responding to ransomware and investigating compromised services, aligns perfectly with the current needs of the cybersecurity community. By providing an understanding of the threats and effective response strategies, the FOR577: Linux Incident Response and Threat Hunting course plays a pivotal role in preparing professionals to protect Linux environments against the increasingly sophisticated cyber threats.

[1] https://techjury.net/blog/list-of-linux-malware-and-threats/

[2] https://www.trendmicro.com/vinfo/ie/security/news/cybercrime-and-digital-threats/the-linux-threat-landscape-report

[3] https://go.recordedfuture.com/hubfs/cta-2023-0817.pdf

[4] https://www.darkreading.com/vulnerabilities-threats/linux-ransomware-poses-significant-threat-to-critical-infrastructure