Attackers Increasingly Target Linux in the Cloud

Linux is widely used in containerized environments, giving rise to significant attention from attackers.

4 Min Read
Source: kras99 via Adobe Stock

Linux has been the favored operating system of system administrators and hackers, but now the operating system has become a significant target of cybercriminals as well, with malware — such as Web shells and coin miners — running from Linux containers and about 200 different Linux vulnerabilities targeted in attacks.

That data, from security firm Trend Micro, underscores how containers have taken off and some of the most popular ones have a significant number of vulnerabilities. The official Python image, for example, has 482 vulnerabilities — 32 of them critical — while the official WordPress image has 402 vulnerabilities, 26 of them critical.

Companies need to ask themselves how they intend to secure their container infrastructure, says Aaron Ansari, vice president of cloud security at Trend Micro.

"If there are vulnerabilities, how are you going to patch them?" he says, adding that companies that do not have a quick time-to-patch need to take alternative steps. "That is when you need to have something to defend your systems — especially your critical ones. If it is a critical system, you need to find some way to secure it."

Driven by the widespread adoption of cloud, containerization, and infrastructure as code, Linux adoption has taken off. More than 77% of all websites run Unix, with the majority — and likely the vast majority — running Linux, according to Web technology survey firm W3Techs. Among Trend Micro customers, companies deploying containers and virtual servers into cloud infrastructure, 61% use Linux and 39% use Windows, the company said. Almost three-quarters of Linux installations use Red Hat Enterprise Linux, AWS Linux, Ubuntu, or CentOS.

Little wonder, then, that 95% of all security events detected by intrusion prevention systems (IPSs) targeted those operating systems, with 43% of attacks and probes aimed at Amazon Linux, 29% at Red Hat Enterprise Linux, 15% at various flavors of Ubuntu, and 8% at CentOS, according to Trend Micro data. The data represents events logged by 100,000 unique Linux hosts.

"Most of the applications and workloads exposed to the internet run applications, [with] web application attacks happen to be the most common attack vector in our telemetry," Trend Micro states in the report. "If launched successfully, web app attacks can allow hackers to execute arbitrary scripts, compromise secrets, or modify, extract, and even destroy data."

The data comes from Trend Micro's data lake combining the detections across all the company's products, augmented with additional data from honeypots, sensors, and other telemetry. The company logged 13 million events linked to malware, which mainly included Linux containers that had malicious code and either were downloaded by an attacker or mistakenly downloaded by a developer or operations teams. Coin miners, Web shells, and ransomware made up the majority of the malicious containers, accounting for 26%, 20%, and 12%, respectively, of the events logged by Trend Micro.

The company also analyzed the more than 50 million events of attempted exploitation, of which 40% targeted the Apache Struts Web application framework and 36% targeted the Netty client-server framework. The most common vulnerabilities are more than 3 years old, but companies are often slow to refresh their container infrastructure, says Ansari.

"Organizations that are using infrastructure as code, and they are deploying the same infrastructure across containers time and time again," he says. "Those environments are not based on the most up-to-date images. If you are putting out a CentOS kernel that you have used for the past two years, then the need to update those images ... is crucial."

Unfortunately, security operations teams are often short on staff and are slow to update container infrastructure, he says. Attackers are taking advantage of the failure to pay down security debt — about 20% of attacks are targeting the OWASP Top 10 vulnerabilities, while two simpler attacks, brute-force and directory-traversal attacks, are even more common, accounting for 59% of all attacks.

Companies need to make sure they have the staff, technology, and processes in place to keep containers up to date and have some runtime controls in place, Ansari says.

"If you boil it down to our major recommendations, we are asking three big questions: How secure are your images, can your images be trusted, and do you have the the proper identity and access?" he says. "A lot of companies do not have the same capabilities in the cloud as on-premises, and they need to be aware of that."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights