Kaspersky says Linux systems are increasingly being targeted by hackers
Hackers are increasingly turning their attention to attacking Linux servers and workstations, according to security researchers from Kaspersky.
While it is Windows systems that have traditionally been in the cross-hairs of attackers, advanced persistent threats (APTs) are now a serious issue in the Linux world. Linux systems are being specifically targeted with an ever-widening selection of malware tools.
Although it is far from unknown for Linux malware to be spotted -- and there have been numerous notable examples from the likes of TwoSail Junk, Sofacy and Equation -- Kaspersky points out that despite the widely held impression that Linux systems are rarely or never targeted, there are in fact many webshells, backdoors and rootkits designed specifically for Linux.
One recent example is an updated version of the Penguin_x64 Linux backdoor from the Russian group Turla. Korean malware group Lazarus has also increased its Linux malware arsenal, with various tools being used in spying and financial attacks.
Yury Namestnikov, Kaspersky's head of Global Research and Analysis Team (GReAT) in Russia, says:
The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception. Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. We advise cybersecurity experts to take this trend into account and implement additional measures to protect their servers and workstations.
The security company shares details of a number of steps that can be taken to help protect Linux systems from APTs:
- Maintain a list of trusted software sources and avoid using unencrypted update channels
- Do not run binaries and scripts from untrusted sources. Widely advertised ways to install programs with commands like "curl https://install-url | sudo bash" pose a security nightmare
- Make sure your update procedure is effective and set up automatic security updates
- Spend time to set up your firewall properly: make sure it logs network activity, block all ports you don't use, and minimize your network footprint
- Use key-based SSH authentication and protect keys with passwords
- Use 2FA (two-factor authentication) and store sensitive keys on external token devices (e.g. YubiKey)
- Use an out-of-band network tap to independently monitor and analyze network communications of your Linux systems
- Maintain system executable file integrity and review configuration file changes regularly
- Be prepared for insider/physical attacks: use full disk encryption, trusted/safe boots and put tamper-evident security tape on your critical hardware
- Audit the system and check logs for indicators of attack
- Run penetration tests on your Linux setup
- Use a dedicated security solution with Linux protection such as Integrated Endpoint Security. This provides web and network protection to detect phishing, malicious web sites and network attacks as well as device control, allowing users to define rules for transferring data to other devices
- Kaspersky Hybrid Cloud Security allows protection for DevOps, enabling integration of security into CI/CD platforms and containers, and the scanning of images against supply-chain attacks
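As an added example (not part of Kaspersky's report or any of its products), the following Python script checks a host against three items from the list above: key-based SSH authentication, no unencrypted update channels, and executable file integrity. The sshd_config text, apt sources and hash baseline are constructed samples, and Match blocks in sshd_config are deliberately not handled.

```python
import hashlib
import re

# Constructed sample inputs (not captured from a real host) that exercise each check.
SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""
APT_SOURCES = """\
deb http://deb.debian.org/debian bookworm main
deb https://security.debian.org/debian-security bookworm-security main
"""

def sshd_findings(config_text):
    """Flag sshd settings that contradict key-only SSH login (Match blocks ignored: simplification)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if settings.get("passwordauthentication", "yes") != "no":   # OpenSSH default is yes
        findings.append("PasswordAuthentication should be 'no' (key-based auth only)")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication should be 'yes'")
    if settings.get("permitrootlogin", "prohibit-password") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin should be 'no' or 'prohibit-password'")
    return findings

def unencrypted_sources(sources_text):
    """Return apt source lines that fetch over plain http:// (an unencrypted update channel)."""
    return [l.strip() for l in sources_text.splitlines()
            if re.match(r"^deb(-src)?\s+(\[.*\]\s+)?http://", l.strip())]

def integrity_drift(baseline, current):
    """Paths from a SHA-256 baseline whose current hash differs or is missing."""
    return sorted(p for p, h in baseline.items() if current.get(p) != h)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    baseline = {"/usr/bin/ls": sha256(b"ls-v1"), "/usr/bin/ssh": sha256(b"ssh-v1")}   # constructed
    current = {"/usr/bin/ls": sha256(b"ls-v1"), "/usr/bin/ssh": sha256(b"ssh-modified")}
    for f in sshd_findings(SSHD_CONFIG) + unencrypted_sources(APT_SOURCES) + integrity_drift(baseline, current):
        print("FINDING:", f)
```

On a real host the baseline would be taken from known-good package contents and compared regularly, and the sshd and apt inputs read from /etc/ssh/sshd_config and /etc/apt/sources.list.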