It was once hard to believe, but Linux users are now starting to understand that the malware-free experience they once had is quickly disappearing. And it’s a big wake-up call.
Over the last several years, there has been an alarming increase in malware, ransomware, and malicious code that targets Linux systems. In fact, a recent study found that Linux malware now accounts for greater than one-third of all malware. This means Linux users can no longer operate under the assumption that only Windows is at risk for these types of malicious attacks. Research also indicates that Linux systems attacks have tripled since 2016 and that attackers of various skill levels have identified opportunities to exploit Linux directly.
With this disturbing trend in mind, let’s take a look at why Linux attacks are occurring and what you can do to avoid them:
1) Assuming Linux Is Not a Target—And Doing Nothing
Hopefully by now, you are beyond complacency. But there are still many users who assume their Linux systems are fairly untouchable and choose inaction over readiness. Think for a moment of Java and other cross-platform solutions, which are designed to work on multiple platforms without modification. With the advent of Java based malware like HEUR: Backdoor, it no longer matters which operating system you’re using. This means they can also be executed on Linux systems and cause significant damage.
Though Windows threats may be more common, you can’t presume that Linux is more secure than Windows and subsequently conclude Linux is totally secure. Whether it’s outdated knowledge or a bias towards the OS, administrators may be totally unprepared to face the risks of their Linux systems.
2) Leaving Entry Points for Malware in Unpatched Services for Other Services
Content management systems like Drupal and WordPress have given end users powerful tools to manage websites and content, with newer modules and plugins making them even more useful. A large majority of these third-party tools hook directly into the most powerful permissions of your servers, including FTP write access. Unfortunately, some of these plugins are not always built well or securely, making these tools new entry points for attacks. This means simply patching web servers like Apache, nginx, or Varnish does not remedy the problem. You must stay ahead and beware of the weaknesses of the services running on top of other services to ensure you are not vulnerable and are completely protected.
3) Believing Linux Systems Do Not Pass Viruses and Malware to Other Systems
If you think it’s impossible that there are native viruses on your Linux machines, think again. Linux systems can be “resistant carriers” that can actually pass malware to vulnerable systems. If you believe your Linux machines cannot become a carrier for Windows malware, you’re wrong again. You need native OS virus tools, as well as signature files and behavior-based detection, to look for and remediate both types of threats, particularly threats that live in a Linux filesystem, which PC-based scan engines cannot detect.
4) Thinking Files on Other Platforms Cannot Be Encrypted and Locked for Ransomware
Whether it’s Windows, Mac, Linux, IBM i or AIX, files on any filesystem are vulnerable to malware. While Linux was never completely secure, today it is much less so. Unpatched software, like SSH and common services like Apache and FTP, increase vulnerability. While regular updates and patching lower risks, many people often see these critical tasks as optional and ignore notifications prompting them to do so. Many do this out of forgetfulness, while others fear potentially disrupting customized applications that rely on older versions. However, if updates are not performed out of concern for breaking an older app that may also be outdated and in need of updates, you should ask yourself if the costs of redeveloping an app outweigh the security risks.
5) Leaving Linux Filesystems Open and Vulnerable with Remote, Non-Native Scans
Because they look and behave like any other Windows share, Linux Samba shares may enable users to forget they are actually Linux. However, remote Windows antivirus tools have a number of problems. First, they invite permission vulnerabilities and do not fully scan for Linux-native malware. They may also fail with a network or power hiccup and tend to overtax a network if scanning large directories or big files.
To gain clarity into UNIX-specific threats, and to eliminate the inherent risks of running scans across a network, you should instead use a local, Linux-based scanning tool. Avoid the hassle of potential scanning failures and speed up scanning with native solutions that do not rely on network limitations. Since Linux-native tools are developed specifically for Linux, they use signature files and behavioral scanning designed to detect Linux-specific threats.
6) Making Network Traffic Vulnerable with Unencrypted Remote Shares
Relying on Windows tools to scan contents of Linux shares over a network can leave traffic exposed. Even if only your team has access, you should recognize that some of the largest hacks ever perpetrated were carried out by disgruntled employees seeking to do harm or insiders looking to gain financially. While you should not be overly paranoid, remember, you should keep the rule of least-privilege in mind and limit access to only those that need it.
7) Allowing the Scale of Your Operations to Keep You from Monitoring Everything
Whether on-premise or off, virtualization and containerization have made it easy to spin up new hosts across your entire infrastructure. However, this can be difficult to manage securely, especially if you have not automated or standardized deployments and patching. You should consider automation and a native-OS malware scanning tool that can scan Linux hosts systematically to keep you informed.
Remember, it takes only one vulnerable container with a few exposed ports for attackers to get into your network. While manually checking logs on a limited number of machines may work for the short-term, as the number of hosts grow, you cannot rely solely on human analysis.
If you have grown beyond just a handful of servers or appliances, you should consider tools like Ansible, Chef, and Puppet to advance your automation. Imagine how easy it would be to check for updates reliably or search for older versions of Apache on your systems at once with a few simple lines of code. Open-source versions of these and other tools are readily available and can enable you to keep updated with a documented trail to prove it.
8) Keeping Policies That Do Not Limit Remote Root and Power-User Access
When deploying Linux Samba shares or other connections between systems, verify that you have well-defined user and group policies that follow the least-privilege rule. This ensures that you do not create vulnerabilities by taking shortcuts on access. Make sure to invest time up front so you are not setting yourself up for attacks. And if you are moving data in the clear, even just across your LAN, don’t overlook the importance of encrypting that data. Establishing machine-level firewall rules and deploying certificates is not difficult, but these small measures truly do make your systems less vulnerable and prevent attacks.
9) Ignoring the Importance of Education for Users and Admins
Threats and attacks are frustrating to system administrators and IT practitioners because they take time away from valuable work. Rather than blaming admins or end users, it is more productive to develop a culture of vigilance that rewards users for recognizing threats rather than dismissing them. Ensure that you take time to educates employees on best practices and warning signs to reinforce the importance of watchfulness across your organization.
10) Choosing an Antivirus Solution Without Consideration
Not all antivirus solutions were created equal. As mentioned above, native antivirus for Linux is superior to a Windows based solution. But there are large differences between native antivirus tools that you need to take the time to research in order to make the right choice for your organization. For example, open source solutions may appeal to users upon first glance because they are advertised as free. However, maintenance and set up requirements are more complex and cost more time and effort from security teams. Other critical factors like ease of use, performance, detection rates, support, scalability, and centralized management should also be carefully considered before making a decision.
Lowering Your Vulnerability Starts Now
Linux has been so heavily relied upon as a reliable system capable of handling heavy duty tasks for enterprise servers. This is the very reason it has become a legitimate target for attackers. The data they store and the networks they support are so valuable, attackers have decided it is worth the time to invest in creating malware geared toward Linux. Rather than ignoring the reality of what is occurring today, make sure you take the simple steps to decrease your vulnerability and reduce your risk significantly. It will not just make your systems more secure, it will also make you more secure.