2022-02-09

With its status as the most common cloud operating system cemented beyond all doubt, Linux has become a core part of organisational digital infrastructure around the world, but it is also opening up new avenues of attack for malicious actors, and the security industry needs to hurry up and get wise to this.

That is according to a newly published report from VMware’s Threat Analysis Unit (TAU), which details how malicious actors are using malware to target Linux-based operating systems. The report, Exposing malware in Linux-based multicloud environments, shows that current countermeasures are still heavily focused on Windows-based threats, with the result that many public and private cloud deployments are left vulnerable to attacks that would otherwise be easy to stop.

“Cyber criminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximise their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware.

“Rather than infecting an endpoint and then navigating to a higher-value target, cyber criminals have discovered that compromising a single server can deliver the massive payoff and access they’re looking for. Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data.

“Unfortunately, current malwares are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems.”

In compiling its report, the TAU analysed the biggest threats to Linux OSes in multicloud environments – ransomware, cryptominers and remote access tools.

Successful ransomware attacks in cloud environments can be particularly devastating, especially when combined with double- and now triple-extortion techniques, said VMware.

The report revealed evidence of new developments in Linux-based ransomware, which is now able to target the host images used to spin up workloads in virtualised environments. Examples include the DarkSide ransomware family and Defray777, which encrypts host images on ESXi servers.

VMware said this was a clear sign that attackers have figured out they need to hit more valuable assets within a cloud environment.

Cryptomining might reasonably be considered a less impactful threat to cloud environments than ransomware, and it is certainly true that it does not completely disrupt cloud environments in the same way – which is also why it can be harder to detect.

This is something malicious actors can use to their advantage, targeting a quick reward with one of two approaches – they will generally either include crypto wallet-stealing functionality in malware, or monetise stolen CPU cycles to mine cryptocurrencies, mostly focused on Monero (XMR).

VMware said 89% of cryptominers use XMRig-related libraries, so if such libraries or modules are identified in Linux binaries, it can generally be taken as evidence that an environment has been hijacked.
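As an added illustration of that detection heuristic (example code, not from the report or the article), the following Python triage check scans an ELF binary for XMRig-related indicator strings; the indicator list, the flagging threshold and the sample bytes are assumptions constructed for the example.

```python
from pathlib import Path
from typing import Dict

# Indicator substrings commonly left behind by XMRig-derived miners (assumed set,
# not taken from the report): the project name, its CPU-mining algorithm names
# and the mining-pool protocol scheme it speaks.
XMRIG_INDICATORS = (b"xmrig", b"randomx", b"cryptonight", b"stratum+tcp://")
ELF_MAGIC = b"\x7fELF"


def find_xmrig_indicators(data: bytes) -> Dict[str, int]:
    """Return each indicator found in an ELF image with its occurrence count.

    Non-ELF input yields an empty dict, so scripts and text files are skipped
    rather than producing false hits on their own contents.
    """
    if not data.startswith(ELF_MAGIC):
        return {}
    lowered = data.lower()  # case-insensitive match ("XMRig" vs "xmrig")
    hits: Dict[str, int] = {}
    for indicator in XMRIG_INDICATORS:
        count = lowered.count(indicator)
        if count:
            hits[indicator.decode()] = count
    return hits


def scan_path(path: str) -> Dict[str, int]:
    """Read a file from disk and run the indicator check on it."""
    return find_xmrig_indicators(Path(path).read_bytes())


def is_suspect(hits: Dict[str, int]) -> bool:
    # Flag for triage on the project name alone, or on two distinct
    # indicators together (threshold is an assumption, not from the report).
    return "xmrig" in hits or len(hits) >= 2


# Constructed samples: a fake 16-byte ELF identification header followed by
# strings a bundled miner would carry, and a clean counterpart.
_ELF_IDENT = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9
SAMPLE_MINER = _ELF_IDENT + b"XMRig 6.x stratum+tcp://POOL_PLACEHOLDER:3333 rx/0 randomx"
SAMPLE_CLEAN = _ELF_IDENT + b"/lib64/ld-linux-x86-64.so.2 libc.so.6 GLIBC_2.34"

if __name__ == "__main__":
    hits = find_xmrig_indicators(SAMPLE_MINER)
    print(hits, "suspect" if is_suspect(hits) else "clean")
```

A hit is a reason to pull the binary for analysis and check the host for the matching process and network activity, not a verdict on its own.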