Its reputation for security means Linux is often thought to be less vulnerable to the kinds of threats that regularly plague Microsoft Windows systems. Much of that perceived security comes from the relatively low number of Linux systems, but are cybercriminals starting to see value in choosing quality over quantity?

The Linux Threat Landscape is Changing

Security researchers at companies such as Kaspersky and Blackberry, along with federal agencies like the FBI and NSA are warning about malware authors increasing their focus on Linux.

The OS is now recognized as a gateway to valuable data such as trade secrets, intellectual property, and personnel information. Linux servers can also be used as a staging point for infection of wider networks full of Windows, macOS, and Android devices.

Even if it’s not the OS running on your desktop or laptop, your data is likely to be exposed to Linux sooner or later. Your cloud storage, VPN, and email providers, as well as your employer, health insurer, government services, or university, are almost certainly running Linux as part of their networks, and chances are you own or will own a Linux-powered Internet Of Things (IoT) device now or in the future.

An FBI sign outside one of its offices

Multiple threats have been uncovered over the past 12 months. Some are known Windows malware ported to Linux, while others have been sitting undetected on servers for almost a decade, showing just how much security teams have under-estimated the risk.

Many systems administrators might assume their organization is not important enough to be a target. However, even if your network isn’t a big prize, your suppliers or clients might prove more tempting, and getting access to your system, via a phishing attack, for example, may be a first step to infiltrating theirs. So it's worth evaluating how you protect your system.

Linux Malware Discovered in 2020

malware-scams

Here’s our round-up of the threats that have been identified over the last year.

RansomEXX Trojan

Kaspersky researchers revealed in November that this Trojan had been ported to Linux as an executable. The victim is left with files encrypted with a 256-bit AES cipher and instructions on contacting the malware authors to recover their data.

The Windows version attacked some significant targets in 2020, including Konica Minolta, the Texas Department of Transport, and the Brazilian court system.

RansomEXX is specifically tailored to each victim, with the name of the organization included in both the encrypted file extension and the email address on the ransom note.

Gitpaste-12

Gitpaste-12 is a new worm that infects x86 servers and IoT devices running Linux. It gets its name from its use of GitHub and Pastebin to download code, and for its 12 attack methods.

The worm can disable AppArmor, SELinux, firewalls, and other defenses as well as install a cryptocurrency miner.

IPStorm

Known on Windows since May 2019, a new version of this botnet capable of attacking Linux was discovered in September. It disarms Linux’s out-of-memory killer to keep itself running and kills security processes that might stop it from working.

The Linux edition comes with extra capabilities such as using SSH to find targets, exploit Steam gaming services, and crawl pornographic websites to spoof clicks on advertisements.

It also has a taste for infecting Android devices connected via Android Debug Bridge (ADB).

Drovorub

The FBI and NSA highlighted this rootkit in a warning in August. It can evade administrators and anti-virus software, run root commands, and allow hackers to upload and download files. According to the two agencies, Drovorub is the work of Fancy Bear, a group of hackers who work for the Russian government.

The infection is hard to detect, but upgrading to at least the 3.7 kernel and blocking untrusted kernel modules should help avoid it.

Lucifer

The Lucifer malicious crypto mining and distributed denial of service bot first appeared on Windows in June and on Linux in August. Lucifer’s Linux incarnation allows HTTP-based DDoS attacks as well as over TCP, UCP, and ICMP.

Penquin_x64

This new strain of the Turla Penquin family of malware was revealed by researchers in May. It’s a backdoor that allows attackers to intercept network traffic and run commands without acquiring root.

Kaspersky found the exploit running on dozens of servers in the US and Europe in July.

Doki

Doki is a backdoor tool that mainly targets poorly-set up Docker servers to install crypto miners.

While malware usually contacts predetermined IP addresses or URLs to receive instructions, Doki’s creators have set up a dynamic system which uses the Dogecoin crypto blockchain API. This makes it difficult to take down the command infrastructure as the malware operators can change the control server with just one Dogecoin transaction.

To avoid Doki, you should ensure your Docker management interface is properly configured.

TrickBot

TrickBot is a banking Trojan, used for ransomware attacks and identity theft, which has also made the move from Windows to Linux. Anchor_DNS, one of the tools used by the group behind TrickBot, appeared in a Linux variation in July.

Anchor_Linux acts as a backdoor and is usually spread via zip files. The malware sets up a cron task and contacts a control server via DNS queries.

Related: How to Spot a Phishing Email

Tycoon

The Tycoon Trojan is usually spread as a compromised Java Runtime Environment inside a zip archive. Researchers discovered it in June running on both the Windows and Linux systems of small to medium-sized businesses as well as educational institutions. It encrypts files and demands ransom payments.

Cloud Snooper

This rootkit hijacks Netfilter to hide commands and data theft amongst normal web traffic to bypass firewalls.

First identified on the Amazon Web Services cloud in February, the system can be used to control malware on any server behind any firewall.

PowerGhost

Also in February, researchers at Trend Micro discovered PowerGhost had made the leap from Windows to Linux. This is a fileless cryptocurrency-miner that can slow your system and degrade hardware through increased wear and tear.

The Linux version can uninstall or kill anti-malware products and stays active using a cron task. It can install other malware, gain root access, and spread through networks using SSH.

FritzFrog

Since this peer-to-peer (P2P) botnet was first identified in January 2020, 20 more versions have been found. Victims include governments, universities, medical centers, and banks.

Fritzfrog is fileless malware, a type of threat that lives in RAM rather than on your hard drive and exploits vulnerabilities in existing software to do its work. Instead of servers, it uses P2P to send encrypted SSH communications to coordinate attacks across different machines, update itself, and ensure work is spread evenly throughout the network.

Although it is fileless Fritzfrog does create a backdoor using a public SSH key to allow access in the future. Login information for compromised machines is then saved across the network.

Strong passwords and public key authentication offer protection against this attack. Changing your SSH port or turning off SSH access if you’re not using it is also a good idea.

FinSpy

FinFisher sells FinSpy, associated with spying on journalists and activists, as an off-the-shelf surveillance solution for governments. Previously seen on Windows and Android, Amnesty International uncovered a Linux version of the malware in November 2019.

FinSpy allows the tapping of traffic, access to private data, and the recording of video and audio from infected devices.

It came to public awareness in 2011 when protestors found a contract for the purchase of FinSpy in the offices of the brutal Egyptian security service after the overthrow of President Mubarak.

Is it Time For Linux Users to Start Taking Security Seriously?

Steel doored bank vault

While Linux users may not be as vulnerable to as many security threats as Windows users, there is no doubt the value and volume of data held by Linux systems is making the platform more attractive to cybercriminals.

If the FBI and NSA are worried, then sole traders or small businesses running Linux should start paying more attention to security now if they want to avoid becoming collateral damage during future attacks on larger organizations.

Here are our tips for protecting yourself from the growing list of Linux malware:

  • Don’t run binaries or scripts from unknown sources.
  • Install security software such as antivirus programs and rootkit detectors.
  • Be careful when installing programs using commands like curl. Don’t run the command until you fully understand what it's going to do, start your command line research here.
  • Learn how to set up your firewall properly. It should log all network activity, block unused ports, and generally keep your exposure to the network to the minimum necessary.
  • Update your system regularly; set security updates to be installed automatically.
  • Make sure your updates are being sent over encrypted connections.
  • Enable a key-based authentication system for SSH and password to protect the keys.
  • Use two-factor authentication (2FA) and keep keys on external devices such as a Yubikey.
  • Check logs for evidence of attacks.