Ransomware gangs are renowned for infighting. They squabble, they attack each other; they form alliances and desert them just as quickly. The results of this internecine conflict are often fruitful for cybersecurity researchers: take, for example, the leaking of malware code from Babuk, hacked in 2021 by cybercriminals disgruntled at being cheated by the notorious ransomware gang. The code was subsequently deployed by 10 additional ransomware gangs to target VMware ESXi servers, and spawned a string of variants that researchers have been busily patching ever since.

What was interesting about this particular family of malware, however, was that it targeted the Linux operating system – a fast favourite of developers involved in building virtual machines in cloud-based web systems, web hosting for live websites or IoT devices. Its use has spiked in recent years, with an estimated 14 million internet-facing devices running on Linux on any given day, in addition to 46.5% of the top million websites by traffic and a whopping 71.8% of IoT devices.

That’s great news for advocates of open-source software development, for which Linux has always been an example of what can be achieved when coding communities collaborate unencumbered by anything as vile as a corporate culture or a profit motive. It’s also thoroughly frightening for some cybersecurity experts. Not only is there a marked lack of ongoing research into the security of Linux-based systems as opposed to those based on more mainstream operating systems, but also no formal, overarching system for patching the vulnerabilities in this OS. Instead, as befits an open-source creation, ‘flavours’ of Linux are patched on an ad-hoc basis by developers with time and intellect to spare – a precious resource amid a veritable tsunami of cybercrime. Attackers are starting to notice. Last year, AtlasVPN found that over 1.9 million new malware threats had been detected – a year-on-year increase of 50%.

For successive geologic eras – by tech standards, at least – Linux was widely championed by Oracle CEO Larry Ellison (pictured, left) and other leading lights of Silicon Valley as a uniquely secure operating system. (Photo by Justin Sullivan/Getty Images)

Linux security

It wasn’t always this way. Bharat Mistry remembers when hackers were more concerned with hacking open old Windows systems. “I think the reason why cybercriminals stayed away was because they thought the popularity wasn’t there,” says Trend Micro’s technical director for the UK and Ireland. Imbued with lower automatic access rights and other features intended to obstruct the easy movement of malware, Linux also had a reputation for being secure by design. “But over the last six years, certainly with cloud usage, it’s [usage has] exponentially grown,” says Mistry, thereby increasing its number of potential vulnerabilities. “It’s used for everything.”

That’s largely because it’s a cheap and cheerful alternative to the mainstream OS brands, explains Mistry, with many different flavours of unlicensed Linux available. “When you look at things like web servers that are hosted in the cloud, [why] should I pay for a Windows licence?” says Mistry, speaking from the vantage point of a wily, money-conscious startup. A Linux alternative is “cheap as chips and does what I want it to do. I can put Apache on there… and get the performance that I want without the additional cost that goes with it.”

Unfortunately, if an OS is built and maintained according to the principles of open source, that means that the hackers intent on suborning it for their own ends don’t have to guess where the vulnerabilities in the system are, but instead can simply source them on GitHub and similar software forums. For his part, Ensar Seker is worried about the implications this has for the use of virtual machines (VMs) in the cloud. Invariably housing valuable corporate secrets, “virtual machines often lack the same level of security monitoring as physical systems, making it easier for attackers to go undetected for a longer period of time,” explains the chief information security officer at digital risk protection platform SOCRadar.

VMs are especially common within the financial sector. “Consider personal banking apps,” says Mistry, most of which are connected to a cloud service. “Chances are that it’s going to be a Linux-based web server that’s taking the requests.”

The fact that an overwhelming majority of the software on IoT devices is based on Linux should also be a cause of concern, adds the analyst, especially given the level of growth predicted for the smart device market over the coming decade. More ominously, adds Mistry, “we’re seeing Linux being used more and more in critical systems,” given how easy it is to fork and tailor variants of the OS to suit niche tasks compared to its mainstream competitors. 

Unsurprisingly, given hackers’ access to the OS’s source code, the malware designed to crack open open-source versions of these systems is often written to a higher standard than its Windows-targeting equivalents. It’s also proving popular among a diverse crowd of cybercriminal gangs. The four separate arms of Tilted Temple, a Chinese hacking syndicate, have all used Linux-based malware to burrow into critical national infrastructure on three continents. Other big hitters in the cybercriminal underworld, including Black Basta, LockBit and Hive, have all been recorded as having infiltrated online infrastructure using targeted Linux-chomping ransomware. Another such gang, RTM, has also been identified as trading in malicious, Linux-targeting malware on dark web forums.

It’s an open question as to how prepared cybersecurity vendors are for this new threat. After all, until fairly recently, these firms found themselves spending much more time patching vulnerabilities in more mainstream operating systems. Far fewer have taken the time to investigate just how vulnerable Linux systems can be to hacking – a missed opportunity, says Mistry. “Everyone’s been so focused on Windows over the last few years because it’s been the predominant operating system all enterprises use,” he says. “But, in the background, Linux has always been there.”

A tradesperson installs a smart doorbell. The software on many new IoT devices is increasingly built on Linux. (Photo by Martin D Brown / Shutterstock)

Future worries

Mistry doesn’t expect the current surge in Linux attacks to slow any time soon. It’ll be a while, he argues, before users and developers get wise to the risks and change their behaviour. “The vulnerabilities that are there on Linux platforms are huge,” adds Mistry. “There’s no one actively out there controlling the vulnerabilities and patching them day in, day out.”

Does this mean that its open-source framework is directly contributing to Linux’s lack of security? Indisputably less, argues Mistry. “You’ve got the openness, you’ve got the mass flexibility – the problem is when it comes to support,” explains Mistry. 

Ultimately, those companies building new software on Linux should educate themselves on the trade-offs involved in using the OS. The communities of developers tweaking and patching this flavour of Linux or that have “got people that will do things, but there’s no kind of set body to say, ‘This is the kind of direction we’re going [in]’,” says Mistry, let alone any in-built regime setting security standards. As such, adds the Trend Micro analyst, companies would be wise to implement their own regime, or create a viable audit trail for products built on some of the more outré flavours of Linux.

Might the days of Linux as a popular OS option be numbered, then? Probably not in the short term, and many cybersecurity vendors are beginning to switch on to the threat posed to Linux-based systems, says Mistry. Even so, argues Seker, each new security incident involving Linux-targeting malware only serves to chip away at its reputation as an affordable, secure and open-source alternative to the monolithic Windows and iOS. “Even a single high-profile incident can change a perception quickly if the security community doesn’t respond promptly and effectively to the threats,” he says.

The recent spate of incidents involving Linux, combined with inherent drawbacks associated with its open-source heritage, has convinced Seker that it’s no longer possible to describe the OS as inherently safe and secure. “We cannot say that anymore,” he argues. “We know that it’s very vulnerable.”
