Kaspersky finds advanced persistent threat groups actively targeting Linux-based workstations and servers

Woburn, MA – September 10, 2020 – New Kaspersky research has found that a growing number of threat actors are executing targeted attacks against Linux-based devices and developing more Linux-focused tools. According to the researchers, diversification of threat actors’ arsenals with these tools enables them to conduct operations more effectively and with wider reach.

Many organizations choose Linux for strategically important servers and systems, partly because the operating system is thought to be safer from cyberthreats than the far more popular Windows operating system. While this is the case for mass malware attacks, it is not necessarily the case when it comes to advanced persistent threats (APTs).

Over the past eight years, over a dozen APT actors have been observed to use Linux malware or some Linux-based modules. These include such infamous threat groups as Barium, Sofacy, the Lamberts, and Equation, as well as more recent campaigns such as LightSpy by TwoSail Junk and WellMess.

There is a significant trend in many countries toward using Linux as a desktop environment by large enterprise companies, as well as in governmental entities. This has pushed threat actors to develop malware for the platform. The myth that Linux, being a less popular operating system, is unlikely to be targeted by malware, invites additional cybersecurity risks. While targeted attacks on Linux-based systems are still uncommon, there is certainly malware designed for them, including webshells, backdoors, rootkits and even custom-made exploits.

The small number of attacks is misleading, since the successful compromise of a server running Linux often leads to significant consequences. This can involve attackers not only being able to access the infected device, but also endpoints running Windows or macOS, thus providing wider access for attackers that might go unnoticed.

For instance, Turla, a prolific Russian-speaking group known for its covert exfiltration tactics, has significantly changed its toolset over the years, including the use of Linux backdoors. Reported earlier in the year, a new modification of the Penguin_x64 Linux backdoor has infected dozens of servers in Europe and the US, as recently as July 2020, according to Kaspersky telemetry.

Another example is Lazarus, a Korean-speaking APT group, which continues to diversify its toolset and develop non-Windows malware. Kaspersky recently reported on the multi-platform framework called MATA and, in June 2020, researchers analyzed new samples linked to the Lazarus “OperationAppleJeus” and “TangoDaiwbo” campaigns, used in financial and espionage attacks. The samples studied included Linux malware.

“The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception,” said Yury Namestnikov, head of Kaspersky’s Global Research and Analysis Team (GReAT) in Russia. “Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. We advise cybersecurity experts to take this trend into account and implement additional measures to protect their servers and workstations.”

In order to avoid falling victim to a targeted attack on Linux by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

• Maintain a list of trusted software sources and avoid using unencrypted update channels
• Do not run binaries and scripts from untrusted sources. Widely advertised ways to install programs with commands like “curl https://install-url | sudo bash” pose a major security risk
• Make sure your update procedure is effective and that you set up automatic security updates
• Spend time to set up your firewall properly: make sure it logs network activity, block all ports you don't use, and minimize your network footprint
• Use key-based SSH authentication and protect keys with passwords
• Use 2FA (two-factor authentication) and store sensitive keys on external token devices (e.g. Yubikey)
• Use an out-of-band network tap to independently monitor and analyze network communications of your Linux systems
• Maintain system executable file integrity and review configuration file changes regularly
• Be prepared for insider/physical attacks: use full disk encryption, trusted/safe boots and put tamper-evident security tape on your critical hardware
• Audit the system and check logs for indicators of attack
• Run penetration tests on your Linux setup

Read the full overview of Linux APT attacks and a deeper explanation of the security recommendations on Securelist.com.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact
Sawyer Van Hor
sawyer.vanhorn@Kaspersky.com
(781) 503-1866