Does Linux need protecting?

News reports of Linux threats have been increasingly frequent lately. Here’s what you can do about it.

Until recently, large swaths of the IT community were convinced that Linux machines didn’t need protection — that the system’s architecture, being intrinsically near invulnerable, held no interest for attackers, and the very ideology of open-source code served as a kind of guarantee against unexpected, serious vulnerabilities. In recent years, however, even hardheaded infosec officers have come to realize such statements have little basis in fact.

Threats to Linux servers

As long as cybercrime was focused solely on making money at end users’ expense, Linux servers were indeed relatively safe. But modern cybercriminals set their sights on business, with its greater potential for much bigger payouts, long ago. And that is where the various Linux builds have come under serious scrutiny. After all, a server is of strategic interest to any attacker regardless of purpose, be it espionage, sabotage, or ordinary ransomware distribution. You don’t have to look far or wide for examples.

  • Last November, our experts found a modification of the RansomEXX Trojan that could encrypt data on Linux machines. Tailored for targeted attacks on specific organizations (the code and ransom note are customized for each new target), the Trojan was already in use at the time of discovery.
  • DarkRadiation ransomware, detected this summer, is purpose-built for attacks on Red Hat/CentOS and Debian Linux, and it can stop all Docker containers on affected machines. The malware is written entirely in a Bash script, and it uses a Telegram messenger API to communicate with C&C servers.
  • Almost every modern APT group has backdoors, rootkits, or exploit code for Linux. Our Global Research & Analysis Team (GReAT) published a study of the latest APT tools targeting Linux machines.

Although the open-source community carefully studies distributions, collectively discusses vulnerabilities, and releases information about them responsibly (most of the time), administrators don’t always update their Linux servers. Many still figure, “if it ain’t broke, don’t fix it.”

That philosophy prevails despite some vulnerabilities being quite serious. For example, cybercriminals can use CVE-2021-3560, found in the polkit system service (installed by default in many Linux distributions) and published in June of 2021, for privilege escalation. The vulnerability received a score of 7.8 out of 10 on the CVSS v3 scale.

How to secure Linux servers

Kaspersky Endpoint Security for Linux has long protected users from such problems. However, with the rising number of attacks on servers running on Linux, we decided to update our solution with a number of new technologies.

First, the solution now features full Application Control (a technology for running only those applications in the trusted list, or blocking those in the untrusted list). To help users configure this module, we added features to inventory executable programs and define custom categories. That ensures highly effective protection against a very wide range of threats. Second, the time had come to strengthen the system’s antiransomware capability (malware of this type is now detected by its behavior).

We are also aware that a significant share of Linux machines are cloud servers, not physical machines running in clients’ offices. Moreover, thanks to the development of containerization technologies, it is now possible to run applications in containers, enabling admins to solve scalability issues, increasing application stability, and improving computing resource efficiency. Therefore, we focused on scenarios for deploying the solution in public clouds and protecting containerization platforms (Docker, Podman, Cri-O, and Runc). Those apply to both threat detection mode for launched containers, enabling techs to identify particular containers containing threats and specifying paths to malicious files (in a runtime environment), and as a service for checking container images on demand (both local and located in repositories). In the latter scenario, it is possible to launch Kaspersky Endpoint Security for Linux inside a Docker container and use it to scan other containers for threats using the RESTful API, which serves to automate the tasks of scanning container images, for example, in the CI/CD pipeline.

Users now have more than one option for managing the protection of servers and container loads in public clouds such as Microsoft Azure, AWS, Google Cloud, and Yandex Cloud. The first is through the console, whether in an in-house data center or in a public cloud. The second is through the Kaspersky Security Center Cloud Console, deployed and supported by us, leaving the administrator free to focus on managing the protection of their infrastructure.

Kaspersky Endpoint Security for Linux is part of the Kaspersky Hybrid Cloud solutions suite. It integrates with the Kaspersky Managed Detection and Response service, which handles the particularly dangerous cyberthreats that can bypass automatic barriers.