Attacks on Linux Servers Rose 75% Over Last Year, Warn Security Researchers

"There's been a big rise in ransomware attacks targeting Linux," reports ZDNet, "as cyber criminals look to expand their options and exploit an operating system that is often overlooked when businesses think about security." According to analysis by cybersecurity researchers at Trend Micro, Linux servers are "increasingly coming under fire" from ransomware attacks, with detections up by 75% over the course of the last year as cyber criminals look to expand their attacks beyond Windows operating systems.

Linux powers important enterprise IT infrastructure including servers, which makes it an attractive target for ransomware gangs — particularly when a perceived lack of threat to Linux systems compared with Windows means that cybersecurity teams might choose to focus on defending Windows networks against cybercrime. Researchers note that ransomware groups are increasingly tailoring their attacks to focus specifically on Linux systems. For example, LockBit is one of the most prolific and successful ransomware operations of recent times and now offers the option of a Linux-based variant that is designed to target Linux systems and has been used to conduct attacks in the wild....

And it isn't just ransomware groups that are increasingly turning their attentions towards Linux — according to Trend Micro, there's been a 145% increase in Linux-based cryptocurrency-mining malware attacks, where cyber criminals secretly exploit the power of infected computers and servers to mine for cryptocurrency for themselves. One of the ways cyber criminals are compromising Linux systems is by exploiting unpatched vulnerabilities. According to the report, these flaws include CVE-2022-0847 — also known as Dirty Pipe — a bug that affects the Linux kernel from versions 5.8 and up, which attackers can use to escalate their privileges and run code. Researchers warn that this bug is "relatively easy to exploit".
The article recommends installing all security patches as soon as they're available — and implementing multi-factor authentication across your organization.

And yes, it's the real ZDNet. They've just re-designed their web site...

Wait, what?

[93 Escort Wagon]

"... as cyber criminals look to expand their options and exploit an operating system that is often overlooked when businesses think about security."

This has to have been written by someone who didn't realize until recently that anything other than Windows even existed.

Linux admins tend to obsess about security - some to an absurd extreme. So the only way I can see this being true is if a business' entire IT infrastructure is run exclusively by a bunch of Windows guys, and maybe that group spun up an Ubuntu server for kicks and then forgot about it.

Re:Wait, what?

[Gwala]

One word: Containers.

Containers let programmers deploy to production without sysadmins doing their usual lockdowns & secure version picking/patching.

This is the consequence.

Re:

[Z00L00K]

Time to consider OpenVMS x86 too.

Re:

[Anonymous Coward]

Containers let programmers deploy to production without sysadmins doing their usual lockdowns & secure version picking/patching.

Containers let programmers deploy to production with sysadmins doing their usual lockdowns & secure version picking/patching as well.

As always, it's down to the people and the decisions they make.

Containers are just another tool that can be used well and badly.

Use it well.

Re:Wait, what?

[drinkypoo]

The problem isn't containers, it's devops. I just issue this command and a bunch of things happen! And maybe they are even what I want!

Re:

[NoWayNoShapeNoForm]

The problem isn't containers, it's devops. I just issue this command and a bunch of things happen! And maybe they are even what I want!

THAT. Exactly that.

Re:

[Opportunist]

Well, no.

You can secure containers, and funny enough it is probably easier in large environments because patching the underlying template automatically updates everything above (if done right), but as anything it has to be done to work.

I think it has more to do with managers having been sold containers as the panacea for their security woes that are magically secure without any oversight needed, so there are no admins that would take care of that security.

Re:

[ZipNada]

According to the Trend Micro article it is misconfigured containers that are publicly exposed, which is a devops failure. "an attacker could abuse these nodes by installing and running malicious programs via the kubelet API".

Container event code

[Errol backfiring]

Also, the containers themselves are a risk. If you manage to take over one container, it is sometimes possible to inject "after stop" code which runs as root in the hypervisor. This only works in badly configured situations, but there are enough of those to be useful to hackers.

Containers!

[Qbertino]

Yeah, that fad is going on my nerves, epic style. We don't know what we're doing and we don't care but we want to play big so my decider gets his shiny-clicky buttons up and running so who gives a f*ck, we'll just use container-virstualisation.

Meanwhile 99% of problems would be solved with stable and resonably maintained LAMP setup and programmers who knew some basics about security. ... Not that that's likely to go mainstream either.

Re:

[bjhavard]

This has to have been written by someone who didn't realize until recently that anything other than Windows even existed.

It's ZDNet, what did you expect?

Re:

[Voyager529]

This has to have been written by someone who didn't realize until recently that anything other than Windows even existed.

It's ZDNet, what did you expect?

ZDNet has gone to crap over the past few years. In the 2000s, they were generally focused toward IT pros and managers, writing the sort of articles that assumed a reasonable level of understanding and reflecting some investigative journalism here and there.

Now, they're just another clickbait site. Scroll down the article feed and see how many "best X" articles there are. Others are "how to get photos off your iphone", or something similar that is targeting the most basic of the basic use cases.

Mary-Jo Foley

Re:

[gosso920]

FUD, to the nth degree.

Yup.

[Subsentient]

Been getting lots of concerning sshd and lighttpd logs more and more frequently lately. I've had them attack my personal desktops open to the WAN with a nonstandard port, too. Turn off password authentication in sshd, patch your systems religiously, and if your distro has something like SELinux, use it. SELinux is a pain in the ass even when you know the basics, but it's worth it. It makes a really big difference.

Re:

[Anonymouse Cowtard]

found the honeypot

Re:

[Z00L00K]

Setting iptables to limit number of connection attempts from an IP address and then drop that traffic can go a long way.

Re:Yup.

[Opportunist]

Limiting it to one attempt per second already did wonders. No human, and not even any benign automated processes I know, try to connect more than once a second.

Re:

[thegarbz]

Actually back when I first had issues with my server there were attempts even with heavy rate limits originating from the same IP. It wasn't until I setup fail2ban to automatically nuke those pesky IPs that they finally stopped. And even then some didn't stop when I setup a 1hour ban, 3 failed logins, 1 hour ban, the hour up and sure enough the same IP tries again.

It won't amount to much at the low rate of logon attempts, but don't underestimate the tenacity of a piece of automated code.

Re:

[Opportunist]

It's like watching WoW fishing-bots after you attack and disarm them, I know...

Re:

[Arnonyrnous Covvard]

The whole IPv4 internet is slow-scanned many times a day. Rate-limits only catch amateurs. Not to say rate-limits aren't worthwhile, because log-spam can be a problem, but they are not an actual defense against determined attackers.

Re:

[ls671]

I have also seen coordinated attacks on my IPs trying to brute force ssh access with 10,000 or more tries and each connection attempt was coming from a different IP address! Delay between each connection attempt could vary between 2 to 10 seconds so it wasn't a DDOS.

Re:

[markdavis]

>"I have also seen coordinated attacks on my IPs trying to brute force ssh access with 10,000 or more tries and each connection attempt was coming from a different IP address! Delay between each connection attempt could vary between 2 to 10 seconds so it wasn't a DDOS."

With a rate limiter than bans for X time after X attempts (for example 3 connections in 3 minutes bans the IP for 10 minutes) , there is no way a brute-force attack is going to work. If you run the math, one need many, many millions of at

Re:

[ufgrat]

fail2ban can go much farther.

Re:

[markdavis]

Been getting lots of concerning sshd and lighttpd logs more and more frequently lately. I've had them attack my personal desktops open to the WAN with a nonstandard port, too."

This is nothing new and has been going on forever (just a regular dictionary attack). They portscan every machine they find, so moving things to a different port doesn't really help much.

Really, very little on an important system should be exposed to the Internet as an incoming service. And if it is just ssh, you *MUST* install a ra

Re:

[whoever57]

They portscan every machine they find, so moving things to a different port doesn't really help much.

Moving SSH to a non-standard port used to be very effective at reducing the number of SSH login attempts, but recently (past year) I have noticed that, as you say, the non-standard parts are being attacked almost as much as the standard ports.

Re:

[Arnonyrnous Covvard]

It takes a while (read: hours to days) until someone finds a non-standard port, but then the scans quickly increase to the amount seen on a standard port. Non-standard ports aren't worth the trouble anymore. If you want to keep the existence of an open port secret from port scanners, use port knocking.

Re: The sooner we kick Russia off the Internet

[wierd_w]

Most of the suspicious/malicious things in my logs originate from IPs assigned to China, not Russia.

Re:

[Anonymous Coward]

It's both those countries, including Iran and yes, even the USA.

Re:

[Opportunist]

Well, while we're at kicking Russia off... I mean, you're already editing the tables, you can just add a few more addresses, can't you?

Re:

[stabiesoft]

That was true for me as well before ukraine. Now I see quite a bit of activity from russian ip's. I block all russian email and that too has seen an uptick in the logs. Before I rarely saw russian based email.Not saying china went anywhere, they still pop up with about the same frequency as forever.

Re:

[Anonymous Coward]

Here some statistical data about "attack traffic". https://www.govtech.com/securi... [govtech.com]

When it comes to absolute threat potential, it's China, then the US itself, then Turkey and then Russia.

Now there might be differences depending on where you live. Like if you lived in Russia, the likelihood to be attacked from within Russia is a lot lower.

So don't expect to see a greater dent in this if Russia was cut off the internet.

Re:

[Arnonyrnous Covvard]

I absolutely expect that kicking Russia off the internet would make a big dent in attack traffic. If you're only looking at the direct source of attacks, you're missing that these attacks are executed from compromised systems, not "home base". These attackers are in Russia, and if you kick them off the internet, their control of foreign systems wanes.

Re:

[Arnonyrnous Covvard]

Over the last year, which has seen Russia initiate a brutal war, attacks on Linux servers rose 75%. That's a statistic, isn't it. When Russia began attacking Ukraine earlier this year, there were cyber attacks on satellite internet providers. Control access to thousands of wind turbines in Europe was lost when Viasat's modems were wiped out by Russian malware. Russia is fighting this war in every way, and there is no shortage of Russian stooges standing by to deny it.

75% increase means nothing without numbers

[rossenm1970]

75% increase makes it look like it is a big problem. But without any idea about the actual number of compromised servers it means nothing.

Re:

[VeryFluffyBunny]

Maybe they just ran out of Windows servers to infect?

Small wonder

[nospam007]

It was the year of Linux on the server.

Re:

[Tablizer]

Year of Linux on the server...for hackers.

Linux defense = Swiss cheese

[bsdetector101]

Hackers will find any hole/opening.

Re:

[Tablizer]

perv

Re:

[bsdetector101]

lmao just the truth !

Detected...but they don't say successful. FUD?

[farrellj]

At first blush, the article seems to be saying that Linux systems are becoming more and more like Windows in terms of various types of malware. A careful reading of the well-crafted article will notice that they don't say "infections", it just says "attempts". To be more explicit, it says *attacks*, not "successful" attacks. The way the article is written would lead one to believe that Linux suffering more and more from ransomware and is just like Windows, but the reality is that although the number of attacks may be up, there is no indication that they are being *successful*. The article verges on being an example of fomenting "Fear Uncertainty Doubt", or FUD. I will not attribute nefarious intent when incompetence would adequately explain this article...but I do leave it up to the reader to decide how they judge it.

Re:

[markdavis]

>"The way the article is written would lead one to believe that Linux suffering more and more from ransomware and is just like Windows'

Well, of course. Welcome to modern journalism. Everything has to be misleading to sensationalize such that it will get people to read it.

It is, indeed, FUD. And it seems much of it is to push companies to buy commercial "malware detection" stuff.

That is not to say there aren't threats to Linux system security, and we shouldn't take them seriously, of course. But it wi

Re:

[whoever57]

This is what ZDNet has always been.

Re:

[thegarbz]

And yet it's not FUD. The past 10 years have shown quite clearly that open source doesn't make something magically bug free and if you compare the past 10 years to the 10 years preceding there definitely has been an uptick in *successful* attacks on Linux, including some prominent enough to make the news, and effective enough to take out some higher profile targets (e.g. Texas DoT).

The reality remains the overwhelming majority of successful attacks on any platform are permitted by the user, where the user i

We make $thing, you need $thing

[eneville]

No surprise that a malware/AV company wants to tell people to use their product on what looks like promising land from their point of view, if only you can convince the property owners to invest.

As others have mentioned though, most of this goes away with SELinux and limit dictionary attacks (fail2ban). At least fail2ban should stop disk fill attacks on /var/logs too :)

Re:

[Opportunist]

And now for those that think fail2ban is some mumble rap group...

You do know that the internet today doesn't require an IQ above room temperature anymore to connect a machine to a multi-megabit pipe. These people are the real problem, and for those, I'm glad that those companies exist.

Re:

[gosso920]

fail2ban ain't nothin' to fsck with!

Re:

[eneville]

You do know that the internet today doesn't require an IQ above room temperature anymore to connect a machine to a multi-megabit pipe. These people are the real problem, and for those, I'm glad that those companies exist.

For those companies Trend et al are insurance providers since they didn't invest in good staff to secure the infrastructure. They /hope/ that AV/anti-malware plugs the hole when it hits the fan.

Re:We make $thing, you need $thing

[markdavis]

>"And now for those that think fail2ban is some mumble rap group... You do know that the internet today doesn't require an IQ above room temperature anymore to connect a machine to a multi-megabit pipe. These people are the real problem,"

And I have been advocating that rate limiting/banning should be a STANDARD CONFIGURATION for Linux distros for many years. And it still hasn't happened.

One could argue that it should be included INSIDE sshd and turned on BY DEFAULT, since it is the one service most likely to be allowed through a firewall into Linux systems. Just a little bit of code to say "after X failed attempts in X seconds, disallow for X seconds" would do wonders. It would completely shut down any possibility of brute-force attack.

You don't even need something as complex as "fail2ban". A simple 3 line iptables rule in your firewall works almost as well, blocking for 60 seconds after 4 connections within a minute (and if they do connect again, it will reset the clock to another minute of banning): /sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH /sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "sshd_brute_force_block " /sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

This will not cause a DOS and will be just as effective against a massive attack from many machines. My home system runs sshd on a non-standard port and yet still has over 9000 brute force blocks per week. And that is the only incoming service allowed.

Re: We make $thing, you need $thing

[Big Hairy Gorilla]

Was going to mod up but couldn't decide between "insightful" and "funny".... +100% on the iptables comments ... also, there is something called "mumble rap?" ... chuckles all the way to google search on "mumble rap"...

Re:

[markdavis]

What part was funny? Slashdot turned my iptables lines into a paragraph, though. Annoying. Here it is with paragraph tags:

/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH

/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "sshd_brute_force_block "

/sbin/iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcoun

Re:

[drinkypoo]

That's cool when your attacker doesn't use a botnet.

Which is not to say that it's worthless, but since security still sucks, there are still botnets, and people can still simply buy access to them

Re:

[markdavis]

>"That's cool when your attacker doesn't use a botnet."

It is still effective, even with botnets. Math is on our side. It could take many, many millions of attempts to crack a single account. Even with a 10,000 machine botnet, each machine would only get a tiny number of trials before being locked out. And if they don't back off for long enough, they are locked out perpetually. It simply isn't enough attempts to matter, statistically. Of course, this does assume reasonable passwords (which is the de

Re:

[markdavis]

>"What you're asking might actually be considered harmful because it's a poor solution compared to what should actually be done."

It is an infinitely better solution than nothing at all, which is the default.

>"It also won't work well with IPv6, if the attacker has access to billions of IP blocks."

True. But, like most (many?), I don't have IPv6 enabled :) Of course, it will come.

>"If you truly need connect from anywhere, use a separate server with port knocking enabled."

I did list port knocking as

Finally, year of Linux Desktop has arrived

[JoeyRox]

/s

Rate of change of vulnerabilities by platform?

[david.emery]

Surely someone has plotted CERT advisories by platform/OS/target, and can look at trends there. I still insist the best way to address cybersecurity is not with add-on products and services, but with not having vulnerabilities in the first place.

But of course, noting that some platforms have fewer vulnerabilities (both in absolute numbers or in rate-of-finding-new-ones) does not prevent exploitation of those that have been found. So the next set of statistics should be some measure of how long vulnerabil

Re:

[mikechant]

Linux is a fancy toy

Found the (poor) troll. Linux runs the world. No, not the desktop, the world.

Re:

[drinkypoo]

Not just that, he thinks that proprietary software is somehow better.

Instead of a critical component being maintained by one guy on the internet, it just isn't maintained

Open source projects to stop server hacking

[mabu]

There are several new open source projects that we've been using to stop server attacks:

https://github.com/DPsystems/L... [github.com]

and

https://github.com/DPsystems/w... [github.com]

The use of these two utilities has stopped 90+% of all my attacks and system probes. It's basically a ipset ipv4 blacklist, works great as a companion to Fail2Ban and takes a ton of stress away from F2B by wholesale blocking certain address ranges (for example, should other server space that aren't authorized web crawlers be able to hit your web server

Re:

[WhatAreYouDoingHere]

(for example, should other server space that aren't authorized web crawlers be able to hit your web server? 99% of that is nefarious)

I haven't authorized *any* web crawlers. They are *all* nefarious.

Go away billg /s

[takionya]

Yet more anti Linux FUD from the Microsoft ZDNET.

Is this only only VM Ware?

[micheas]

The few advisories I've read show that the ransomware toolkits have been ported to exploit VMWare, but nothing else.

While this is a big issue, it also doesn't impact the majority of sysadmins as that level of abstraction is generally dealt with by AWS, Azure, and GCP admins.

From what I've seen in the advisories (And I may have missed some things) it has mostly made me skeptical of using VM Ware and would want lots of assurances before going down that route (like I had a staff of people who know how to lock