Just recently, LinuxSecurity published a feature article exploring the rise in attacks targeting Linux, their implications for Linux users and the conclusions that can be drawn about the security of the operating system based on this disheartening trend. Now, yet another frightening attack campaign exploiting Linux has come to light. 

In a new report, security researchers from BlackBerry reveal that Chinese state hackers have been successfully infiltrating critical Linux servers with little to no detection since 2012. The researchers identified a previously undocumented Linux malware toolset including two kernel-level rootkits and three backdoors. BlackBerry’s research has also linked this “decade of Chinese RATs” (remote access trojans: programs that enable covert surveillance or give threat actors unauthorized access to a victim’s PC) to one of the largest Linux botnets ever discovered, concluding that the campaign - which has impacted a significant number of organizations - has been “highly profitable” and that “the duration of the infections is lengthy”. The cross-platform aspect of these attacks is also particularly concerning, given the security challenges that have arisen from the sudden increase in remote workers due to the COVID-19 pandemic.


The Re-Emergence of WINNTI TTPs: Who’s Responsible?

BlackBerry is confident that these attacks can be attributed to five advanced persistent threat (APT) groups, which have displayed WINNTI-like tactics, techniques and procedures (TTPs) in their exploits. BlackBerry’s findings suggest that these threat groups collaborate, given the distinct similarities in their TTPs. According to BlackBerry researchers, these TTPs target Red Hat Enterprise, Ubuntu and CentOS Linux environments, along with Windows systems and Android mobile devices, for cyber espionage and intellectual property theft “systematically across a wide array of industry verticals”.


The Dark Side of Open Source

BlackBerry’s recent report also reveals that China invests far more effort and resources in open-source development and collection than most other countries - and state-sponsored threat groups are reaping the benefits. Open-source software is attractive to cyber criminals because it enables them to capitalize on others’ work and innovation. There is also more plausible deniability due to the transparency of open-source code. Eric Cornelius, Chief Product Officer at BlackBerry, explains, "When people find it, they'll have a difficult time finding any attribution beyond open-source framework. When you custom develop software from the ground up, you put a lot of yourself into it which allows for meaningful attribution."


How Serious is This Threat?

Although Linux is becoming increasingly popular and mainstream due to the advantages it offers users, including high levels of flexibility and security, the OS still holds a mere 1.71% of the global desktop operating system market share, compared to 77.1% for Windows. Initially, this may give the impression that attacks targeting Linux are relatively insignificant. What often gets overlooked is that Linux powers 75% of all web servers and major cloud service providers and 98% of the world’s most advanced supercomputers. BlackBerry’s report reinforces the importance of these persistent RAT infections by listing the organizations that use Linux, which include the US Department of Defense and most other US government agencies, Google, Amazon and Yahoo. Needless to say, the role that Linux - and the attacks against it - plays in most of our lives is significant, whether we recognize it or not. Cornelius evaluates, "The machines running Linux are extraordinarily important devices but they are in the minority." Nevertheless, the security of Linux servers is a critical issue.


The Deeper Meaning: Is Linux Secure?

While it can be easy to jump to conclusions and blame the recent plethora of attacks targeting Linux on the OS as a whole, doing so is both unfair and largely inaccurate. Like any other OS, Linux needs constant maintenance and monitoring by experienced engineers in order to remain secure. In many cases, attacks on Linux servers can be attributed to administration issues and vulnerabilities in individual accounts, as opposed to flaws in the Linux operating system. LinuxSecurity Founder Dave Wreski explains, “Although it may be easy to blame the rise in attacks targeting Linux in recent years on security vulnerabilities in the operating system as a whole, this is simply not the truth. The majority of exploits on Linux systems can be attributed to misconfigured servers and poor administration. Proper setup and maintenance along with a layered approach to security is the key to preventing attacks.”

Some experts argue that it is the popularity of Linux that makes it a target. Joe McManus, Director of Security at Canonical, explains: “Linux and, particularly Ubuntu, are incredibly secure systems but, that being said, it is their popularity that makes them a target.” Ian Thornton-Trump, a threat intelligence expert and the CISO at Cyjax, adds: “From an economic and mission perspective, it makes sense for a threat actor to invest in open-source skills for flexibility and the ability to target the systems where the good stuff is happening.”

Despite the increasing number of threats targeting Linux systems, there is still a sound argument for the inherent security of Linux, which can be attributed to the core fundamentals of Open Source. Due to the transparency of open-source code and the constant scrutiny that this code undergoes by a vibrant global community, vulnerabilities are identified and remedied more quickly than flaws in the opaque source code of proprietary software and operating systems. Threat actors recognize this, and still direct the majority of their attacks at proprietary operating systems.

These attacks do, however, serve as a much-needed wakeup call for the security community that more needs to be done to protect Linux servers. BlackBerry’s report reveals that the security solutions and defensive coverage available within Linux environments are “immature at best”. Endpoint protection, detection and response products are under-utilized by too many Linux users, and the endpoint solutions available for Linux systems are often insufficient in combating advanced exploits. Cornelius evaluates: “Security products and services that support Linux, offerings that might detect and give us insight into a threat like this, are relatively lacking compared to other operating systems, and security research about APT use of Linux malware is also relatively sparse.”