Stay Ahead With Linux Security Features

Explore Latest Linux Security features


DISGOMOJI Spyware: Targeting Indian Government with Emoji Commands

DISGOMOJI malware represents an innovative development in cyber espionage tactics, particularly in its refined approach to targeting government agencies in India. Built by modifying an open-source project previously known as discord-c2, its appearance reinforces an emerging trend of adapting existing tools into intricate cyberespionage campaigns. DISGOMOJI's deployment is highly sophisticated: it uses Discord, a widely used legitimate service, to carry command and control (C2) messages expressed as emojis, concealing malicious activity within seemingly innocent traffic and complicating efforts to detect and neutralize the threat.

A recent analysis by the cybersecurity firm Volexity reports that DISGOMOJI appears to target systems running BOSS, a Linux distribution widely used by Indian government entities. The attackers behind the campaign, tracked as the Pakistan-based threat actor UTA0137, are clearly intent on infiltrating and potentially breaching Indian government infrastructure. DISGOMOJI appears to gain entry through phishing, an effective and common method for credential theft and malware delivery. What distinguishes DISGOMOJI is its persistence mechanism and its use of emoji commands: for example, a camera-with-flash emoji instructs the implant to take a screenshot, and a fox emoji instructs it to zip all Firefox profiles on the target device. Such commands show its clever design and let attackers collect sensitive data while leaving few obvious indicators on compromised systems.

DISGOMOJI's open-source lineage and adaptable design create a further risk: the malware can be adjusted and deployed against targets beyond India's government. Moreover, the attackers' ability to survive Discord's takedowns of malicious servers, by managing tokens so that the client configuration can be updated easily, demonstrates the difficulty of countering such a threat.

Additional Considerations

The open-source nature of DISGOMOJI raises important questions about the dual use of publicly available security tools and projects. While open-source projects are valuable for research, education and legitimate defensive purposes, they also serve as blueprints that can be modified for malicious ends. Linux administrators and security professionals, particularly in sectors likely to be targeted by espionage-focused malware, should treat DISGOMOJI as an illustration of the ongoing arms race in cyberspace, which calls for constant vigilance, education on emerging threat vectors, and layered security controls that can detect and prevent targeted threats.

DISGOMOJI marks a notable change in the threats facing Linux environments. Where traditional malware relies on text-based C2 protocols, DISGOMOJI's transmission of commands as emoji over Discord is both novel and alarming: it sidesteps security controls tuned to conventional indicators of compromise and creates new difficulties for detection and mitigation.

How Does DISGOMOJI Compare with Other Linux Malware and Ransomware?

To assess the threat, it helps to compare DISGOMOJI with other significant Linux malware that has appeared in recent years. Side by side, several aspects stand out:

Method of Communication: Most Linux-targeting threats use conventional botnet channels such as IRC or HTTP-based C2 infrastructure. DISGOMOJI instead rides on a popular, legitimate service, which makes its traffic harder to distinguish from benign communications.

Targeting and Sophistication: Where Mirai uses brute-force attacks against IoT devices to build large botnets for DDoS purposes, DISGOMOJI is focused on espionage, with targeted attacks against specific government agencies; this suggests a higher level of sophistication behind its operations, possibly including state backing.

Stealth and Persistence: DISGOMOJI uses stealth techniques such as displaying a decoy PDF to avoid arousing suspicion, and persists through cron jobs and XDG autostart entries, mechanisms also seen in other sophisticated malware. Together these make it harder for analysts to detect and remove.

How Concerned Should Linux and InfoSec Administrators Be?

Linux and InfoSec administrators should take DISGOMOJI seriously because of its unusual C2 channel, its targeted nature, and its deployment and persistence mechanisms. Awareness and preparation greatly reduce the risk; recognising that Linux systems are subject to targeted attacks is the first step, and security posture must be adjusted accordingly.

Mitigation Strategies

Administrators should implement the following measures to protect themselves from threats such as DISGOMOJI:

Enhance Monitoring and Detection: Deploy monitoring that analyses network traffic behaviour and flags anomalous patterns, such as servers or sensitive workstations using legitimate services like Discord in ways consistent with C2.

Regular System Updates and Patching: Keeping the operating system and applications current closes vulnerabilities that could serve as initial infection vectors.

Phishing Awareness Training: Since DISGOMOJI relies on phishing as its initial entry point, training staff to recognise and report phishing attempts is an essential defence.

Network Segmentation: Isolating critical networks and restricting access to essential services helps contain an outbreak should an infection occur.

Application Whitelisting and Restricted Script Execution: Block unapproved applications from running and restrict script execution to limit the malware's ability to launch its payload or establish persistence.

Security Tools with Machine Learning Capabilities: Solutions that use behavioural analysis and machine learning for threat identification may be more effective than signature-based tools against threats with novel behaviour.

Improved Email Filtering: Strengthen email security with robust filtering rules so that phishing messages are less likely to reach users.

Discord Usage Policy: Review, and where necessary restrict or monitor, the use of Discord and similar platforms on sensitive systems.

Community Vigilance: Because the malware builds on open-source code, the security community should keep monitoring and sharing intelligence on DISGOMOJI variants as a collective defence.

While DISGOMOJI poses a substantial threat to Linux systems, increased awareness, advanced detection tools, and robust security practices can reduce its impact.
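The "Stealth and Persistence" comparison above names cron jobs and XDG autostart entries as DISGOMOJI's persistence mechanisms, and the mitigation list asks for restricted script execution. The following is an added example, not code from the article or from Volexity, of how an administrator can hunt for those two mechanisms on a workstation: it parses the .desktop files in an autostart directory and the output of crontab -l, and flags commands that run from world-writable temp directories, from hidden directories under /home, or via an inline interpreter payload. The .desktop entries, the crontab text and the path /home/analyst/.vlc-cache are constructed sample data, and the heuristics are assumptions for the example rather than indicators published for this malware.

```python
"""Added example (not from the article or from Volexity): hunt for user-level
persistence via XDG autostart entries and cron jobs.  All .desktop files and
crontab lines below are constructed sample data, not real artefacts."""
import configparser
import re
import shlex
import tempfile
from pathlib import Path

# World-writable scratch directories: a legitimate autostart/cron target almost never lives there.
_WRITABLE_TMP = re.compile(r"(?<![\w/])(?:/tmp|/var/tmp|/dev/shm)(?![\w-])")
# A binary inside a dot-directory under /home is a common hiding spot; treat as "review", not proof.
_HIDDEN_HOME = re.compile(r"/home/[^/\s]+/\.[^/\s]+/")
_SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
_DOWNLOADERS = {"curl", "wget", "base64"}


def classify_command(command: str) -> list[str]:
    """Return the reasons a persistence command deserves review (empty list = nothing odd)."""
    reasons = []
    if _WRITABLE_TMP.search(command):
        reasons.append("references a world-writable temp directory")
    if _HIDDEN_HOME.search(command):
        reasons.append("references a hidden directory under /home")
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to a plain whitespace split
        argv = command.split()
    names = [Path(a).name for a in argv]
    if names and names[0] in _SHELLS and "-c" in argv[1:]:
        reasons.append("inline interpreter payload (-c)")
    tools = sorted(set(names) & _DOWNLOADERS)
    if tools:
        reasons.append("invokes downloader/decoder: " + ", ".join(tools))
    return reasons


def scan_autostart(autostart_dir: Path) -> dict[str, list[str]]:
    """Parse every .desktop file in an XDG autostart directory; map file name -> reasons for flagged ones."""
    findings = {}
    for entry in sorted(autostart_dir.glob("*.desktop")):
        # interpolation=None: Exec lines may carry %U/%f field codes; strict=False: duplicate keys occur
        cfg = configparser.ConfigParser(interpolation=None, strict=False)
        try:
            cfg.read(entry, encoding="utf-8")
        except configparser.Error:
            findings[entry.name] = ["could not parse .desktop file"]
            continue
        if not cfg.has_section("Desktop Entry"):
            continue
        section = cfg["Desktop Entry"]
        reasons = classify_command(section.get("Exec", ""))
        if reasons and section.getboolean("NoDisplay", fallback=False):
            reasons.append("hidden from the Startup Applications UI (NoDisplay=true)")
        if reasons:
            findings[entry.name] = reasons
    return findings


def scan_crontab(crontab_text: str) -> dict[str, list[str]]:
    """Parse crontab text (the output of crontab -l); map each flagged command to its reasons."""
    findings = {}
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                              # comments and VAR=value lines carry no command
        if line.startswith("@"):                  # @reboot, @daily, ...: one schedule token
            parts, needed = line.split(None, 1), 2
        else:                                     # m h dom mon dow command
            parts, needed = line.split(None, 5), 6
        if len(parts) < needed:
            continue
        command = parts[-1]
        reasons = classify_command(command)
        if reasons:
            findings[command] = reasons
    return findings


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Build a constructed autostart directory and crontab, then run both scanners."""
    with tempfile.TemporaryDirectory() as tmp:
        autostart = Path(tmp) / ".config" / "autostart"
        autostart.mkdir(parents=True)
        (autostart / "nm-applet.desktop").write_text(      # benign entry
            "[Desktop Entry]\nType=Application\nName=Network\nExec=nm-applet\n")
        (autostart / "firefox-helper.desktop").write_text( # constructed suspicious entry
            "[Desktop Entry]\nType=Application\nName=Firefox Helper\n"
            "Exec=/home/analyst/.vlc-cache/vlc-intel\nNoDisplay=true\n")
        crontab = (
            "# m h dom mon dow command\n"
            "SHELL=/bin/bash\n"
            "0 3 * * * /usr/local/bin/backup.sh\n"
            "@reboot /home/analyst/.vlc-cache/vlc-intel &\n"
            '*/10 * * * * /bin/sh -c "cd /dev/shm && ./update"\n'
        )
        return scan_autostart(autostart), scan_crontab(crontab)


if __name__ == "__main__":
    for source, findings in zip(("autostart", "crontab"), demo()):
        for item, reasons in findings.items():
            print(f"[{source}] {item}: {'; '.join(reasons)}")
```

On a real host, point scan_autostart at ~/.config/autostart and /etc/xdg/autostart for each user and feed scan_crontab the output of crontab -l (and the files under /var/spool/cron and /etc/cron.d); the hidden-directory rule is deliberately noisy and is meant to produce a short review list, not a verdict.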
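The "Enhance Monitoring and Detection" and "Discord Usage Policy" items above say that Discord traffic from systems with no business need for it is the signal to look for. As an added example, not code from the article or from Volexity, the following scans proxy records for connections to Discord-owned domains from hosts outside an allow-list and then tests whether each host's contacts recur at a regular interval, the polling pattern a bot-driven C2 client produces. The JSON-lines log format, the allow-listed address 10.20.0.15, the sample hosts and the jitter threshold are assumptions for the example; the records are constructed, not captured from an incident.

```python
"""Added example (not from the article or from Volexity): flag Discord traffic
from hosts that have no business reason to reach Discord, and test whether
that traffic beacons at regular intervals.  Log lines are constructed sample
proxy records, not captures from a real incident."""
import json
import statistics
from collections import defaultdict

# Domains owned by Discord; the API and gateway are where a bot-driven C2 client talks.
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg", "discordapp.net")
# Hosts allowed to use Discord (e.g. a community team's workstations); assumption for the example.
ALLOWED_DISCORD_CLIENTS = {"10.20.0.15"}
MIN_EVENTS = 4           # need a few samples before calling anything a beacon
MAX_JITTER_RATIO = 0.2   # stdev/mean of inter-arrival times at or below this => regular beacon


def is_discord(host: str) -> bool:
    """True for a Discord-owned domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)


def parse_proxy_log(lines):
    """Yield (ts, src, host) from JSON-lines proxy records; malformed lines are skipped."""
    for line in lines:
        try:
            rec = json.loads(line)
            yield float(rec["ts"]), rec["src"], rec["host"]
        except (ValueError, KeyError, TypeError):
            continue


def beacon_score(timestamps):
    """Return (mean_interval, jitter_ratio) for the timestamps, or None if there are too few."""
    if len(timestamps) < MIN_EVENTS:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_discord_c2(lines):
    """Map each unexpected Discord client to the domains it reached and its beaconing assessment."""
    by_src = defaultdict(lambda: {"domains": set(), "ts": []})
    for ts, src, host in parse_proxy_log(lines):
        if is_discord(host) and src not in ALLOWED_DISCORD_CLIENTS:
            by_src[src]["domains"].add(host.lower())
            by_src[src]["ts"].append(ts)
    findings = {}
    for src, info in by_src.items():
        score = beacon_score(info["ts"])
        findings[src] = {
            "domains": sorted(info["domains"]),
            "events": len(info["ts"]),
            "beaconing": score is not None and score[1] <= MAX_JITTER_RATIO,
            "interval_s": None if score is None else round(score[0], 1),
        }
    return findings


def sample_log():
    """Constructed proxy records: one polling server, one allow-listed workstation, one one-off hit."""
    base = 1718000000
    recs = []
    for offset in (0, 60, 121, 180, 240):          # 10.20.5.42 polls the Discord API roughly every 60 s
        recs.append({"ts": base + offset, "src": "10.20.5.42", "host": "discord.com"})
    recs.append({"ts": base + 5, "src": "10.20.0.15", "host": "gateway.discord.gg"})   # allow-listed
    recs.append({"ts": base + 30, "src": "10.20.5.77", "host": "cdn.discordapp.com"})  # single hit
    recs.append({"ts": base + 45, "src": "10.20.5.42", "host": "example.org"})         # unrelated
    lines = [json.dumps(r) for r in recs]
    lines.insert(3, "this line is not JSON")      # malformed record: the parser must skip it
    return lines


if __name__ == "__main__":
    for src, info in find_discord_c2(sample_log()).items():
        print(src, info)
```

Against real data, feed it the proxy, DNS or TLS-SNI log of the segment in question; a host that is not on the allow-list, reaches discord.com and shows a low jitter ratio is a strong lead, while a single hit from a workstation is usually a user and merits a policy conversation rather than an incident.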

Published Jun 17, 2024 by Dave Wreski

Decade of RATs: BlackBerry Report on Linux Attacks and Threats

Just recently, LinuxSecurity published a feature article exploring the rise in attacks targeting Linux, their implications for Linux users, and the conclusions that can be drawn about the security of the operating system from this disheartening trend. Now yet another frightening attack campaign exploiting Linux has come to light.

In a new report, security researchers from BlackBerry reveal that Chinese state-sponsored hackers have been infiltrating critical Linux servers with little to no detection since 2012. The researchers identified a previously undocumented Linux malware toolset that includes two kernel-level rootkits and three backdoors. BlackBerry has also linked this "decade of Chinese RATs" (remote access trojans: programs that enable covert surveillance or give threat actors unauthorized access to a victim's machine) to one of the largest Linux botnets ever discovered, concluding that the campaign, which has affected a significant number of organizations, has been "highly profitable" and that "the duration of the infections is lengthy". The cross-platform reach of these attacks is particularly concerning given the security challenges created by the sudden increase in remote workers during the COVID-19 pandemic.

The Re-Emergence of WINNTI TTPs: Who's Responsible?

BlackBerry is confident that the attacks can be attributed to five advanced persistent threat (APT) groups that display WINNTI-like tactics, techniques and procedures (TTPs). The distinct similarities in their TTPs suggest that these groups collaborate. According to the researchers, the TTPs target Red Hat Enterprise Linux, Ubuntu and CentOS environments, along with Windows systems and Android mobile devices, for cyber espionage and intellectual property theft "systematically across a wide array of industry verticals".

The Dark Side of Open Source

BlackBerry's report also observes that China invests far more effort and resources in open-source development and collection than most other countries, and that state-sponsored threat groups reap the benefits. Open-source software is attractive to attackers because it lets them build on others' work and innovation, and the transparency of open-source code offers more plausible deniability. Eric Cornelius, Chief Product Officer at BlackBerry, explains, "When people find it, they'll have a difficult time finding any attribution beyond open-source framework. When you custom develop software from the ground up, you put a lot of yourself into it which allows for meaningful attribution."

How Serious Is This Threat?

Although Linux is becoming increasingly popular and mainstream thanks to the flexibility and security it offers, the OS still holds a mere 1.71% of the global desktop operating system market, compared with 77.1% for Windows. At first glance this may give the impression that attacks targeting Linux are relatively insignificant. What often gets overlooked is that Linux powers 75% of all web servers and major cloud service providers and 98% of the world's most advanced supercomputers. BlackBerry's report underlines the importance of these persistent RAT infections by listing organizations that run Linux, including the US Department of Defense and most other US government agencies, Google, Amazon and Yahoo. Needless to say, the role that Linux, and attacks against it, play in most of our lives is significant, whether we recognize it or not. Cornelius observes, "The machines running Linux are extraordinarily important devices but they are in the minority." The security of Linux servers is therefore a critical issue.

The Deeper Meaning: Is Linux Secure?

While it is easy to jump to conclusions and blame the recent plethora of attacks on the OS as a whole, doing so is both unfair and largely inaccurate. Like any other OS, Linux needs constant maintenance and monitoring by experienced engineers to remain secure. In many cases, attacks on Linux servers can be traced to administration problems and weaknesses in individual accounts rather than to flaws in the operating system itself. LinuxSecurity founder Dave Wreski explains, "Although it may be easy to blame the rise in attacks targeting Linux in recent years on security vulnerabilities in the operating system as a whole, this is simply not the truth. The majority of exploits on Linux systems can be attributed to misconfigured servers and poor administration. Proper setup and maintenance along with a layered approach to security is the key to preventing attacks." Some experts argue that it is the popularity of Linux that makes it a target. Joe McManus, Director of Security at Canonical, explains: "Linux and, particularly Ubuntu, are incredibly secure systems but, that being said, it is their popularity that makes them a target." Ian Thornton-Trump, a threat intelligence expert and the CISO at Cyjax, adds: "From an economic and mission perspective, it makes sense for a threat actor to invest in open-source skills for flexibility and the ability to target the systems where the good stuff is happening." Despite the increasing number of threats targeting Linux systems, there is still a sound argument for the inherent security of Linux, rooted in the fundamentals of open source. Because open-source code is transparent and constantly scrutinized by a vibrant global community, vulnerabilities are identified and fixed faster than flaws in the opaque source code of proprietary software and operating systems.

Threat actors recognize this and still direct the majority of their attacks at proprietary operating systems. These attacks do, however, serve as a much-needed wake-up call for the security community that more needs to be done to protect Linux servers. BlackBerry's report finds that the security solutions and defensive coverage available for Linux environments are "immature at best". Endpoint protection, detection and response products are under-used by too many Linux operators, and the endpoint solutions available for Linux are often insufficient against advanced exploits. Cornelius evaluates: "Security products and services that support Linux, offerings that might detect and give us insight into a threat like this, are relatively lacking compared to other operating systems, and security research about APT use of Linux malware is also relatively sparse."

Published Apr 15, 2020 by Brittany Day