Stay Ahead With Linux Security News

Explore Latest Linux Security news


UNC2891: Banking Heists with Linux Malware Exploiting Physical Access

UNC2891 has been working its way through gaps in ATM security and broader banking security by slipping small hardware implants into places most teams assume are locked down. Investigators found Raspberry Pi systems sitting near ATM transaction switches, quietly feeding access back to the operators while Linux tooling handled the heavier work inside the network. The group paired that access with cloned cards and a mule network that turned compromised infrastructure into predictable cashouts.

The whole operation shows how easily a determined crew can turn physical access and an overlooked embedded device into long-term leverage inside a financial environment that otherwise looks hardened on paper.

How Did UNC2891 Breach ATM Security Using Hardware Implants and Linux Malware?

Investigators traced the initial access point to a series of Raspberry Pi boards tucked into network paths that should never see unvetted hardware. Each device sat close to the ATM transaction switch, which gave the operators a clean line into systems that handle the core transaction flow. A small 4G modem handled the outbound channel, letting the attackers reach those boards without touching the bank's perimeter or dealing with its change controls.

Once inside, the group leaned on familiar Linux and Unix tooling. CAKETAP used CVE-2021-3156 to climb privileges on older hosts that had not fully cycled through patching. SLAPSTICK exploited CVE-2021-4034 through Polkit to reach the same goal on better-maintained systems. TINYSHELL kept things simple by giving the operators a lightweight remote shell that blended into normal process lists. None of these tools was complex, but they were quiet and reliable.

The more interesting part came from the way UNC2891 relied on bind mounts to mask activity. By shifting sensitive paths into controlled views, they hid directories, logs, and even some of the tooling from routine inspections. It is the kind of trick that slips past teams that rely heavily on perimeter sensors and assume internal hosts are stable.

With control of the transaction switch and the surrounding infrastructure, the group moved from reconnaissance to monetization. Cloned cards were produced using data from the compromised environment, and mule crews handled the withdrawals across several countries. The hardware implants and the Linux malware stack gave them a foothold that survived audits for years because nothing looked obviously broken in the banking security stack.

Banking Security Risks and Real-World Campaign Activity

By the time forensic teams pieced the campaign together, it was clear UNC2891 had been active far longer than anyone assumed. Several banks in Southeast Asia reported activity dating back to 2017, which means the group operated through multiple hardware refresh cycles and at least one core-network redesign. That kind of persistence tells you the operators understood how ATM networks are built and where the weak seams sit between on-prem systems and switching infrastructure.

The affected systems weren't limited to the ATMs themselves. The intrusion paths stretched across Linux and Unix hosts that supported transaction processing, card-issuing systems, and internal monitoring pipelines. Those hosts were often segmented on paper, but still exposed enough shared services to give an attacker room to move once the hardware implant was in place. Physical access gave them the starting point, and host-level access filled in the rest.

The financial losses tied to the cloned-card withdrawals added up quickly because the activity looked like routine consumer traffic at first glance. Mules cashed out across different ATM fleets and different regions, which made correlation harder until analysts started comparing timestamps and withdrawal patterns. It became clear that the issue wasn't a single ATM model or a software defect. It was a structural weakness in how ATM security controls are layered inside modern banking environments.

For many teams, the uncomfortable part of this case is how ordinary the attack chain was. Nothing about the malware or operational playbook would surprise anyone who has worked in incident response. The scale came from patience, physical access, and a banking security model that still assumes internal networks are trusted once you get past the branch perimeter.

Strengthening ATM Security and Banking Security Controls

Most of the recommendations that came out of this investigation were not new. What changed was the emphasis. Teams realized how much trust had accumulated around network closets, switch cabinets, and other places that rarely see routine inspection. Locking those areas down and tracking who enters them became just as important as patching a high-severity Linux bug. Once the Raspberry Pi boards were removed, several banks started logging physical access through the same lens they use for privileged account activity.

Scanning for unauthorized hardware turned into a practical exercise instead of a theoretical one. Some teams added periodic sweeps of ATM network segments with simple inventory scripts, backed by NAC policies that flag devices with unexpected MAC prefixes or cellular interfaces. This isn't glamorous work, but it closes the gap that allowed the 4G implants to sit unnoticed for so long.

Segmentation reviews followed. Many banks had ATM networks separated on paper while still sharing authentication paths, update channels, or internal monitoring systems with the broader environment. Cleaning up those links took time, and in some cases, it required coordination with vendors who had quietly relied on those shared services. Once those pathways were clarified, the Linux privilege-escalation vulnerabilities used by CAKETAP and SLAPSTICK became less useful to an attacker.

Operational teams also began monitoring for unusual bind-mount behavior. Bind mounts are common in container platforms and maintenance workflows, but they stand out on hosts that normally run a predictable set of banking applications. Alerting on that activity gave analysts something concrete to investigate instead of relying on signature-based detections.

The last piece involved fraud teams. They rebuilt their processes for spotting mule behavior and repeated cloned-card withdrawals. Instead of monitoring only per-card anomalies, they began correlating ATM usage across regions and providers. This tied the operational side of banking security to the cash-out phase in a way that hadn't been done before.

Closing Thoughts: What This Means for Linux, ATM Security, and Modern Banking Security

The UNC2891 case shows how much risk sits in the gaps between well-defended systems. The Linux hosts involved in this incident were not fragile or outdated. They were typical production machines running standard banking workloads, and they failed only because an attacker reached them through a path no one was watching. Once the hardware implant was in place, the group had time to learn the environment and adjust their tooling until it blended in.

It also highlights how hybrid operations are becoming normal for financially motivated crews. They mix physical access, off-the-shelf hardware, and quiet Linux malware to build a foothold that lasts. This is less about zero-day exploits and more about understanding how real networks behave when they age. The longer the infrastructure remains unchanged, the more predictable it becomes to someone who has already found a way inside.

For security teams, the insight is simple but uncomfortable. Strong perimeter controls and regular patching are not enough when the attacker starts from a position that bypasses both. Modern banking security depends on treating every layer, including the physical one, as part of the threat surface. That means monitoring embedded devices, verifying internal assumptions, and treating unexpected behavior on stable systems as a signal rather than noise.

Finally, the case is a reminder that the people involved in these operations matter as much as the tooling. The cashouts only worked because mule networks were available and coordinated. Without that human layer, the malware and the Raspberry Pi hardware would have been interesting but unprofitable. Understanding how these mule networks operate helps teams see where technical controls stop being effective and where operational gaps begin.

Nov 27, 2025 | Brittany Day | Hacks/Cracks
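The bind-mount monitoring the article describes, as an added example that is not code from the article or from any investigation it cites: a Python check that parses /proc/self/mountinfo and flags bind mounts (a mountinfo 'root' field other than '/') sitting over paths where logs, tooling or /proc/<pid> entries could be hidden. The sensitive-path list, the container-runtime allow-list and the sample mountinfo lines are all constructed assumptions for a hypothetical banking host.

```python
# Flag bind mounts overlaying sensitive paths, from /proc/self/mountinfo.
# A bind mount's 'root' field is a subtree of its source fs rather than '/'.
import re
from dataclasses import dataclass
# Assumed sensitive paths: where logs, tooling or /proc/<pid> entries would be hidden.
SENSITIVE_PREFIXES = ("/proc", "/var/log", "/etc", "/bin", "/sbin",
                      "/usr/bin", "/usr/sbin", "/usr/lib")
# Assumed allow-list: subtree binds the host's container runtime legitimately makes.
ALLOWED_PREFIXES = ("/var/lib/docker", "/run/containerd")

# Constructed sample: a normal Docker bind, a /proc subtree bound over another
# PID directory, and a hidden directory bound over /var/log.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:2 - proc proc rw
40 22 8:1 /var/lib/docker/overlay2 /var/lib/docker/overlay2 rw,relatime shared:1 - ext4 /dev/sda1 rw
41 23 0:21 /4711 /proc/1337 rw,nosuid,nodev,noexec,relatime - proc proc rw
42 22 8:1 /tmp/.cache /var/log rw,relatime - ext4 /dev/sda1 rw
"""

@dataclass
class Mount:
    root: str         # path within the source filesystem that is mounted
    mount_point: str  # where it appears in this mount namespace
    fstype: str
    source: str

def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text: str) -> list:
    mounts = []
    for line in text.splitlines():
        # Optional fields (shared:N, master:N, ...) precede the ' - ' separator.
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue  # blank or malformed line
        mounts.append(Mount(_unescape(lf[3]), _unescape(lf[4]), rf[0], rf[1]))
    return mounts

def _under(path: str, prefixes: tuple) -> bool:
    return any(path == p or path.startswith(p + "/") for p in prefixes)

def suspicious_binds(mounts: list) -> list:
    """Describe each subtree bind that sits over a sensitive, non-allow-listed path."""
    findings = []
    for m in mounts:
        if m.root == "/" or _under(m.mount_point, ALLOWED_PREFIXES):
            continue  # whole-filesystem mount, or an expected runtime bind
        if _under(m.mount_point, SENSITIVE_PREFIXES):
            findings.append(f"{m.root} bound over {m.mount_point} ({m.fstype} {m.source})")
    return findings

if __name__ == "__main__":
    # Swap SAMPLE_MOUNTINFO for open("/proc/self/mountinfo").read() on a live host.
    for finding in suspicious_binds(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print("ALERT:", finding)
```

Run it periodically from the host's own mount namespace (not from inside a container), since a bind made in another namespace is invisible from a different one.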

NordVPN Breach: Assessing Trust in VPN Security After Recent Attack

NordVPN suffered a breach nineteen months ago, which has only recently been disclosed to the public. VPN security in general is questionable. What VPNs do you use, and why should they be considered trustworthy? Learn more about the NordVPN breach in an interesting Schneier on Security article:

There was a successful attack against NordVPN. The breach happened nineteen months ago, but the company is only just disclosing it to the public. We don't know exactly what was stolen and how it affects VPN security. More details are needed. VPNs are a shadowy world. We use them to protect our Internet traffic when we're on a network we don't trust, but we're forced to trust the VPN instead. Recommendations are hard. NordVPN's website says that the company is based in Panama. Do we have any reason to trust it at all?

The link for this article located at Schneier on Security is no longer available.

Oct 28, 2019 | LinuxSecurity.com Team | Hacks/Cracks

Russia's 2010 Breach Of FBI Communications: Security Concerns Unveiled

Are you aware that Russia reportedly breached FBI communications starting in 2010? The Obama administration seized two US compounds in response. Learn more:

When the Obama administration kicked out Russian operatives and seized compounds, it might have been for more than their meddling in the 2016 presidential election. Unnamed officials talking to Yahoo News say that some of those diplomats were involved in a counterintelligence strategy that breached FBI communications starting in 2010. Reportedly, the Russians had "dramatically improved" their decryption of some secure comms technology, including the radios used by mobile surveillance teams and the push-to-talk cellphones used as backups. The Russians could track and intercept the chats between agents, though it's not clear if that was possible in real-time. The Russians could reportedly only crack "moderately encrypted" radio systems like those the FBI used, and not the strongest protections, but that was still worrying, and it wasn't certain just how Russia compromised the systems. Some officials worried Russia might have a mole, but that wasn't clear. An anonymous CIA officer speaking to Yahoo News said that Russia had a habit of disguising human sources as technical attacks. They may have simply loitered in areas where they could listen in on conversations.

The link for this article located at Engadget is no longer available.

Sep 17, 2019 | Brittany Day | Government

Canonical GitHub Breach: No Impact on Ubuntu Source Code

The GitHub account of Canonical Ltd., the company behind the Ubuntu Linux distribution, was hacked on Saturday, July 6.

"We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities," the Ubuntu security team said in a statement. "Canonical has removed the compromised account from the Canonical organisation in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected," it said.

The link for this article located at ZDNet is no longer available.

Jul 08, 2019 | LinuxSecurity.com Team | Hacks/Cracks

Texas Car Hacking Incident: Bluetooth Exploitation of Vehicle Systems

A disgruntled former employee of Texas Auto Center chose a creative way to get back at the Austin-based dealership: he hacked into the company's computers and remotely activated the vehicle-immobilization system, which triggered the horn and disabled the ignition system in more than 100 of the vehicles.

The dealership had installed the system in their cars as a way to deal with customers who fell behind on their payments. Police arrested the man and charged him with breach of computer security. His legal status was unclear as of our deadline for this story.

Aug 06, 2012 | LinuxSecurity.com Team | Hacks/Cracks

Trend Micro Data Breach: Cybercriminals Allegedly Leverage Hidden Access

A hacker claims to have breached and backdoored security and antivirus software firm Trend Micro due to 'pseudo-security', as well as SYKES, which runs support services for Trend Micro. According to Pastebin and a dump for 'proof' of the breach, the hacker claims to still be in control of a backdoor into the security firm.

Jul 02, 2012 | LinuxSecurity.com Team | Hacks/Cracks

uTorrent: Security Breach - Malware Forcing Fake Antivirus Download

The publisher of the uTorrent file-sharing program has admitted to suffering a major security breach that allowed attackers to substitute downloads of its client for malware pushing fake antivirus software.

Anyone who downloaded its uTorrent program between 4.20am Pacific time (12.20pm BST) and just after 6am on 13 September will have been downloading the Security Shield scareware program, which pesters the user to pay for protection against non-existent threats it claims to have detected. Originally, the company believed that both BitTorrent and the cut-down uTorrent clients had been affected, but a later clarification said that the former was not now thought to be involved. "Clarification: This only affects users who downloaded software specifically from utorrent.com between the hours above this morning. Users who previously downloaded our software are not affected," said a company blog.

The link for this article located at CSO Online is no longer available.

Sep 19, 2011 | LinuxSecurity.com Team | Hacks/Cracks

Bank Of America Account Breach: Major Compromise of Customer Data

Thousands of Bank of America customers' account information could be in jeopardy after a major security breach. Christy Clark went to a Royal Oak drug store Friday, but when her debit card was declined, she knew something was wrong.

She went straight to the Bank of America branch near 12 Mile Road near Woodward Avenue in Royal Oak to report the problem. When she arrived, she was surprised to see the lobby packed with customers who experienced the same issue.

The link for this article located at Click On Detroit is no longer available.

Mar 28, 2011 | LinuxSecurity.com Team | Hacks/Cracks