Stay Ahead With Linux Security News

Explore the Latest Linux Security News


Apache2 Security: New Malware Threat Insights and Protection Strategies

Elastic researchers recently identified an advanced Linux malware campaign targeting Apache2 web servers, underscoring the need for sysadmins and cybersecurity specialists to be increasingly aware of the growing Linux malware threat. Constant vigilance is necessary to guard systems from emerging attacks, especially as cyber threats continue to advance and become harder to detect.

In this article, we'll delve into this recently identified malware, exploring its inner workings and how it infiltrates and exploits Apache2 web servers. We'll examine its multidimensional impact, including degraded server performance, service disruption, and data loss, and explain who is at risk, since knowing your exposure enables more effective defense. Finally, we'll offer admins practical, actionable mitigation strategies to strengthen Apache2 web server security, from system updates and best practices to advanced security tools and user training. By adopting these strategies, you can more effectively protect your systems against current and future threats and ensure a resilient cybersecurity posture. Let's begin by closely examining this malware and how it works.

Overview of This New Linux Malware & Its Operations

This recently discovered campaign involves attackers exploiting remote code execution (RCE) and path traversal flaws in Apache2 web servers. It has been classified as highly sophisticated because of its arsenal of multiple malware types, advanced persistence mechanisms, and various obfuscation techniques.

The arsenal includes KAIJI, used for distributed denial-of-service (DDoS) attacks; RUDEDEVIL, a cryptocurrency-mining malware; and custom malware tailored to the attackers' operations. Multiple mechanisms ensure persistence: GSocket masquerades as a kernel process to provide encrypted communications, systemd services start the malware at boot, older SysVinit scripts do the same on systems that use them, and bash profile modifications hook user logins to keep the malware active over time.

The attackers use several advanced techniques to maintain their presence, including manipulating SELinux policies to adjust security settings and using bind mounts to mask malicious files. They also exploit CVE-2021-4034 (PwnKit) for privilege escalation, use tools like pspy64 for system reconnaissance, and deploy custom binaries named apache2 or apache2v86 with XOR-encoded strings to avoid detection. Cron jobs automate the attack, and command and control (C2) channels are established through Telegram bots.

How Does This Attack Work?

Reconnaissance comes first: threat actors use tools like whatweb and sslscan to gather information about potential targets. Once they identify a suitable victim, they exploit vulnerabilities to gain initial entry. If privilege escalation fails, persistence is established as an unprivileged user such as www-data through encrypted GSocket connections, allowing the attackers to maintain access and run undetected for extended periods. A cron job then downloads and executes a script named ifindyou every minute, which uses XMRIG, a popular cryptocurrency miner, to mine Bitcoin through the unmineable.com pool, using the victim's hostname as its identifier. Additionally, the attackers use a Python script that interacts with online gambling APIs to simulate user activity, suggesting a potential money laundering scheme.

What Is the Impact of This Threat & Who Is At Risk?

Malware attacks can have far-reaching repercussions. Resource exploitation is an immediate risk to server performance and increases power usage, not to mention potential wear and tear on hardware components. Service disruption is another crucial issue, since DDoS attacks can significantly impede availability. Data integrity and confidentiality are at risk, as the malware can access sensitive data on compromised servers and exfiltrate it through channels such as Telegram bots. Financial and reputational damage also pose substantial threats: compromised servers incur remediation costs and lost business revenue, and service outages or data breaches can cause significant reputational harm to organizations.

Since Apache2 web servers are so widely used, many entities are vulnerable. Enterprises of all sizes may be at risk if they run outdated or unpatched Apache2 versions. Financial and e-commerce institutions that rely heavily on web services, web hosting providers with multiple client accounts on shared infrastructure, and government and public sector organizations are also highly susceptible.

Practical Mitigation Strategies for Securing Apache2 Web Servers

Admins seeking to safeguard Apache2 web servers against sophisticated malware campaigns should employ several key mitigation strategies. Regularly updating and patching systems, including Apache2, is crucial. Security best practices such as strong SELinux policies, disabling unnecessary modules and services to reduce the attack surface, and auditing server configurations and logs all play an integral part in strengthening defenses.

Enhancing authentication and access controls is another essential strategy. Administrators should use multi-factor authentication (MFA) and adhere to the principle of least privilege (PoLP) when assigning privileges to user accounts and processes. Deploying advanced security tools such as intrusion detection systems (IDS), intrusion prevention systems (IPS), endpoint detection and response (EDR) solutions, and web application firewalls can further boost security. Monitoring and analyzing network traffic is integral to detecting suspicious activity. Proper network segmentation must be implemented, and admins should check for suspicious outbound connections to unknown IPs. Maintaining regular backups of critical data and creating and testing an incident response plan are also essential and ensure a swift recovery from incidents. Educating staff on phishing and social engineering tactics and building security awareness through user training can drastically reduce successful attacks on networks.

Our Final Thoughts on Securing Your Web Servers Against This Malware

This discovery of sophisticated Linux malware attacking Apache2 web servers illustrates the ever-evolving nature of cyber threats. Given its sophistication and capability, adopting an effective multi-layered security strategy is imperative to keeping your web servers safe from compromise and ensuring their resilience. Admins can significantly mitigate risk and strengthen server security by staying informed and following best practices. Given the increasing frequency and sophistication of cyberattacks, continuous vigilance and proactive measures are essential to protecting vital digital infrastructure.

Investigate the emerging Linux malware risk aimed at Apache2 servers and implement proactive measures to bolster your cybersecurity defenses.

Tags: Linux Malware Threat, Apache2 Security, Cybersecurity Strategies, Malware Mitigation, Sysadmin Practices

Oct 03, 2024 | Brittany Day | Hacks/Cracks

Malvertising Threat on Linux: Protecting Against Fake PuTTY Attacks

A malvertising campaign has been discovered that deploys a fake PuTTY client to deliver the Rhadamanthys stealer, a dangerous piece of malware. The attackers exploit the trust placed in PuTTY as a widely used SSH and Telnet client by presenting a counterfeit website through malicious ads that appear at the top of Google search results. Let's examine this significant security threat targeting Linux admins more deeply, emphasizing the need for heightened vigilance and robust Linux security measures.

A Closer Look at This Malicious Campaign

Malware loaders have assumed a central role in the cybercriminal ecosystem. These loaders infiltrate machines and deploy additional payloads while evading detection. The loader used in this campaign is particularly noteworthy for its use of the Go programming language and an innovative technique to deploy the Rhadamanthys stealer. This emphasizes the need for Linux admins and security practitioners to stay updated on emerging attack techniques and constantly improve their defenses to counter such threats. Unsuspecting users are directed to a domain controlled by the attackers that masquerades as PuTTY's homepage. From there, a two-step redirection process leads to the download of a malicious PuTTY executable, which in turn downloads the Rhadamanthys stealer; once executed, the stealer poses a significant threat by harvesting sensitive information from the compromised system.

What Are the Implications of This Threat? How Can I Secure My Systems?

The implications of this malvertising campaign are severe for Linux administrators and the broader cybersecurity community. The attackers' ability to exploit the trust in widely used tools like PuTTY highlights the need for constant vigilance and scrutiny of sources. It prompts questions about the potential for similar attacks targeting other open-source software that forms the backbone of various operating systems.

The use of the Go programming language for the loader is notable, as it indicates cybercriminals' evolving sophistication. This poses a challenge for security practitioners, who must stay updated on the latest programming languages and techniques attackers employ. Moreover, this threat raises concerns about the long-term consequences of such attacks. As malware and cybercrime evolve and adapt, security practitioners must remain proactive and agile in defending against emerging threats. This includes implementing robust monitoring and detection systems, regularly updating software and firmware, and educating users and administrators about the risks posed by malicious campaigns.

The impact on Linux administrators and infosec professionals is profound. They are at the forefront of defending against such attacks and must be aware of the latest techniques employed by cybercriminals. This discovery serves as a reminder that even seemingly legitimate tools and websites can be impersonated, underscoring the importance of scrutinizing domain names and sources.

Our Final Thoughts on Securing Linux Systems Against Malvertising Campaigns

This article highlights the evolving tactics employed by cybercriminals to exploit trust and infiltrate systems. Linux admins, infosec professionals, and sysadmins must stay informed, adapt their defenses, and emphasize user education to protect against these threats. The consequences of these attacks are far-reaching, making constant vigilance and proactive defense strategies vital to safeguarding critical systems and data. Stay safe out there, Linux admins!

A recent malvertising campaign exploiting PuTTY highlights the risks of popular software. Users should be vigilant, verify downloads, and strengthen security practices.

Tags: Linux Security, Cybercrime Alert, Malware Defense, Open Source Threats, User Education

Mar 25, 2024 | Dave Wreski | Hacks/Cracks

GTPDOOR Threat: Implications for Linux Telecom Security

A new Linux malware, GTPDOOR, specifically designed to target telecom networks connected to GPRS roaming exchanges (GRX), has emerged. This malware stands out because it uses the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications. The implications of this discovery are significant for Linux admins, infosec professionals, internet security enthusiasts, and sysadmins who work with telecom networks.

How Does GTPDOOR Malware Work? What Are the Security Implications for Linux Users?

GTPDOOR is believed to be linked to the threat actor LightBasin. The malware disguises itself as syslog and opens a raw socket, enabling it to receive UDP messages and execute commands on infected machines. Furthermore, the malware can be probed covertly from an external network, eliciting a response that reveals whether the destination port on the host is open or responding.

The presence of GTPDOOR raises pressing questions. As Linux admins and information security professionals, we must consider the potential long-term consequences of such malware targeting telecom networks. How can we effectively detect and mitigate this threat? Are current security measures in telecom networks sufficient to protect against advanced malware like GTPDOOR? We also need to consider the possibility of similar malware emerging that exploits other protocols within the telecom infrastructure.

The impact on security practitioners is significant. Their role in safeguarding telecom networks becomes even more crucial as sophisticated malware like GTPDOOR evolves. They must keep up with the latest security practices, including regularly patching and updating software, conducting network vulnerability assessments, and implementing robust intrusion detection and prevention systems. Security practitioners should also collaborate with telecom providers to share threat intelligence and develop effective mitigation strategies.

Our Final Thoughts on GTPDOOR Linux Malware

The emergence of GTPDOOR Linux malware targeting telecom networks through GPRS roaming networks raises serious concerns for security practitioners. Using GTP for command-and-control communications presents a new challenge for Linux admins, infosec professionals, internet security enthusiasts, and sysadmins. It is imperative to critically analyze the implications of such malware and take appropriate measures to protect telecom networks from long-term consequences. By staying proactive, collaborating, and continuously updating security practices, security practitioners can effectively combat the threat posed by GTPDOOR and other evolving malware in the future.

Tags: Linux Malware, GTPDOOR, Telecom Security, Vulnerability Management

Mar 04, 2024 | Anthony Pell | Network Security

Exploring Qilin Ransomware Attacks on VMware ESXi Hypervisor Systems

The Linux version of Qilin, a new ransomware strain that debuted in January, has been spotted in the wild. It is also one of the first ransomware families to target VMware ESXi.

Qilin targets users and organizations that run ESXi hypervisors. The malware encrypts files on connected USB devices with AES-256 encryption and a randomly generated RSA public key. It also creates an HTML file in each folder that contains encrypted files, with instructions on paying the ransom and where to get decryption keys. The malware doesn't appear very sophisticated and is likely not targeting any specific industry or organization; it's just another opportunistic infection for any user connecting a USB device infected with Qilin to their machine.

I found the article linked below very helpful in understanding the specifics of this attack, and I wanted to share it with you!

Tags: Qilin Ransomware, ESXi Hypervisor Security, AES-256 Encryption, Cyber Threats, Linux Malware

Dec 04, 2023 | LinuxSecurity.com Team | Cryptography

Lazarus Group Attack Linked To 3CX Supply Chain On Linux Systems

New cyber research connects the infamous North Korea-aligned Lazarus Group, which is behind the Linux malware attack called Operation DreamJob, to the 3CX supply-chain attack.

In the company's April 20 Live Security cyber report, ESET researchers announced a connection between the Lazarus Group and expanded attacks now targeting the Linux OS. The attacks are part of a persistent and long-running activity tracked under the name Operation DreamJob that impacted supply chains, according to the ESET cybersecurity team.

Lazarus Group uses social engineering techniques to compromise targets, with fake job offers as the lure. In this case, ESET researchers reconstructed the entire chain, from the zip file that delivers a fake HSBC job offer as a decoy to the final payload. Researchers identified the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account. This is the first public mention of this major North Korea-aligned threat actor using Linux malware as part of this operation, according to ESET.

This discovery helped the team confirm "with a high level of confidence" that the Lazarus Group conducted the recent 3CX supply-chain attack. Researchers had suspected for some time that Korean state-sponsored attackers were involved in the ongoing DreamJob cyberattacks. This latest report corroborates that connection, according to the blog post.

"This attack shows, in full color, how threat actors continue to expand their arsenal, targets, tactics, and reach to get around security controls and practices," John Anthony Smith, CEO of infrastructure and cybersecurity services firm Conversant Group, told LinuxInsider.

Cybersecurity experts at ESET have uncovered links between the Lazarus group and the recent 3CX supply-chain breach affecting Linux platforms.

Tags: Lazarus Group, Linux Malware, Cybersecurity Threats, Supply Chain Security, ESET Research

Apr 27, 2023 | LinuxSecurity.com Team | Hacks/Cracks

APT27: Iron Tiger's New SysUpdate Malware Targets Linux Systems

The APT27 hacking group, aka "Iron Tiger," has prepared a new Linux version of its SysUpdate custom remote access malware, allowing the Chinese cyberespionage group to target more services used in the enterprise.

According to a new report by Trend Micro, the hackers first tested the Linux version in July 2022. However, only in October 2022 did multiple payloads begin circulating in the wild. The new malware variant is written in C++ using the Asio library, and its functionality is very similar to Iron Tiger's Windows version of SysUpdate.

The threat actor's interest in expanding its targeting scope to systems beyond Windows became evident last summer, when SEKOIA and Trend Micro reported seeing APT27 targeting Linux and macOS systems using a new backdoor named "rshell."

Tags: Linux Malware, APT27, SysUpdate, Cyberespionage Tools, Remote Access

Mar 03, 2023 | LinuxSecurity.com Team | Hacks/Cracks

AhnLab: New Linux Malware Mining Cryptocurrency and Launching DDoS Attacks

South Korean cybersecurity firm AhnLab Security Emergency Response Center said it has observed a new Linux malware in the wild that deploys a cryptocurrency miner on infiltrated systems using a shell script compiler (shc) downloader, reports The Hacker News. According to the report, a successful breach is followed by execution of the shc downloader malware to fetch the XMRig cryptocurrency miner software and a Perl-based DDoS IRC bot that allows the attacker to connect through a remote server and mount distributed denial-of-service attacks.

"It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. This bot supports not only DDoS attacks such as TCP flood, UDP flood, and HTTP flood, but various other features including command execution, reverse shell, port scanning, and log deletion," researchers said.

The link for this article located at SC Media is no longer available.

Recent findings indicate a new strain of Linux malware that installs a cryptocurrency miner and initiates DDoS attacks following SSH compromises, preying on inadequately protected servers.

Tags: Linux Malware, Cryptocurrency Threat, DDoS Attack, SSH Security, AhnLab Report

Jan 15, 2023 | LinuxSecurity.com Team | Hacks/Cracks

New Lightning Framework Exposes Linux To Rootkits and Backdoor Threats

A new and previously undetected malware dubbed "Lightning Framework" targets Linux systems and can be used to backdoor infected devices using SSH and deploy multiple types of rootkits.

Described as a "Swiss Army Knife" in a report published today by Intezer, Lightning Framework is a modular malware that also comes with support for plugins. "The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration," Intezer security researcher Ryan Robinson said.

Tags: Linux Malware, Rootkit Threats, DDoS Backdoor, Lightning Framework, Open Source Security

Jul 21, 2022 | LinuxSecurity.com Team | Hacks/Cracks