APT36: ClickFix Threats to Linux Systems - Analyzing Security Risks
Linux admins,
The APT36 cyber espionage group has been around for decades, but this week we're seeing a shift: the ClickFix campaign is targeting Linux systems specifically. Unlike generic attacks, ClickFix leverages social engineering and disguises malicious payloads as legitimate applications or updates. The campaign prioritizes stealth over brute force, meaning it could be running on your system without your knowledge. How can you check?
For Linux security teams, it highlights the importance of advanced behavioral monitoring tools that can distinguish legitimate Linux processes from malicious behaviors. Read on to learn more about the misconceptions about Linux system security, defensive measures to mitigate ClickFix risks, and more you can do to protect your systems from these attacks.
I'll also break down the unsettling case of easyjson, a popular Go package for high-performance JSON serialization. While easyjson’s efficiency has made it a go-to dependency for projects like Kubernetes and Helm, the tool’s origins—and ongoing ties to Russia’s VK, a state-linked tech giant—raise serious security concerns.
Please share this newsletter with your friends to help them gain critical Linux security insights. Is there a Linux security-related topic you want to cover for our audience? We welcome contributions from passionate, insightful community members like you!
Yours in Open Source,

Dave Wreski
LinuxSecurity Founder
Emerging ClickFix Attacks Are Now Targeting Linux Systems
Imagine you’re sitting down at your desk, coffee in hand, ready to tackle the day, and you’re met with this: a new campaign, slyly dubbed “ClickFix,” is burrowing into Linux environments. It’s not some generic, scattershot attack; this is precise, calculated work by APT36, a group making waves with its knack for cyberespionage. Their usual playbook? Exploiting weaknesses while staying out of sight. Now they’re focusing squarely on Linux systems. This isn’t just another line in the long list of threats—it’s the kind of escalation you’d rather hear about in a briefing than encounter firsthand. So what makes this different? It’s not just that APT36 is expanding its scope; it’s how they do it. You know how these things go—if attackers want to disrupt or exfiltrate data, Linux is a goldmine, especially in environments that power enterprise systems or critical infrastructure. ClickFix feels like a wake-up call. It’s no longer about the easy wins; they’re proving they can go deeper, target smarter, and make life harder for admins who thought their systems were safe with the usual hardening measures. If you manage Linux systems, this isn’t the kind of noise you ignore—it’s time to dig in and take a closer look.
The Hidden Risks of Russian-Linked Open-Source Tool easyjson
Open-source tools are the backbone of countless systems, from cloud-native infrastructure to enterprise-level applications. But what happens when a widely used open-source library carries hidden risks? This is the unsettling case of easyjson, a popular Go package for high-performance JSON serialization. While easyjson’s efficiency has made it a go-to dependency for projects like Kubernetes and Helm, the tool’s origins—and ongoing ties to Russia’s VK, a state-linked tech giant—raise serious security concerns. VK’s history of government collaboration and its sanctioned ownership have led Hunted Labs researchers to suggest that VK could weaponize easyjson in ways that could compromise critical U.S. systems. This presents an urgent challenge for admins and open-source community members like us: safeguarding our organizations against potential supply chain threats, backdoors, and espionage risks. The good news? We can mitigate these risks by auditing dependencies, adopting alternative libraries, and staying engaged with the open-source security community working to combat these concerns. Let’s examine how easyjson is used, why its ties to VK are cause for concern, and what steps you can take to mitigate these risks while continuing to rely on open-source tools.
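One way to do the dependency audit the paragraph recommends, as an added example that is not part of the newsletter or of easyjson itself: a small Go program that parses `go mod graph` output and reports the shortest chain through which a given module (here easyjson's import path, github.com/mailru/easyjson) reaches your build, so you can see which direct dependency is pulling it in. The graph text below is constructed for illustration; replace sampleGraph with the real output of `go mod graph` from your project.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output: one "dependant dependency" pair per line.
const sampleGraph = `example.com/app github.com/spf13/cobra@v1.8.0
example.com/app k8s.io/apimachinery@v0.30.0
k8s.io/apimachinery@v0.30.0 github.com/mailru/easyjson@v0.7.7
github.com/spf13/cobra@v1.8.0 github.com/spf13/pflag@v1.0.5`

// ParseGraph builds an adjacency list; version suffixes are stripped so each module is one node.
func ParseGraph(text string) map[string][]string {
	g := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		from, to := strings.SplitN(f[0], "@", 2)[0], strings.SplitN(f[1], "@", 2)[0]
		g[from] = append(g[from], to)
	}
	return g
}

// DependencyPath breadth-first searches from root and returns the shortest chain that pulls in target (nil if absent).
func DependencyPath(g map[string][]string, root, target string) []string {
	seen := map[string]bool{root: true}
	queue := [][]string{{root}}
	for len(queue) > 0 {
		path := queue[0]
		queue = queue[1:]
		if path[len(path)-1] == target {
			return path
		}
		for _, next := range g[path[len(path)-1]] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, append(append([]string{}, path...), next))
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(strings.Join(DependencyPath(ParseGraph(sampleGraph), "example.com/app", "github.com/mailru/easyjson"), " -> "))
}
```

The printed chain tells you which direct dependency to replace or pin if you decide to drop easyjson; a nil result means the module is not in the build graph at all.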