Cybercriminals Target Linux-based Systems With Ransomware and Cryptojacking Attacks
VMware has released a report indicating that cybercriminals are increasingly targeting Linux-based multi-cloud environments with malware. Key findings reveal that ransomware is evolving to target Linux workloads, while 89% of cryptojacking attacks employ XMRig-related libraries. Additionally, over half of Cobalt Strike users may be using the tool illicitly. The report emphasizes the urgent need for organizations to enhance threat detection and adopt a Zero Trust approach to safeguard their infrastructures against these growing threats.
- Report highlights increased awareness of Linux-based security vulnerabilities.
- Identifies specific trends in cybercriminal behavior, aiding businesses in threat detection.
- Calls for proactive measures like the Zero Trust approach, potentially improving overall security posture.
- Over half of Cobalt Strike users may be employing the tool illicitly, indicating a widespread cybercrime issue.
- Ransomware evolving to target Linux-hosted workloads poses considerable risk to organizations.
- The focus on Windows-based threats leaves Linux environments vulnerable, heightening the risk for enterprises.
Today,
- Ransomware is evolving to target Linux host images used to spin up workloads in virtualized environments;
- 89 percent of cryptojacking attacks use XMRig-related libraries; and
- More than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly.
“Cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible,” said
As malware targeting Linux-based operating systems increases in both volume and complexity amid a rapidly changing threat landscape, organizations must place a greater priority on threat detection. In this report, the VMware Threat Analysis Unit (TAU) analyzed the threats to Linux-based operating systems in multi-cloud environments: ransomware, cryptominers, and remote access tools.
Ransomware Targets the Cloud to Inflict Maximum Damage
Ransomware is one of the leading causes of breaches for organizations, and a successful ransomware attack on a cloud environment can have devastating consequences.(2) Ransomware attacks against cloud deployments are targeted, and are often combined with data exfiltration in a double-extortion scheme that improves the odds of success. A new development shows that ransomware is evolving to target Linux host images used to spin up workloads in virtualized environments. Attackers are now looking for the most valuable assets in cloud environments to inflict the maximum amount of damage to the target. Examples include the Defray777 ransomware family, which encrypted host images on ESXi servers, and the DarkSide ransomware family, which crippled Colonial Pipeline’s networks and caused a nationwide gasoline shortage in the
Cryptojacking Attacks Use XMRig to
Cybercriminals looking for an instant monetary reward often target cryptocurrencies using one of two approaches. Cybercriminals either include wallet-stealing functionality in malware or they monetize stolen CPU cycles to successfully mine cryptocurrencies in an attack called cryptojacking. Most cryptojacking attacks focus on mining the Monero currency (or XMR) and VMware TAU discovered that 89 percent of cryptominers used XMRig-related libraries. For this reason, when XMRig-specific libraries and modules in Linux binaries are identified, it is likely evidence of malicious cryptomining behavior. VMware TAU also observed that defense evasion is the most commonly used technique by cryptominers. Unfortunately, because cryptojacking attacks do not completely disrupt the operations of cloud environments like ransomware, they are much more difficult to detect.
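As an added illustration of the heuristic above (not code from the VMware report or TAU tooling), the following Python script extracts printable strings from an ELF file and flags XMRig-related markers; the marker list, the two-marker threshold and the sample bytes are constructed assumptions for the example.

```python
"""Heuristic check for XMRig-related artefacts in an ELF binary (added example)."""
import re

ELF_MAGIC = b"\x7fELF"

# Assumed XMRig-related markers (an assumption for this example, not the report's
# list): strings XMRig and its bundled libraries commonly embed, such as the
# miner name, the pool protocol scheme and hash-algorithm names.
XMRIG_INDICATORS = (b"xmrig", b"stratum+tcp://", b"cryptonight", b"randomx", b"donate-level")


def is_elf(data: bytes) -> bool:
    """True if the buffer starts with the ELF magic bytes."""
    return data[:4] == ELF_MAGIC


def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes (like `strings`)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group()


def xmrig_indicators(data: bytes) -> list:
    """Return the sorted list of assumed XMRig markers found among the binary's strings."""
    found = set()
    for s in printable_strings(data):
        low = s.lower()
        for ind in XMRIG_INDICATORS:
            if ind in low:
                found.add(ind.decode())
    return sorted(found)


def classify(data: bytes) -> str:
    """Coarse verdict: not-elf / clean / review (one marker) / suspected-cryptominer (two or more)."""
    if not is_elf(data):
        return "not-elf"
    hits = xmrig_indicators(data)
    if len(hits) >= 2:
        return "suspected-cryptominer"
    return "review" if hits else "clean"


# Constructed samples: an ELF header prefix followed by strings a miner (or a
# benign binary) would typically carry. Not real malware.
SAMPLE_MINER = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"XMRig/6.x\x00stratum+tcp://pool.example:3333\x00rx/0 randomx\x00"
SAMPLE_BENIGN = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"/lib64/ld-linux-x86-64.so.2\x00GCC: (GNU) 11\x00"

if __name__ == "__main__":
    for name, blob in (("miner", SAMPLE_MINER), ("benign", SAMPLE_BENIGN)):
        print(name, classify(blob), xmrig_indicators(blob))
```

On a real host the same functions can be applied to `open(path, "rb").read()` for each ELF under scrutiny; treat a hit as a trigger for review, not proof, since legitimate mining software carries the same strings.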
Cobalt Strike Is Attackers’ Remote Access Tool of Choice
In order to gain control and persist within an environment, attackers look to install an implant on a compromised system that gives them partial control of the machine. Malware, webshells, and Remote Access Tools (RATs) can all serve as implants on a compromised system to allow remote access. One of the primary implants used by attackers is Cobalt Strike, a commercial penetration testing and red team tool, along with its recent Linux-based variant, Vermilion Strike. Since Cobalt Strike is such a ubiquitous threat on Windows, its expansion to Linux-based operating systems demonstrates the desire of threat actors to use readily available tools that target as many platforms as possible.
VMware TAU discovered more than 14,000 active Cobalt Strike Team Servers on the Internet between
“Since we conducted our analysis, even more ransomware families were observed gravitating to malware targeting Linux-based systems, with the potential for additional attacks that could leverage the Log4j vulnerabilities,” said
Download the full report here.
Methodology
The VMware Threat Analysis Unit (TAU) helps protect customers from cyberattacks through innovation and world-class research. TAU is composed of malware analysts, reverse engineers, threat hunters, data scientists, and intelligence analysts at
TAU applied a combination of static and dynamic techniques to characterize various families of malware observed on Linux-based systems, based on a curated dataset of metadata associated with Linux binaries. All the samples in this dataset are public and can therefore be easily accessed through VirusTotal or the websites of major Linux distributions. TAU collected more than 11,000 benign samples from several Linux distributions, namely Ubuntu, Debian, Mint, Fedora, CentOS, and Kali. TAU then collected a dataset of samples for two classes of threats, namely ransomware and cryptominers. Finally, TAU collected a dataset of malicious ELF binaries from VirusTotal that was used as a test malicious dataset. TAU started collecting the dataset in
About
Sources & Citations
1. Exposing Malware in Linux-Based Multi-Cloud Environments, VMware, February 2022.
2. Global Security Insights Report, VMware, June 2021.
View source version on businesswire.com: https://www.businesswire.com/news/home/20220209005064/en/