Forget about 2023 turning into "The Year of the Linux Desktop," a popular slogan about growing Linux OS usage. It's already shaping up to be the year of the Linux malware takeover.
Linux Malware and Linux Monitoring
Linux has become an even more attractive target for cyber-crooks because of the platform's potential return on their "investment." Widespread security measures target only Windows-based threats and leave Linux, especially in private cloud deployments, perilously exposed to yet another wave of ransomware attacks.
The tide of malware attacks on Linux systems continues to rise. Linux boasts being among the most secure operating systems out there. That does not make it immune to user stupidity and enterprise malfeasance, however.
A study published in January by Atlas VPN states that new Linux malware threats reached a record high in 2022. That 50 percent increase took the attack level up to 1.9 million infections. More recent malware attack monitoring reveals the situation is not getting any better.
Malware targeting Linux proliferates as Linux-based devices and servers multiply. The same kinds of security breaches that have long challenged Microsoft Windows and macOS now weigh on Linux systems. Even the Linux-derived ChromeOS, which powers Chromebooks used in schools and enterprises worldwide, has no built-in immunity to browser- and email-based infiltration.
Attacks against Linux users aren't new. The level of attacks rose and fell with a number of factors over the last couple of years. Research indicates that malware on every computing platform except Linux is decreasing.
That, according to Joao Correia, technical evangelist for TuxCare, an automated patching service for Linux, is what drives the focus cybercriminals now place on Linux in business and industry. As he has watched this trend evolve, he said, the rise of Linux malware attacks, together with the growing number of Linux users, has posed a challenge to both business and personal computing.
The earlier consensus that attacks on Linux targeted only servers has become untenable, he said. Instead, all Linux users are in the crosshairs, he warned.
"It's all about the data. We changed how we value data," Correia told LinuxInsider. "Today, data is much more valuable because we can use it to feed artificial intelligence."
Defective Killer Factors
In this regard, the inability of enterprise IT to apply patches regularly and on time opens the door to Linux system intrusions. The financial payoffs from stolen data and ransomware payments are arguably acting like a magnet for attacks aimed at Linux specifically.
One consistent business practice that company executives require of IT employees is never to shut down servers and workstations unless system patching makes it unavoidable. Downtime for security maintenance has to be scheduled, often weeks in advance, to work around business peaks.
"You don't know how long you have been vulnerable to an attack. So, you need to close that security gap as soon as you are aware of it. Taking five or six weeks to patch those types of vulnerabilities is just a godsend for malware writers," Correia explained.
"That just leaves breached systems open to be read or taken. That's just an awful position to be in, especially when you are not patching because you don't have the authorization to take down your system.
"This happens a lot in the enterprise," he added.
"First and foremost, systems must be kept up to date. If you take three months to patch a vulnerability, that doesn't cut it. You are giving up way too much time for that vulnerability to be exploited," he warned.
For instance, the Log4j vulnerability was disclosed almost two years ago. Yet there are still vulnerable systems because businesses take too long to apply patches, he added.
Worker Negligence Has Its Rewards
Another reason behind the increasing rate of Linux malware is uninformed and poorly prepared employees. To drive his point home, Correia cited a recent breach at LastPass.
That breach happened precisely because an IT employee accessed company networks from a home computer running unpatched applications. Not only was the IT employee's home system compromised, but so were LastPass servers.
"So, if you put all this together, you need to move the data to a central location. You need to have computers audited and properly secured, and your servers need to be accessed from different types of operating systems safely," Correia said.
Cybersecurity practitioners tend to create the illusion that everyone always follows best practices, whatever that means, and that everyone just does everything right, he said, pointing out that such a scenario seldom exists.
"In the real world, most companies are struggling with just the basics. Companies will have one or two IT guys that get called in when the website goes down, when an email is suspicious, or something like that. They do not have dedicated security teams. They do not have best practices in place, and disaster recovery plans, and all of that," he noted.
Going Beyond the Linux Security Surface: Q&A
LinuxInsider talks to Joao Correia about growing Linux malware cases.
His ideas reflect how difficult it is to manage multi-platform computing. Having been a sysadmin for so long, he knows why people can't or don't patch every day. They simply cannot take down systems without stakeholders becoming angry and treating the downtime as a cost rather than a benefit to the company.
Nevertheless, despite its built-in, out-of-the-box defenses, the Linux OS cannot be ignored.
LinuxInsider: What can enterprise Linux users do to make the operating system harder than it is?
João Correia: Well, when you're discussing baseline protection, you need to cover more effectively; you can't be leveraging the same practices you were 20 years ago when you had a fraction of the vulnerabilities we do today — and you have to be quicker in those types of things.
Change how you patch. If that is a problem because it is intrusive, then you need to figure out different ways of doing that. That is the absolute bare minimum basic thing that you could do to make security better.
How Good Is Live Patching?
Correia: One of the things that we do here at TuxCare is to provide KernelCare. But it's a way to keep your systems up to date without disruption, so you don't have to reboot systems; you don't have to restart services, and you still get the updated version of the software you use.
Why are more enterprises not doing that?
Correia: It's very new technology, and companies are not very good at changing their ways of working. They still patch like 20 years ago when we had big servers that were monolithic, and virtualization did not exist.
The IT security landscape has changed dramatically within a very short period of time. You need to adapt the way you do things to just be able to survive in it.
We are not getting into all the other advanced firewalls, tools, and vulnerability scanners that come after this. This is just covering your bases by running up-to-date software that you use. Because at the end of the day, when malicious actors are creating malware, ransomware, and viruses, they look for an easy way to enter a system. So, if you patch all the other ones but leave one open, that is where they will come through.
Is the attack surface of enterprise Linux more vulnerable to attacks compared to off-site or personal Linux users?
Correia: Exactly the same attack surface. You're running the same Linux kernel and probably running the same versions of the software that are there on enterprise computers. The only difference is that there is a lack of all other security measures probably in place on the enterprise network, like application firewalls and traffic analysis.
On the other hand, you probably don't have as much valuable data on your systems at home. So even though you may be less secure, you are also less of an appetizer for a malicious threat actor because they will be able to extract less value from you.
What is the security status of Chromebooks, which run ChromeOS based on Linux?
Correia: Google put some secret sauce into the Chromebooks that add security in the terms of sandboxing of the processes, separation of roles for accounts, and a secure boot process. You could do all that on a Linux system. Therefore, you could have the Linux system use the same type of security mechanisms used within ChromeOS. You could also add appropriate open-source tools on the Linux system to get close to that kind of security level.
What can Linux users not in particular IT do to lock up further how they use the Linux operating system?
Correia: Possibly not out of the box. It probably needs you to mess about to get there. But with all of the core functionality which exists on one side, you can do it on the other side.
It can pretty much be done on any Linux distribution, and all you need to do is install the apps for your own particular distribution. Nothing special or mystical about ChromeOS, per se. Well, it may not come configured with those settings, but you can get that level of security necessary to achieve that on a regular Linux box.
You have put emphasis on the fact that enterprise Linux must adhere to security basics. What does a general user of Linux look at as his or her basics?
Correia: Things such as keeping your system up to date. If you have a notice that updates are pending, do those updates right away. More often than not, they will include very important security updates.
Most distributions of Linux you can download today have a pretty good set of defaults in terms of security. It's probably not going to be government-spec, but it should be good enough assuming you keep your system up to date.
Non-business Linux users will occasionally still need to reboot their systems to apply the updates. Do not wait for the next time you turn on the computer. Take the updates as soon as they are available.
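The patch-latency check this advice amounts to, written as an added example rather than code from the interview or from TuxCare: it parses entries in the format of Debian/Ubuntu's /var/log/apt/history.log, reports how many days the host has gone since its last package upgrade against an allowed patch window, flags a kernel image upgrade (which only takes effect after a reboot unless live patching is used), and checks the reboot-required marker file. The sample log, the seven-day window and the marker path are assumptions.

```python
import re
from datetime import datetime
from pathlib import Path

# Constructed sample in the format of /var/log/apt/history.log (not from a real host).
SAMPLE_APT_HISTORY = """\
Start-Date: 2023-08-21  06:30:05
Commandline: apt-get -y upgrade
Upgrade: openssl:amd64 (3.0.2-0ubuntu1.9, 3.0.2-0ubuntu1.10)
End-Date: 2023-08-21  06:30:41

Start-Date: 2023-10-02  06:31:12
Commandline: apt-get -y upgrade
Upgrade: linux-image-generic:amd64 (5.15.0.84.81, 5.15.0.86.83), libssl3:amd64 (3.0.2-0ubuntu1.10, 3.0.2-0ubuntu1.12)
End-Date: 2023-10-02  06:31:40
"""

# "name:arch (old_version, new_version)" as written in an Upgrade: line.
PKG_RE = re.compile(r"([A-Za-z0-9.+-]+):[\w-]+ \(([^,]+), ([^)]+)\)")

def parse_apt_history(text):
    """Split history.log into entries: blank-line separated 'Key: value' blocks."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value.strip()
        if "Start-Date" in entry:
            entries.append(entry)
    return entries

def audit(history_text, now=None, max_days=7, reboot_marker="/var/run/reboot-required"):
    """Days since the last upgrade, whether that breaches the patch window (assumed
    7 days), which packages moved, and whether a reboot is still owed."""
    upgrades = [e for e in parse_apt_history(history_text) if "Upgrade" in e]
    now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S") if now else datetime.now()
    reboot_pending = Path(reboot_marker).exists()
    if not upgrades:  # never upgraded: treat as a breach of the window
        return {"last_upgrade": None, "days_since_upgrade": None, "exceeds_window": True,
                "upgraded_packages": [], "kernel_upgraded": False,
                "reboot_pending": reboot_pending}
    last = max(upgrades, key=lambda e: " ".join(e["Start-Date"].split()))
    when = datetime.strptime(" ".join(last["Start-Date"].split()), "%Y-%m-%d %H:%M:%S")
    pkgs = PKG_RE.findall(last["Upgrade"])
    days = (now - when).days
    return {"last_upgrade": when.strftime("%Y-%m-%d %H:%M:%S"),
            "days_since_upgrade": days, "exceeds_window": days > max_days,
            "upgraded_packages": [name for name, _old, _new in pkgs],
            "kernel_upgraded": any(name.startswith("linux-image") for name, _o, _n in pkgs),
            "reboot_pending": reboot_pending}
```

On a live host, feed it `Path("/var/log/apt/history.log").read_text()`; a kernel upgrade with the marker still present means the old kernel is still running.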
Security First, No Matter the Platform
Indeed, as with any information system, the changing face of technology continually changes the face of cybersecurity threats. Not even Linux, often considered relatively secure, is free from malware attacks, which raises a new need for vigilance among enterprise and personal users.
While patching will always be the best weapon in this arsenal, Joao Correia correctly argues that the approach to patching itself needs a new look, starting with security basics. The challenges lie not only in new forms of threats but also in outdated security practices that have lost relevance in an evolving environment.
From individual employees' responsibility to big corporate IT departments, addressing Linux security touches on several different dimensions. It is not just a case of setting up sophisticated firewalls and vulnerability scanners; rather, it involves a culture of security that adapts to the changing dangers as they arise.
Ultimately, it boils down to the fact that no operating system is bulletproof; hence, users of Linux on enterprise servers and personal laptops alike must stay updated, be proactive, and treat security as a continuous process rather than a one-time setup.