If you run identical Windows and Linux computers side by side, it won’t take you long to figure out that Windows is the bigger malware draw. That’s something every IT administrator expects and is prepared for. What’s taking them by surprise, however, is that Linux and other open source software have emerged as serious malware targets in a series of recent attacks. This has put concerns about Linux security front and center.
Holes in software that was once considered safe are now being exposed and exploited at will. The reason it’s probably taken so long for hackers to turn their attention to Linux is because you get a lot more targets with Windows, based simply on the number of people using Microsoft’s OS. As more and more people turn to open source, however, those numbers change, and so do the attackers’ agendas.
This doesn’t in any way mean Linux security has more holes than Windows. It just means admins who are used to worrying about Windows security now must add Linux security to their list of concerns. While Windows is still the primary target, the fact that IT admins aren’t used to Linux attacks makes it an easy target, and easy targets are what attackers like. We can definitely expect larger and more organized attacks on open source and Linux as more hackers turn their attention to it and expose holes in its architecture. We’re also not just talking about Linux security here but also the applications and software that run on it and the vulnerabilities they carry.
A popular open source MVC framework used to create Java web apps was recently in the news for all the wrong reasons. Apache Struts was the cause of the recently disclosed Equifax break-in, in which the private information of 143 million people was stolen, including Social Security numbers, birthdates, addresses, and more. A web application vulnerability in the widely used open source Apache Struts web development framework allowed attackers to break into Equifax and do their damage.
According to Ian Folau, CEO of GitLinks, which specializes in security for open source software, at least half of all Fortune 100 companies use Struts and less than 10 percent of them are monitoring open source. He also believes that many other attacks will be launched using the Struts vulnerability because it will remain largely unpatched due to people’s ignorance.
This is because everyone is so used to attackers targeting Windows that they’ve effectively created a blind spot for themselves. He also adds that without proper monitoring, even if these companies wanted to update their versions of Struts, they would have a hard time figuring out which applications were using Struts in the first place.
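The inventory problem described above is the first thing an admin has to solve before patching. The following script is an added example, not code from GitLinks or the article: it walks a deployment root, finds Struts core jars both loose on disk and packed inside .war/.ear archives, and reports which are below a minimum version the admin supplies (the `2.5.0` floor and the sample jar versions are constructed placeholders, not a statement of which Struts release fixed the Equifax flaw; take the fixed version from the Apache advisory).

```python
"""Find Struts core jars in deployed Java apps (added example, not the article's code)."""
import os
import re
import tempfile
import zipfile

# Matches the Struts core jar name, e.g. struts2-core-2.3.20.jar (assumption:
# apps bundle Struts under WEB-INF/lib, the standard servlet layout).
STRUTS_JAR = re.compile(r"struts2?-core-(\d+(?:\.\d+)*)\.jar$")


def version_tuple(version):
    """Turn '2.3.20' into (2, 3, 20) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def find_struts(root):
    """Return {location: version} for every Struts core jar under root, looking
    both at loose jars on disk and inside packaged .war/.ear archives."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            match = STRUTS_JAR.search(name)
            if match:
                found[path] = match.group(1)
            elif name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for member in archive.namelist():
                        match = STRUTS_JAR.search(member)
                        if match:
                            found[f"{path}!{member}"] = match.group(1)
    return found


def older_than(found, minimum):
    """Subset of findings below the admin-supplied minimum version (placeholder:
    use the fixed version from the vendor advisory)."""
    floor = version_tuple(minimum)
    return {loc: ver for loc, ver in found.items() if version_tuple(ver) < floor}


def demo():
    """Constructed sample deployment: one loose jar and one packaged .war."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app1", "WEB-INF", "lib")
        os.makedirs(lib)
        open(os.path.join(lib, "struts2-core-2.3.20.jar"), "wb").close()
        with zipfile.ZipFile(os.path.join(root, "app2.war"), "w") as war:
            war.writestr("WEB-INF/lib/struts2-core-2.5.13.jar", b"")
            war.writestr("WEB-INF/lib/commons-lang3-3.6.jar", b"")
        found = find_struts(root)
        return found, older_than(found, "2.5.0")
```

Run `demo()` to see both jars reported and only the 2.3.20 one flagged against the placeholder floor.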
Now, even though the vulnerability was first discovered and patched back in early March, Equifax didn’t install the patch until after the attack. Sounds a lot like closing the barn after the horse has escaped, and that’s why almost every list of best practices to avoid a breach normally begins with “use the latest version.” Most people who use Linux and open source take it for granted that these systems are secure — and that’s true to an extent, or as long as you take the time and trouble to at least keep them updated.
Default credential woes
If you aren’t bothering to monitor or update your open source software, chances are you haven’t bothered to change default credentials either, which is another very common source of attacks. An example is the recent Linux/Shishiga malware that uses four different protocols (SSH, Telnet, HTTP and BitTorrent) and Lua scripts for modularity, according to an analysis by security researchers at ESET. Shishiga relies on the use of weak, default credentials in its attempts to plant itself on insecure systems with a rather common hacker tactic.
This involves the age-old method of using a built-in password list that lets the malware try a variety of different passwords to see if any of them work. ESET advises that, to prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.
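Credential-list worms like this one leave a recognisable trail in sshd logs, and the fix ESET recommends is checkable in configuration. The script below is an added example, not ESET's or the article's code: it groups failed SSH logins by source address, flags sources that spray common default account names, and checks sshd_config for the two directives that shut password guessing down. The log lines are constructed samples in standard OpenSSH syslog format, and the list of default usernames is a representative assumption, not Shishiga's actual wordlist.

```python
"""Spot default-credential login sprays and weak sshd settings (added example)."""
import re
from collections import defaultdict

# OpenSSH auth.log patterns for a failed or unknown-user login (format assumed
# from standard syslog output of sshd).
FAILED = re.compile(
    r"(?:Failed password for (?:invalid user )?|Invalid user )(?P<user>\S+) from (?P<ip>\S+)"
)

# Account names that worm password lists typically hammer (assumption:
# representative defaults, not the worms' real lists).
DEFAULT_USERS = {"root", "admin", "pi", "ubuntu", "user", "guest", "support"}

# Constructed sample log: one spraying source and one ordinary typo by a user.
SAMPLE_LOG = [
    "Oct  5 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 4444 ssh2",
    "Oct  5 10:01:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4445 ssh2",
    "Oct  5 10:01:04 host sshd[1201]: Failed password for invalid user pi from 203.0.113.5 port 4446 ssh2",
    "Oct  5 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.5 port 4447 ssh2",
    "Oct  5 10:01:06 host sshd[1201]: Invalid user support from 203.0.113.5 port 4448",
    "Oct  5 10:20:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 5000 ssh2",
]


def sweep_sources(lines, threshold=5):
    """Group failures by source IP; report sources with at least `threshold`
    failures and which default usernames they tried."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return {
        ip: {"failures": len(users), "default_users": sorted(set(users) & DEFAULT_USERS)}
        for ip, users in attempts.items()
        if len(users) >= threshold
    }


def weak_sshd_settings(config_text):
    """Return sshd_config directives that still allow password guessing.
    Hardened values: PasswordAuthentication no, PermitRootLogin no. A missing
    directive is flagged too, since the built-in default varies by version."""
    wanted = {"passwordauthentication": "no", "permitrootlogin": "no"}
    seen = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split(None, 1)
        if len(parts) == 2:
            seen[parts[0].lower()] = parts[1].strip().lower()
    return [key for key, good in wanted.items() if seen.get(key, "unset") != good]
```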
More Linux security attacks
Another recent attack on Linux security and open source software was the “BlueBorne” attack vector that exploits vulnerabilities in Bluetooth implementations. It can take over a device and use it to spread malware or ransomware and become part of a botnet. At risk are almost 5.3 billion devices that use Windows, iOS, Android and Linux-based operating systems. Examples of a few Linux devices at risk are Samsung’s Gear S3 smartwatch, a few Samsung televisions, drones, Tizen devices, and some Linux desktop PCs and servers.
A recent analysis by WatchGuard Technologies of over 26,500 active UTM appliances around the world has some interesting revelations. The study revealed that while overall malware detection dropped by 52 percent from Q4 2016, Linux malware comprised more than a third (36 percent) of the top threats observed during the period. Among the top 10 threats detected were Linux/Exploit, Linux/Downloader and Linux/Flooder, the latter related to generic DDoS tools.
Linux/Exploit is a generic term for Linux trojans that usually infect devices and then scan nearby networks for other hosts running Telnet or SSH services, attempting to authenticate against them using default credentials. An example is the infamous Mirai malware.
To add to the misery, Google researchers have discovered at least three software bugs in a popular software package that could render devices running Linux, FreeBSD, OpenBSD, NetBSD, macOS (and proprietary firmware) vulnerable to attackers. The software package in question is called Dnsmasq and is quite commonly used to make it easier for networked devices to communicate using the domain name system and the Dynamic Host Configuration Protocol.
What makes things worse is the fact that it comes pre-packaged in Android, Ubuntu, and most other Linux distributions, and it can also run on a lot of other operating systems as well as in router firmware. Google researchers in a blog post stated that out of the seven vulnerabilities found in Dnsmasq, three were flaws that allowed the remote execution of malicious code.
Address space layout randomization, a key protection feature that Dnsmasq relies on, is designed to prevent malicious payloads from executing code. One of the code execution flaws, combined with a separate information leak bug discovered by Google, can be used to bypass this protection. Google executives further commented on the flaw, calling it a “trivial-to-exploit, DHCP-based, stack-based buffer overflow vulnerability.”
Google researchers have been working together with the Dnsmasq project to patch the vulnerabilities in version 2.78, which has been released. Android has also been affected by one of the less-severe bugs, and a fix was distributed in the October Android security update that was pushed out to affected devices in November. This just goes to show that as soon as you think you are safe and become complacent, you are exactly the type of target a hacker is looking for.
Hopefully, it will no longer be taken for granted that Linux and open source software are “inherently safe” and that only Windows systems need active security and monitoring. In a day and age where hackers have the same technology and equipment at their disposal as the rest of the world, nothing can be taken for granted anymore. As the attacks get more frequent and patches become more common, it won’t be long before Linux and all open source software are monitored and updated with the same vigilance as Windows systems.
Photo credit: Wikimedia