Linux security concerns rise as hackers target the OS

If you run identical Windows and Linux computers side by side, it won’t take you long to figure out that Windows is the bigger malware draw. That’s something every IT administrator expects and is prepared for. What’s taking them by surprise, however, is the fact that Linux and other open source software have emerged as serious malware targets in a series of recent attacks. That has pushed concerns about Linux security front and center.

Holes in software that was once considered safe are now being exposed and exploited at will. The reason it has probably taken so long for hackers to turn their attention to Linux is that there are far more targets on Windows, simply because of the number of people using Microsoft’s OS. As more and more people turn to open source, however, those numbers change, and so do the attackers’ agendas.

Low-hanging fruit

This doesn’t in any way mean Linux security has more holes than Windows. It just means admins who are used to worrying about Windows security now must add Linux security to their list of concerns. While Windows is still the primary target, the fact that IT admins aren’t used to Linux attacks makes it an easy target, and easy targets are what attackers like. We can definitely expect larger and more organized attacks on open source and Linux as more hackers turn their attention to it and expose holes in its architecture. We’re also not just talking about Linux security here but also about the applications and software that run on it and the vulnerabilities they carry.

Equifax breach

A popular open source MVC framework that’s used to create Java web apps was recently in the news for all the wrong reasons. Apache Struts was behind the recently disclosed Equifax break-in that resulted in the private information of 143 million people being stolen, including Social Security numbers, birthdates, addresses, and more. A web application vulnerability in the widely used open source Apache Struts web development framework allowed attackers to break into Equifax and do their damage.

According to Ian Folau, CEO of GitLinks, which specializes in security for open source software, at least half of all Fortune 100 companies use Struts and less than 10 percent of them are monitoring open source. He also believes that many other attacks will be launched using the Struts vulnerability because it will remain largely unpatched due to people’s ignorance.

This is because everyone is so used to attackers targeting Windows that they’ve effectively created a blind spot for themselves. He also adds that without proper monitoring, even if these companies wanted to update their versions of Struts, they would have a hard time figuring out which applications were using Struts in the first place.

Now, even though the vulnerability was first discovered and patched back in early March, Equifax didn’t install the patch until after the attack. That sounds a lot like closing the barn door after the horse has escaped, and it’s why almost every list of best practices to avoid a breach begins with “use the latest version.” Most people who use Linux and open source take it for granted that these systems are secure — and that’s true to an extent, or at least as long as you take the time and trouble to keep them updated.
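An added example (my code, not from the article or from GitLinks) of the inventory step the quote above says most companies skip: walk a deployment directory, record which application ships which Struts core jar, and flag anything older than its branch's fixed release or on a branch the table does not cover. The directory layout, the jar versions and the fixed-version table are placeholders I constructed, not real release numbers.

```python
import os
import re
import tempfile
from typing import Dict, Tuple

# Matches jar names such as struts2-core-2.3.20.jar or struts-core-1.3.10.jar
STRUTS_JAR = re.compile(r"^struts2?-core-(\d+(?:\.\d+)+)\.jar$")
# PLACEHOLDER thresholds, not real release numbers: fill in the first fixed
# release of each Struts branch from the Apache Struts security bulletins.
FIXED_BY_BRANCH = {"2.3": "2.3.50", "2.5": "2.5.50"}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def find_struts(root: str) -> Dict[str, str]:
    """Walk a deployment tree; map each app (top-level directory) to the Struts core version it ships."""
    found: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = STRUTS_JAR.match(name)
            if m:
                app = os.path.relpath(dirpath, root).split(os.sep)[0]
                found[app] = m.group(1)
    return found

def needs_update(found: Dict[str, str], fixed_by_branch=FIXED_BY_BRANCH) -> Dict[str, str]:
    """Flag apps below their branch's fixed release, or on a branch the table does not cover."""
    flagged: Dict[str, str] = {}
    for app, v in found.items():
        branch = ".".join(v.split(".")[:2])
        fixed = fixed_by_branch.get(branch)
        if fixed is None:
            flagged[app] = f"{v}: branch {branch} not in table, review manually"
        elif parse_version(v) < parse_version(fixed):
            flagged[app] = f"{v} is older than fixed release {fixed}"
    return flagged

def demo() -> Dict[str, str]:
    """Build a constructed deployment tree in a temp dir and run the inventory over it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("billing/WEB-INF/lib/struts2-core-2.3.20.jar",
                    "portal/WEB-INF/lib/struts2-core-2.5.60.jar",
                    "legacy/WEB-INF/lib/struts-core-1.3.10.jar",
                    "static/index.html"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()  # empty stand-in for the real jar
        return needs_update(find_struts(root))
```

Running `demo()` flags `billing` (old 2.3 release) and `legacy` (branch not in the table) and leaves `portal` alone.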

Default credential woes

If you aren’t bothering to monitor or update your open source software, chances are you haven’t bothered to change default credentials either, which is another very common source of attacks. An example is the recent Linux/Shishiga malware that uses four different protocols (SSH, Telnet, HTTP and BitTorrent) and Lua scripts for modularity, according to an analysis by security researchers at ESET. Shishiga relies on the use of weak, default credentials in its attempts to plant itself on insecure systems with a rather common hacker tactic.

This involves the age-old method of using a built-in password list that lets the malware try a variety of different passwords to see if any of them work. ESET advises that, to prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.
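To show what Shishiga-style credential guessing looks like from the defender's side, here is an added example (my code, not from ESET's analysis) that runs over a few constructed OpenSSH log lines: it flags sources that failed against several different account names, the signature of a built-in password list, and then reports any password login such a source later obtained.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in OpenSSH's syslog format, not captured from a real host.
SAMPLE_LOG = """\
Oct  3 02:14:01 gw sshd[2310]: Failed password for root from 203.0.113.7 port 51012 ssh2
Oct  3 02:14:03 gw sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
Oct  3 02:14:05 gw sshd[2311]: Failed password for invalid user pi from 203.0.113.7 port 51016 ssh2
Oct  3 02:14:07 gw sshd[2312]: Failed password for invalid user support from 203.0.113.7 port 51018 ssh2
Oct  3 02:14:09 gw sshd[2313]: Accepted password for admin from 203.0.113.7 port 51020 ssh2
Oct  3 02:20:44 gw sshd[2401]: Failed password for alice from 198.51.100.9 port 40222 ssh2
Oct  3 02:20:50 gw sshd[2402]: Accepted publickey for alice from 198.51.100.9 port 40224 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def spray_sources(log: str, min_users: int = 3) -> Dict[str, List[str]]:
    """Source IPs that failed against at least min_users distinct accounts (password-list behaviour)."""
    users_by_ip = defaultdict(set)
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            users_by_ip[m.group(2)].add(m.group(1))
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}

def successes_after_spray(log: str, min_users: int = 3) -> List[Tuple[str, str]]:
    """(account, ip) pairs where a spraying source got in with a password: a default credential worked."""
    sprayers = spray_sources(log, min_users)
    hits = []
    for line in log.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password" and m.group(3) in sprayers:
            hits.append((m.group(2), m.group(3)))
    return hits

if __name__ == "__main__":
    print(spray_sources(SAMPLE_LOG))
    print(successes_after_spray(SAMPLE_LOG))
```

A single failed login from alice's address does not trip the threshold, while the address cycling through root, admin, pi and support does, and its later password login on admin is the line worth paging someone about.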

More Linux security attacks


Another recent attack on Linux security and open source software was the “BlueBorne” attack vector that exploits vulnerabilities in Bluetooth implementations. It can take over a device and use it to spread malware or ransomware and become part of a botnet. At risk are almost 5.3 billion devices that use Windows, iOS, Android and Linux-based operating systems. Examples of a few Linux devices at risk are Samsung’s Gear S3 smartwatch, a few Samsung televisions, drones, Tizen devices, and some Linux desktop PCs and servers.

A recent analysis by WatchGuard Technologies of over 26,500 active UTM appliances around the world has some interesting revelations. The study revealed that while overall malware detection dropped by 52 percent from Q4 2016, Linux malware comprised more than a third (36 percent) of the top threats observed during the period. Among the top 10 threats detected were Linux/Exploit, Linux/Downloader and Linux/Flooder, the latter related to generic DDoS tools.

Linux/Exploit is a generic term for Linux trojans that usually infect devices before scanning related networks for others hosting Telnet or SSH services, attempting to authenticate against the system using default credentials. An example is the infamous Mirai malware.

Dnsmasq flaws

To add to the misery, Google researchers have discovered at least three software bugs in a popular software package that could render devices running Linux, FreeBSD, OpenBSD, NetBSD, macOS (and proprietary firmware) vulnerable to attackers. The software package in question is called Dnsmasq and is quite commonly used to make it easier for networked devices to communicate using the domain name system and the Dynamic Host Configuration Protocol.

What makes things worse is the fact that it comes pre-packaged in Android, Ubuntu, and most other Linux distributions, and it can also run on a lot of other operating systems as well as in router firmware. Google researchers in a blog post stated that out of the seven vulnerabilities found in Dnsmasq, three were flaws that allowed the remote execution of malicious code.

Address space layout randomization is a key protection feature of Dnsmasq that’s designed to prevent malicious payloads from executing code. One of the code execution flaws along with a separate information leak bug discovered by Google can be used together to bypass this protection feature. Google executives further commented on the flaw calling it a “trivial-to-exploit, DHCP-based, stack-based buffer overflow vulnerability.”

Patching vulnerabilities

Google researchers have been working together with Dnsmasq to patch the vulnerabilities in version 2.78, which is available here. Android has also been affected by one of the less-severe bugs, and a fix was distributed in the October Android security update that was pushed out to affected devices in November. This just goes to show that as soon as you think you are safe and become complacent, you are exactly the type of target a hacker is looking for.

Hopefully, it will no longer be taken for granted that Linux and open source software are “inherently safe” and that only Windows systems need active security and monitoring. In a day and age where hackers have the same technology and equipment at their disposal as the rest of the world, nothing can be taken for granted anymore. As the attacks get more frequent and patches become more common, it won’t be long before Linux and all open source software are monitored and updated with the same vigilance as Windows systems.

Photo credit: Wikimedia


1 thought on “Linux security concerns rise as hackers target the OS”

  1. The most recent attacks on Linux only became possible due to the fact that many companies use very bad practices and become easily vulnerable. And this is indeed not the problem of Linux.

    If you follow these guidelines, hackers will always have a really hard time:

    * Always stay up to date, even if some asshole boss advises bad update practices.

    * Use a system wide restricted shell, or set firejail as your user shell. Mostly important for workplaces.

    * Use only free drivers/firmware if you can. Always try to reduce/mitigate untrusted proprietary software.

    * Use strong passwords and public-key based ssh access, with knockd and fail2ban. Some devices like Nitrokeys are very good too.

    * Make use of volume separation to restrict volumes with ro, nodev, noexec, and nosuid flags. The usage of chattr +i file is nice too.

    * Use extensions like uBlock-Origin, uMatrix and NoScript in your browser, as a first line of defence. And always run browsers with firejail and apparmor profiles.

    * Use strong encryption everywhere, with solid solutions like gpg or dm-crypt/LUKS. Also full disk encryption to mitigate direct local attacks against the entire OS.

    * Use only independently developed upstream distros like Debian, with very strong security guidelines, reproducible builds and great communities.

    * Always use a minimal set of packages to reduce the overall attack surface. Fewer packages result in fewer vulnerabilities. Even a minimal custom kernel is useful to reduce attacks against the kernel itself.

    * Use solutions like firejail, tomoyo, and apparmor to run many pieces of software more safely. Also have a look at systemd, which has sandboxing features too for all system services, or system wide settings like NoNewPrivileges. Also use usbauth/usbguard against rogue devices.

    Security in general is always a process, and Linux has the potential to be the most secure OS out there.
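As an added example tied to the volume-separation item in the comment above (my code, not the commenter's), this audits a constructed /proc/mounts excerpt against a per-mountpoint flag policy and reports missing flags or paths that are not separate volumes at all. The policy table is an assumed example policy, not a recommendation from the page.

```python
from typing import Dict, List, Set

# Constructed /proc/mounts excerpt (device mountpoint fstype options dump pass), not from a real host.
SAMPLE_MOUNTS = """\
/dev/mapper/root / ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,relatime,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/mapper/var /var ext4 rw,relatime,nosuid 0 0
"""

# Assumed example policy: which flags each separated volume should carry. Tune to your own system.
POLICY: Dict[str, Set[str]] = {
    "/home": {"nosuid", "nodev"},
    "/tmp": {"nosuid", "nodev", "noexec"},
    "/var/tmp": {"nosuid", "nodev", "noexec"},
    "/var": {"nosuid", "nodev"},
    "/boot": {"ro", "nosuid", "nodev", "noexec"},
}

def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Map mountpoint -> set of mount options from /proc/mounts-style lines."""
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts[parts[1]] = set(parts[3].split(","))
    return mounts

def audit(mounts: Dict[str, Set[str]], policy: Dict[str, Set[str]] = POLICY) -> Dict[str, List[str]]:
    """Mountpoint -> sorted missing flags; a policy path that is not its own volume is reported as such."""
    findings: Dict[str, List[str]] = {}
    for path, required in policy.items():
        if path not in mounts:
            findings[path] = ["not a separate volume"]
            continue
        missing = sorted(required - mounts[path])
        if missing:
            findings[path] = missing
    return findings

if __name__ == "__main__":
    for path, problems in audit(parse_mounts(SAMPLE_MOUNTS)).items():
        print(f"{path}: {', '.join(problems)}")
```

On a live host, feed it the contents of /proc/mounts instead of the sample; /home and /tmp pass here, /var lacks nodev, /boot lacks everything the policy asks for, and /var/tmp is still on the root volume.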
