APT groups are increasingly executing targeted attacks against Linux-based devices as well as developing more Linux-focused tools, according to an investigation by Kaspersky.
This is as a result of a growing number of organizations’ selecting Linux ahead of Windows to run their strategically important servers and systems, and the perception that the Linux operating system is safer and less likely to be targeted by malware as it is less popular.
However, threat-actors have been observed to adapt their tactics to take advantage of this trend, and Kaspersky noted that “over a dozen APT actors have been observed to use Linux malware or some Linux-based modules” during the past eight years.
These include notorious groups such as Turla, Lazarus, Barium, Sofacy, the Lamberts and Equation. Kaspersky highlighted the example of Russian speaking APT group Turla using Linux backdoors as part of its changing toolset in recent years.
The cybersecurity company added that while targeted Linux-based systems are still uncommon, there is still malware designed to target them, including webshells, backdoors, rootkits and even custom-made exploits.
This means organizations should not be complacent about the threat posed, especially as the consequences of a successful compromise of a server running Linux are often severe. This can include attackers gaining access to the endpoints running Windows or macOS in addition to the infected device.
Yury Namestnikov, head of Kaspersky’s Global Research and Analysis Team (GReAT) in Russia commented: “The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception. Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. We advise cybersecurity experts to take this trend into account and implement additional measures to protect their servers and workstations.”
Commenting on the findings, Boris Cipot, senior security engineer at Synopsys said: "It is not a big shock that Linux-based systems also have vulnerabilities and are subject to attacks. There is a common misconception which suggests that Linux-based systems are unbreachable, or that a Mac cannot be affected by malware. Unfortunately, this is not accurate.”
Earlier today, ESET announced it has discovered an entirely new type of Linux malware designed to attack a specific VoIP platform.