Linux environments are considered safer and more secure than Windows environments. For accessibility and security reasons, cloud services, container-based infrastructure, and virtual machines (VMs) are built on Linux. Considering this, threat actors have started targeting Linux vulnerabilities with sophisticated malware. As predicted in the Rewterz Threat Intel Report, ransomware has increased exponentially this year (although it is only Q1 of 2022). Ransomware groups are targeting Linux hosts to infect virtual-machine containers or images. Cobalt Strike is a legitimate penetration-testing (pen-test) toolkit that deploys “beacons” on infected devices to perform malicious actions; it is commonly used in ransomware attacks. The tool has become a standard way to manage compromised machines, so much so that Linux-based, protocol-compatible versions of the tool have been developed and deployed.
“Most research has been focused on the Windows side, but we are now seeing an increase in attacks on the Linux side and especially against multicloud infrastructure,” a threat analyst from VMware says. “Most of the cases we see involve misconfiguration at the hypervisor level or, at the server level, shared accounts, shared passwords, and poorly configured role-based access controls.”
“The main attack surface area is still stolen credentials, which has the advantage that it takes a longer time to understand that a compromise has happened,” he says. “The login could seem absolutely normal and an attacker gets access to resources, but it’s not until things start going in the wrong direction that the breach is actually identified.”