[BreachExchange] Attackers Increasingly Target Linux in the Cloud

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Aug 24 09:02:27 EDT 2021


https://www.darkreading.com/threat-intelligence/attackers-increasingly-target-linux-in-the-cloud

Linux has been the favored operating system of system administrators and
hackers, but now the operating system has become a significant target of
cybercriminals as well, with malware — such as Web shells and coin miners —
running from Linux containers and about 200 different Linux vulnerabilities
targeted in attacks.

That data, from security firm Trend Micro, underscores how containers have
taken off and some of the most popular ones have a significant number of
vulnerabilities. The official Python image, for example, has 482
vulnerabilities — 32 of them critical — while the official WordPress image
has 402 vulnerabilities, 26 of them critical.

Companies need to ask themselves how they intend to secure their container
infrastructure, says Aaron Ansari, vice president of cloud security at
Trend Micro.

"If there are vulnerabilities, how are you going to patch them?" he says,
adding that companies that do not have a quick time-to-patch need to take
alternative steps. "That is when you need to have something to defend your
systems — especially your critical ones. If it is a critical system, you
need to find some way to secure it."

Driven by the widespread adoption of cloud, containerization, and
infrastructure as code, Linux adoption has taken off. More than 77% of all
websites run Unix, with the majority — and likely the vast majority —
running Linux, according to Web technology survey firm W3Techs. Among Trend
Micro customers, companies deploying containers and virtual servers into
cloud infrastructure, 61% use Linux and 39% use Windows, the company said.
Almost three-quarters of Linux installations use Red Hat Enterprise Linux,
AWS Linux, Ubuntu, or CentOS.

Little wonder, then, that 95% of all security events detected by intrusion
prevention systems (IPSs) targeted those operating systems, with 43% of
attacks and probes aimed at Amazon Linux, 29% at Red Hat Enterprise Linux,
15% at various flavors of Ubuntu, and 8% at CentOS, according to Trend
Micro data. The data represents events logged by 100,000 unique Linux hosts.

"Most of the applications and workloads exposed to the internet run
applications, [with] web application attacks happen to be the most common
attack vector in our telemetry," Trend Micro states in the report. "If
launched successfully, web app attacks can allow hackers to execute
arbitrary scripts, compromise secrets, or modify, extract, and even destroy
data."

The data comes from Trend Micro's data lake combining the detections across
all the company's products, augmented with additional data from honeypots,
sensors, and other telemetry. The company logged 13 million events linked
to malware, which mainly included Linux containers that had malicious code
and either were downloaded by an attacker or mistakenly downloaded by a
developer or operations team. Coin miners, Web shells, and ransomware made
up the majority of the malicious containers, accounting for 26%, 20%, and
12%, respectively, of the events logged by Trend Micro.

The company also analyzed the more than 50 million events of attempted
exploitation, of which 40% targeted the Apache Struts Web application
framework and 36% targeted the Netty client-server framework. The most
common vulnerabilities are more than 3 years old, but companies are often
slow to refresh their container infrastructure, says Ansari.

"Organizations that are using infrastructure as code, and they are
deploying the same infrastructure across containers time and time again,"
he says. "Those environments are not based on the most up-to-date images.
If you are putting out a CentOS kernel that you have used for the past two
years, then the need to update those images ... is crucial."

Unfortunately, security operations teams are often short on staff and are
slow to update container infrastructure, he says. Attackers are taking
advantage of the failure to pay down security debt — about 20% of attacks
are targeting the OWASP Top 10 vulnerabilities, while two simpler attacks,
brute-force and directory-traversal attacks, are even more common,
accounting for 59% of all attacks.

Companies need to make sure they have the staff, technology, and processes
in place to keep containers up to date and have some runtime controls in
place, Ansari says.

"If you boil it down to our major recommendations, we are asking three big
questions: How secure are your images, can your images be trusted, and do
you have the proper identity and access?" he says. "A lot of companies
do not have the same capabilities in the cloud as on-premises, and they
need to be aware of that."