As the most common cloud operating system, Linux is a core part of digital infrastructure and is quickly becoming an attacker’s ticket into a multi-cloud environment. Current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks that target Linux-based workloads.
VMware has released a threat report titled “Exposing Malware in Linux-Based Multi-Cloud Environments.” Key findings that detail how cybercriminals are using malware to target Linux-based operating systems include:
- Ransomware is evolving to target host images used to spin workloads in virtualized environments;
- 89 percent of cryptojacking attacks use XMRig-related libraries; and
- More than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly.
“Cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware. “Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that compromising a single server can deliver the massive payoff and access they’re looking for. Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data. Unfortunately, current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems.”
As malware targeting Linux-based operating systems increases in both volume and complexity amid a rapidly changing threat landscape, organizations must place a greater priority on threat detection.
In this report, the VMware Threat Analysis Unit (TAU) analyzed the threats to Linux-based operating systems in multi-cloud environments: ransomware, cryptominers, and remote access tools.
