22 September 2020

Penguin is in danger: APT targets Linux users

09/20/2020 12:51:31 PM




Looks like the Penguin is in danger as of late. Kaspersky has recently identified a trend: more and more threat actors are executing targeted attacks against Linux-based devices while developing more Linux-focused tools.

The latest press release from the cybersecurity company says that over a dozen APT actors have been observed using Linux malware or some Linux-based modules over the past eight years. These include Barium, Sofacy, the Lamberts, and Equation, as well as more recent campaigns such as LightSpy by TwoSail Junk and WellMess, to name a few. Diversifying their arsenal with Linux tools enables threat actors to conduct operations more effectively and with a wider reach.

There is a significant trend in many countries towards using Linux as a desktop environment in big enterprise companies, as well as in governmental entities, which pushes threat actors to develop malware for this platform. The myth that Linux, being a less popular operating system, is unlikely to be targeted by malware invites additional cybersecurity risks.

While targeted attacks on Linux-based systems are still uncommon, there is certainly malware designed for them—including webshells, backdoors, rootkits, and even custom-made exploits. Moreover, the small number of attacks is misleading as the successful compromise of a server running Linux often leads to significant consequences. These include attackers not only being able to access the infected device but also endpoints running Windows or macOS, thus providing wider access for attackers which might go unnoticed.

One example of this is Turla, a prolific Russian-speaking group known for its covert exfiltration tactics, which has significantly changed its toolset over the years, including the use of Linux backdoors. According to Kaspersky's telemetry, a new modification of the Penguin_x64 Linux backdoor that was reported earlier in 2020 has infected dozens of servers in Europe and the US, as recently as July 2020.

Another example is Lazarus, a Korean-speaking APT group that continues to diversify its toolset and develop non-Windows malware. Kaspersky recently reported on the multi-platform framework called MATA, and in June 2020, researchers analyzed new samples linked to the Lazarus “Operation AppleJeus” and “TangoDaiwbo” campaigns, used in financial and espionage attacks. The samples studied included Linux malware.

“The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception. Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. We advise cybersecurity experts to take this trend into account and implement additional measures to protect their servers and workstations,” comments Yury Namestnikov, head of Kaspersky’s Global Research and Analysis Team (GReAT) in Russia.

To help Linux users protect themselves from these cyberattacks, Kaspersky researchers recommend implementing the following measures:
  • Maintain a list of trusted software sources and avoid using unencrypted update channels
  • Do not run binaries and scripts from untrusted sources. Widely advertised ways to install programs with commands like “curl https://install-url | sudo bash” pose a security nightmare
  • Make sure your update procedure is effective and set up automatic security updates
  • Spend time to set up your firewall properly: make sure it logs network activity, block all ports you don't use, and minimize your network footprint
  • Use key-based SSH authentication and protect keys with passwords
  • Use 2FA (two-factor authentication) and store sensitive keys on external token devices (e.g. Yubikey)
  • Use an out-of-band network tap to independently monitor and analyze network communications of your Linux systems
  • Maintain system executable file integrity and review configuration file changes regularly
  • Be prepared for insider/physical attacks: use full disk encryption, trusted/safe boots, and put tamper-evident security tape on your critical hardware
  • Audit the system and check logs for indicators of attack
  • Run penetration tests on your Linux setup
  • Use a dedicated security solution with Linux protection such as Integrated Endpoint Security [https://www.kaspersky.com/enterprise-security/endpoint]. This provides web and network protection to detect phishing, malicious web sites and network attacks as well as device control, allowing users to define rules for transferring data to other devices
  • Kaspersky Hybrid Cloud Security allows protection for DevOps, enabling integration of security into CI/CD platforms and containers, and the scanning of images against supply-chain attacks  
Read the full overview of Linux APT attacks and a deeper explanation of the security recommendations on Securelist.com.
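
The recommendation above to maintain system executable file integrity can be illustrated with a hash baseline. This is an added example, not part of the Kaspersky release or the original post; the function names (`baseline`, `report_changes`, `demo`) and the sample tree are constructed for illustration, and GNU coreutils and findutils are assumed.

```shell
#!/bin/sh
# Minimal file-integrity baseline (added example; GNU coreutils/findutils assumed).

# baseline DIR MANIFEST: record the SHA-256 of every regular file under DIR.
# Keep MANIFEST outside DIR, ideally on read-only or remote storage.
baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# report_changes DIR MANIFEST: print ADDED/MODIFIED/REMOVED paths relative to
# the recorded baseline; prints nothing when the tree is unchanged.
report_changes() {
    current=$(mktemp) || return 2
    baseline "$1" "$current"
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        !(path in old)      { print "ADDED " path; next }
        old[path] != hash   { print "MODIFIED " path }
        { seen[path] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | sort
    rm -f "$current"
}

# Constructed demo tree standing in for a directory of system executables.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/bin"
    printf 'original\n' > "$root/bin/sshd"
    printf 'helper\n'   > "$root/bin/cron-helper"
    baseline "$root/bin" "$root/manifest"

    printf 'replaced\n' > "$root/bin/sshd"        # content changed after baseline
    rm "$root/bin/cron-helper"                     # file deleted
    printf 'new\n'      > "$root/bin/.hidden"      # unexpected new file

    report_changes "$root/bin" "$root/manifest"
    rm -rf "$root"
}

demo
```

A baseline like this is only as trustworthy as the manifest and the tools that read it, so the manifest belongs on storage the monitored host cannot modify.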

Author: slickmaster | © 2020 The SlickMaster's Files
