With 90% of multi-cloud environments running on Linux-based systems and current malware countermeasures mostly focused on addressing Windows-based threats, attackers have found a golden opportunity to strike as cybercriminals are increasingly targeting Linux-based operating systems, according to latest research from VMware.
The company’s new report, “Exposing Malware in Linux-based Multi-Cloud Environments,” shows ransomware is evolving to target Linux host images used to spin workloads in virtualized environments. Attackers are looking for the most valuable assets in cloud environments to inflict the most damage to the target, as exhibited in DarkSide’s ransomware attack, which crippled Colonial Pipeline’s networks causing a national gasoline shortage in the U.S.
Cybercriminals are also looking for instant monetary rewards often by cryptojacking— where criminals secretly use a victim’s computing power to generate cryptocurrencies against their will. Cryptojacking attacks are often focused on mining the Monero currency (or XMR). The VMware Threat Analysis Team (TAU) discovered 89% of cryptominers used XMRig-related libraries. Since these types of attacks do not completely disrupt the operations of cloud environments, they are more difficult to detect.
Related: What The Colonial Pipeline Ransomware Attack Says About Infrastructure Security
Attackers are also using malware, webshells and remote access tools to gain access to Linux systems, VMware says. One of the primary implants used by attackers is Cobalt Strike, according the VMware’s research. Cobalt Strike is a commercial penetration testing and red team tool, and recent variant of the Linux-based Vermilion Strike.
VMware TAU discovered more than 14,000 active Cobalt Strike Team Servers on the internet between February 2020 and November 2021. The fact that RATs like Cobalt Strike and Vermilion Strike have become a commodity tool for cybercriminals poses a significant threat to enterprises.
Now, organizations must place a greater priority on threat detection.
“As attacks targeting the cloud continue to evolve, organizations should adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface,” said Brian Baskin, manager of threat research at VMware in a statement.