New research on Monday by Trend Micro found that 76% of attacks on Linux systems in the cloud are web-based.
The leading types of malware included the following: coinminers (24.5%), web shells (19.9%), ransomware (11.5%), and trojans (9.6%).
Of the web-based attacks, 21.2% fall into the Open Web Application Security Project (OWASP) Top 10 categories. Within that group, 27.1% were SQL injections, 23.1% were command injections, 21.8% were cross-site scripting, and 17.5% were insecure deserialization.
The report also noted that Censys.io, a search engine for internet-connected devices, returned some 14 million results when it scanned the internet on July 6, 2021, for exposed devices running any Linux OS.
It's no surprise that the majority of these attacks are web-based because every website is different and written by different developers with varied skill sets, said Shawn Smith, director of infrastructure at nVisium. Combine this with the reality that not all developers are security gurus, and hackers have an incredibly alluring target.
“Web servers are one of the most common services to expose to the internet because the majority of the world interacts with the internet through websites,” Smith said. “There are other areas exposed — like FTP or IRC servers — but the vast majority of the world uses websites as their main contact point to the internet. As a result, this is where attackers will focus to get the biggest return on investment for their time spent.”
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, said that, as with any operating system, security depends entirely on how security teams configure and manage it. Each new Linux update tries to improve security; to get the most value from those improvements, however, security teams must enable and configure them correctly.
“The state of Linux security today is rather good and has evolved in a positive way with much more visibility and security features built in,” Carson said. “Nevertheless, like many operating systems, security teams must install, configure and manage it with security in mind as that’s how cybercriminals take advantage, via the human touch.”
John Bambenek, threat intelligence advisor at Netenrich, added that the LAMP stack (Linux, Apache, MySQL, PHP) democratized the Internet so anyone can set up a web application.
“The problem with that is that anyone can now set up a web app,” said Bambenek. “While we are still waiting for the year of Linux on the Desktop, it’s important for organizations to use best practices for their web presence. Typically, this means staying on top of CMS patches/updates and routine scanning to find and remediate SQL injection vulnerabilities.”