Over the last few years, the global workforce has undergone a significant change in how it operates. The change was accelerated when the pandemic hit, as many businesses were forced to adapt or die. The traditional internal network and data center structure had to change. There was also a cost advantage that helped push this along. Many small to medium sized businesses were already there and happily took advantage of the change in the market. As we have said many, many times, attackers follow trends, so they followed this one as well.
We started to see more Linux based malware and attack tools show up. These appear to be the opening moves in new campaigns more than truly sophisticated attacks, much like the probing actions at the start of a war. Attack groups tend to be reserved in their actions; they want a big payoff for their efforts, so it is not likely they have spent a lot of time developing tools at this stage but are looking to see what the landscape has to offer. As with their attacks on Windows, they are looking for misconfigurations and unpatched vulnerabilities in Linux based environments. This is less about skillset than it is about not expending unnecessary resources.
Items that play in their favor are the uninformed belief that Linux systems are inherently less vulnerable to attack and that cloud services are more secure. Both misconceptions end up leaving holes that attackers can use to get into and compromise an environment. Once a foothold is established, the attacker looks to compromise as much of the environment as possible (just like with Windows). Depending on the purpose of the campaign, they will want to ensure they have continued access to the environment as well. They will look to mimic existing connections as much as possible so they can avoid detection.
Currently the big operations seem to be focused on ransomware and data exfiltration, as well as cryptomining using cloud resources. Both can have a solid payout for the group in question and are not complicated to roll out. Another area of interest for attackers is the compromise of container clusters, either by compromising the original image or by manipulating the management software that controls code distribution and updates for the cluster itself. In environments like this, being able to inject arbitrary code at will is the goal, and it can allow an attacker to maintain persistence across multiple platforms and updates.
Organizations should review their security tools and cloud configurations, and set up monitoring of accounts and connections to identify and prevent these types of attacks. This will be different from what they might be used to in a Windows centric environment, but it still should be done. It is also very important to limit administrative access to these environments to a small number of users. These user connections and the endpoints used to connect should also be secured from compromise to help prevent access into your environment.
We are likely to see attacks against all operating systems continue to rise as attackers broaden their view. The idea that one operating system is more secure than another is, and always has been, very misleading. It is less about the actual security of the OS than it is about the payoff for attackers. The operating system that can pay the most or have the biggest impact with the least amount of actual effort is going to be the primary target. Every OS, regardless of who develops it, should be secured against attack using the proper tools to prevent exploitation by threat groups. There really is no other way to go.