Linux 🐧: no longer safe, a storm of threats is coming!

Here we have covered many threats and vulnerabilities related to Windows, and only a little about Linux. That does not mean the latter OS is safer: it has started raining threats on Linux, and researchers predict the worst is still to come.

Linux users have been warned to up their security protection following new research which found the system could be facing a significant rise in cyber threats.

There has been a rise in the number of criminals targeting Linux, which is often thought to be safer and more secure than other operating systems.

Linux security

The trend in attacks is particularly worrying as more organisations choose Linux for strategically important servers and systems over Windows.

Researchers found that Linux systems could be at risk from advanced persistent threats (APTs) and targeted attacks by hackers who have created specifically Linux-focused tools.

A dozen APT actors, including dangerous threat groups such as Lazarus, have been observed to use Linux malware or some Linux-based modules in recent years, diversifying their attacks across multiple operating systems in a bid to maximize returns.

The company notes that there is a myth that Linux, being a less popular operating system, is unlikely to be targeted by malware. However, this is often not the case: smaller, more targeted attacks are becoming the norm, especially in environments using multiple operating systems, where access to an infected device could allow hackers to reach endpoints running Windows or macOS.

Lazarus, which is reportedly based in North Korea, has used Linux malware to carry out widespread attacks and attempts to target multiple organisations in the US and Europe.

“Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. Cybersecurity experts need to take this trend into account and implement additional measures to protect their servers and workstations.”

Maintaining a list of trusted software sources, avoiding unencrypted update channels, and not running binaries and scripts from untrusted sources are some of the ways to escape such threats.

Lemon_Duck targets Linux

The Lemon_Duck cryptomining malware was first spotted in June 2019 by researchers from Trend Micro while it was targeting enterprise networks. The threat gained access via brute-force attacks on the MS SQL service and by leveraging the EternalBlue exploit.

Upon infecting a device, the malware delivers an XMRig Monero (XMR) miner.

The malware is also being distributed via large-scale COVID-19-themed spam campaigns; the messages use an RTF exploit targeting CVE-2017-8570, a Microsoft Office RCE, to deliver the malicious payload.

The authors of the Lemon_Duck cryptomining malware have also added a module that exploits the SMBGhost (CVE-2020-0796) Windows SMBv3 Client/Server RCE.

Experts noticed that the threat actors exploited the CVE-2020-0796 flaw to collect information on compromised machines instead of running arbitrary code on the vulnerable systems.

The Lemon_Duck miner uses a port scanning module that searches for Internet-connected Linux systems listening on TCP port 22 (SSH remote login), then launches SSH brute force attacks.

The brute-force module performs port scanning to find machines listening on port 22/tcp (SSH remote login). When it finds them, it launches an SSH brute force attack on these machines with the username root and a hardcoded list of passwords. If the attack is successful, the attackers download and execute malicious shellcode.

Then the Lemon_Duck malware attempts to gain persistence by adding a cron job, and it collects SSH authentication credentials from the /.ssh/known_hosts file in an attempt to infect more Linux devices across the network.
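As an added example (not from the original post or from any vendor report), here is a small defender-side check for the SSH pattern described above: it scans auth.log lines for repeated failed root password logins from one source and flags a later successful root login from the same source. The log lines and the 203.0.113.7 / 198.51.100.9 addresses are constructed for the example, and the failure threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not real data); the addresses are from
# documentation ranges. The first source fails root four times, then succeeds.
SAMPLE_AUTH_LOG = """\
Jun  3 10:01:02 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun  3 10:01:03 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 50123 ssh2
Jun  3 10:01:04 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 50124 ssh2
Jun  3 10:01:05 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 50125 ssh2
Jun  3 10:01:06 web1 sshd[4121]: Accepted password for root from 203.0.113.7 port 50126 ssh2
Jun  3 10:02:10 web1 sshd[4130]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jun  3 10:02:30 web1 sshd[4131]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches the standard sshd "Failed password" / "Accepted password" messages.
SSHD_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_root_bruteforce(log_text, threshold=3):
    """Return {src_ip: summary} for sources that repeatedly fail root logins.

    A source is reported once its failed root password logins reach
    `threshold` (an assumed value). A later successful root password login
    from the same source is marked as success_after_failures, which is the
    brute-force-then-login pattern the post describes.
    """
    failures = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = SSHD_AUTH_RE.search(line)
        if not m or m.group("user") != "root":
            continue  # only root logins are relevant to this check
        src = m.group("src")
        if m.group("result") == "Failed":
            failures[src] += 1
            if failures[src] >= threshold:
                findings.setdefault(src, {"failed": 0, "success_after_failures": False})
                findings[src]["failed"] = failures[src]
        elif failures[src] > 0:
            # Accepted root password login from a source that failed earlier.
            findings.setdefault(src, {"failed": failures[src], "success_after_failures": False})
            findings[src]["success_after_failures"] = True
    return findings

if __name__ == "__main__":
    for src, info in detect_root_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['failed']} failed root logins, "
              f"success after failures: {info['success_after_failures']}")
```

On a real host, feed it the contents of /var/log/auth.log (or the journal's sshd entries); a hit with success_after_failures set is worth checking against the cron entries and known_hosts activity the post mentions.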

Upon infection, the Lemon_Duck attackers attempt to disable SMBv3 compression through the registry and block the standard SMB network ports 445 and 135 to prevent other threat actors from exploiting the same vulnerability. It is a new form of cryptojacker, and it is getting more sophisticated.