{"id":19289,"date":"2022-06-08T06:10:22","date_gmt":"2022-06-08T14:10:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/06\/08\/news-13022\/"},"modified":"2022-06-08T06:10:22","modified_gmt":"2022-06-08T14:10:22","slug":"news-13022","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/08\/news-13022\/","title":{"rendered":"5 Linux malware families SMBs should protect themselves against"},"content":{"rendered":"<p><strong>Credit to Author: Bill Cozens| Date: Wed, 08 Jun 2022 13:43:32 +0000<\/strong><\/p>\n<p>There\u2019s no shortage of reasons why an SMB might use Linux to run their business: There are plenty of distros to choose from, it\u2019s (generally) free, and perhaps above all \u2014 it\u2019s secure.<\/p>\n<p>The common wisdom goes that Linux malware is rare, and for the most part this is true. Thanks to its built-in security defenses, strict user privilege model, and transparent source code, Linux enjoys far fewer malware infections than other operating systems.<\/p>\n<p>But unfortunately, there\u2019s more to Linux security than just leaning back in your chair and sipping pi\u00f1a coladas. There are dozens of Linux malware families out there today threatening SMBs with anything from ransomware to DDoS attacks.<\/p>\n<p>In this post, we\u2019ll give you an overview of five Linux malware families your SMB should be protecting itself against \u2014 and how they work.<\/p>\n<h2><a><\/a>1.&nbsp;&nbsp; Cloud Snooper<\/h2>\n<p>In early 2020, researchers <a href=\"https:\/\/www.darkreading.com\/cloud\/-cloud-snooper-attack-circumvents-aws-firewall-controls\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">found something weird<\/a> going on with Linux servers hosted by Amazon Web Services (AWS). Specifically, some of those servers were receiving anomalous inbound traffic.<\/p>\n<p>In a perfect world, a server\u2019s firewall (on AWS, its security group) would admit inbound traffic only on the ports the server is meant to serve, such as 80 and 443 for a web server. 
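<\/p>\n<p>As an added example that is not part of the original post, here is the kind of log-side check that expectation implies: it parses iptables LOG lines, confirms that accepted inbound connections hit only the allow-listed ports, and flags clients that keep connecting from a small fixed set of non-ephemeral source ports, which is how the published Cloud Snooper analysis described the rootkit receiving its commands inside otherwise ordinary packets. The log lines, addresses, port numbers and the allow-list are constructed for the example.<\/p>

```python
# Added example, not code from the original post: a log-side check of the
# 'only the expected ports' assumption. It parses iptables LOG lines (the
# lines below are constructed), confirms that accepted inbound TCP connections
# hit only allow-listed destination ports, and flags clients that keep
# connecting from a small fixed set of non-ephemeral source ports. A normal
# client takes a fresh ephemeral source port for every connection; the public
# Cloud Snooper analysis reported the rootkit reading commands out of the
# source ports of otherwise ordinary inbound packets. The addresses and port
# numbers used here are constructed, not the real sample's.
from collections import defaultdict

# Lower bound of the default Linux client port range (net.ipv4.ip_local_port_range).
EPHEMERAL_MIN = 32768
# Ports this web server is meant to expose: an assumption for the example.
ALLOWED_DPORTS = {80, 443}

SAMPLE_LOG = '''
Jun  8 13:40:01 web1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=443 SYN
Jun  8 13:40:02 web1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=443 SYN
Jun  8 13:41:10 web1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=1010 DPT=80 SYN
Jun  8 13:41:11 web1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=2020 DPT=80 SYN
Jun  8 13:41:12 web1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=1010 DPT=80 SYN
Jun  8 13:41:13 web1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=2020 DPT=80 SYN
Jun  8 13:42:00 web1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=2053 SYN
Jun  8 13:42:05 web1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=UDP SPT=40001 DPT=53
'''


def parse_line(line):
    '''Collect the KEY=VALUE fields of one iptables LOG line into a dict.'''
    fields = {}
    for token in line.split():
        if '=' in token:
            key, _, value = token.partition('=')
            fields[key] = value
    return fields


def audit(log_text, allowed_dports=ALLOWED_DPORTS, max_distinct_sports=4, min_conns=3):
    '''Return (unexpected, suspicious).

    unexpected: set of (src, dport) pairs accepted on a port that is not on the
    allow-list, which means the ruleset no longer matches the intent.
    suspicious: {src: sorted source ports} for clients with at least min_conns
    connections that all came from a tiny, fixed set of non-ephemeral ports.
    '''
    unexpected = set()
    sports_by_src = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get('PROTO') != 'TCP' or 'SPT' not in f or 'DPT' not in f:
            continue
        src, sport, dport = f['SRC'], int(f['SPT']), int(f['DPT'])
        if dport not in allowed_dports:
            unexpected.add((src, dport))
        sports_by_src[src].append(sport)
    suspicious = {}
    for src, ports in sports_by_src.items():
        distinct = set(ports)
        if (len(ports) >= min_conns and len(distinct) <= max_distinct_sports
                and max(distinct) < EPHEMERAL_MIN):
            suspicious[src] = sorted(distinct)
    return unexpected, suspicious


if __name__ == '__main__':
    found_unexpected, found_suspicious = audit(SAMPLE_LOG)
    for src, dport in sorted(found_unexpected):
        print('accepted on non-allow-listed port:', src, '->', dport)
    for src, ports in found_suspicious.items():
        print('fixed low source ports from', src, ':', ports)
```

<p>The second check matters more than the first. The rootkit does not open a new port; it hides behind an allowed one, so a port scan and the ruleset both look clean, and only traffic-level anomalies such as reused low source ports give it away. Where possible, run the same logic over the VPC flow logs rather than over host logs, because a kernel rootkit can also alter what the host itself records.<\/p>\n<p>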
With the Cloud Snooper malware, however, attacker traffic sneaks past those firewall rules and reaches a backdoor on the Linux server \u2014 a big no-no.<\/p>\n<h3><a><\/a>How it works<\/h3>\n<p>The hackers pull this off with a <a href=\"https:\/\/www.malwarebytes.com\/rootkit\">rootkit<\/a>, malicious code that runs with the highest privileges on a system and hides its own presence and that of other malware. Attackers use the rootkit to then install a <a href=\"https:\/\/www.malwarebytes.com\/backdoor\">backdoor trojan<\/a> which can steal sensitive data from the servers.<\/p>\n<p>At a high level, Cloud Snooper gets past firewall rules by sending innocent-looking requests to the web server on ports the firewall already allows; those requests carry hidden instructions that the rootkit intercepts and hands to the backdoor trojan, so the firewall only ever sees ordinary web traffic. From there, the attackers can do anything from logging computer activity to stealing data or deleting files.<\/p>\n<p>It\u2019s still unclear how the malware is installed in the first place, though the researchers think attackers break into servers over SSH.<\/p>\n<h2><a><\/a>2.&nbsp;&nbsp; QNAPCrypt<\/h2>\n<p>If you wake up one morning and find that all of your files are encrypted along with a ransom note demanding a Bitcoin payment \u2014 you just may have been hit with QNAPCrypt.<\/p>\n<p>QNAPCrypt (also tracked as eCh0raix) is ransomware that specifically targets Linux-based NAS (Network Attached Storage) servers. It gets its name from QNAP, a popular NAS vendor.<\/p>\n<h3><a><\/a>How it works<\/h3>\n<p>QNAPCrypt exploits <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-28799\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">a vulnerability in QNAP NAS running HBS 3<\/a> (Hybrid Backup Sync), CVE-2021-28799, an improper-authorization flaw that lets remote attackers log in to a device; earlier campaigns simply brute-forced weak credentials on NAS devices exposed to the internet. 
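<\/p>\n<p>A read-only triage sweep for a share hit by this family, as an added example that is not part of the original post: it walks a directory tree, counts files carrying the .encrypt extension QNAPCrypt appends (and the .Cheers extension of Cheerscrypt, covered in section 3), locates ransom notes by name, and reports the time span of the encrypted files, which bounds when the encryption ran. The directory tree is built in a temporary folder so the script runs anywhere; the QNAPCrypt note name README_FOR_DECRYPT.txt and all file names are assumptions for the example.<\/p>

```python
# Added example, not code from the original post: a read-only triage sweep for
# a NAS share or ESXi datastore after a ransomware event. It walks a directory
# tree, counts files carrying the extensions QNAPCrypt (.encrypt) and
# Cheerscrypt (.Cheers) append, finds ransom notes by name, and reports the
# time span of the encrypted files, which bounds when the encryption ran.
# The sample tree is constructed in a temporary directory; point sweep() at a
# read-only mount of a real share instead.
import os
import tempfile
import time

# Extension -> family, as described in the article (compared lower-cased).
ENCRYPTED_EXTENSIONS = {'.encrypt': 'QNAPCrypt', '.cheers': 'Cheerscrypt'}
# Ransom-note names, lower-cased. The Cheerscrypt name is from the article;
# the QNAPCrypt name is an assumption for the example.
NOTE_NAMES = {'how to restore your files.txt', 'readme_for_decrypt.txt'}


def sweep(root):
    '''Return a summary of the tree under root: encrypted files per family,
    ransom-note paths, and the earliest and latest mtime among encrypted
    files (None when none were found). Nothing is modified.'''
    per_family = {family: 0 for family in ENCRYPTED_EXTENSIONS.values()}
    notes = []
    mtimes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in ENCRYPTED_EXTENSIONS:
                per_family[ENCRYPTED_EXTENSIONS[ext]] += 1
                mtimes.append(os.stat(path).st_mtime)
            elif name.lower() in NOTE_NAMES:
                notes.append(path)
    return {
        'files': per_family,
        'notes': sorted(notes),
        'first_mtime': min(mtimes) if mtimes else None,
        'last_mtime': max(mtimes) if mtimes else None,
    }


def build_sample_tree():
    '''Create a constructed share: two QNAPCrypt victims, one Cheerscrypt VM
    disk, two ransom notes and one untouched file, with modification times
    spaced one minute apart. Returns the root path.'''
    root = tempfile.mkdtemp(prefix='sweep-')
    os.makedirs(os.path.join(root, 'share', 'docs'))
    os.makedirs(os.path.join(root, 'datastore', 'vm1'))
    files = [
        ('share', 'docs', 'budget.xlsx.encrypt'),
        ('share', 'docs', 'README_FOR_DECRYPT.txt'),
        ('share', 'photo.jpg.encrypt'),
        ('share', 'untouched.txt'),
        ('datastore', 'vm1', 'vm1-flat.vmdk.Cheers'),
        ('datastore', 'vm1', 'How to Restore Your Files.txt'),
    ]
    now = time.time()
    for i, parts in enumerate(files):
        path = os.path.join(root, *parts)
        with open(path, 'w') as fh:
            fh.write('constructed sample content')
        os.utime(path, (now, now - 600 + 60 * i))
    return root


if __name__ == '__main__':
    summary = sweep(build_sample_tree())
    print('encrypted files per family:', summary['files'])
    print('ransom notes:', summary['notes'])
    print('encryption window (seconds):', summary['last_mtime'] - summary['first_mtime'])
```

<p>Treat the modification times as a hint only: ransomware can preserve or reset timestamps, so confirm the window against the NAS\u2019s own logs before relying on it. Leave the encrypted files and the notes in place; the note is what identifies the variant for any later decryptor.<\/p>\n<p>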
Once launched, the ransomware iterates through the files on the device and encrypts them, appending the .<strong>encrypt<\/strong> extension to each affected file.<\/p>\n<p>According to recent posts in a <a href=\"https:\/\/www.bleepingcomputer.com\/forums\/t\/617854\/ech0raix-ransomware-qnapcryptsynology-nas-encrypt-support-topic\/page-74\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">BleepingComputer forum<\/a>, ransom payments are about 0.024 BTC (~$720 USD as of June 2022).<\/p>\n<h2><a><\/a>3.&nbsp;&nbsp; Cheerscrypt<\/h2>\n<p>Does your SMB use VMware ESXi servers? If so, you had better watch out for Cheerscrypt, another Linux-based ransomware.<\/p>\n<h3><a><\/a>How it works<\/h3>\n<p>Upon execution, Cheerscrypt runs the host\u2019s own ESXCLI tool (the command-line utility used to manage ESXi hosts) to terminate all running VM processes, so that the virtual machines\u2019 files are no longer held open. It then encrypts VMware-related files (virtual disk, memory and snapshot files among them) and appends the .<strong>Cheers<\/strong> extension to each.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_ae\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">The ransom note<\/a>, named \u201cHow to Restore Your Files.txt\u201d, threatens to expose company data if the ransom is not paid.<\/p>\n<h2><a><\/a>4.&nbsp;&nbsp; HiddenWasp<\/h2>\n<p>HiddenWasp, a strain of Linux malware first analyzed in 2019, remotely controls infected systems with an initial deployment script, a trojan, and a rootkit.<\/p>\n<h3><a><\/a>How it works<\/h3>\n<p>The deployment script installs all of the malware components on the computer, starts the trojan and registers the rootkit, a shared library, so that the dynamic loader preloads it into processes (the LD_PRELOAD mechanism). Running inside those processes, the rootkit hooks the library functions that tools such as ps and ls rely on, where <a href=\"https:\/\/www.intezer.com\/blog\/malware-analysis\/hiddenwasp-malware-targeting-linux-systems\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">it hides the existence<\/a> of the trojan. 
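<\/p>\n<p>What that hiding looks like from the defender\u2019s side, as an added example that is not from the original post or from the Intezer analysis: a user-mode rootkit of this kind gets into every new process through the dynamic loader\u2019s preload list, so the check is to list every preloaded library (system-wide in /etc/ld.so.preload and per process in the LD_PRELOAD variable), compare it with the libraries an administrator knowingly preloads, and cross-check the process list that ps reports against a direct reading of /proc, since a process that only the direct reading shows is being hidden. The inputs below are constructed stand-ins for those files, the allow-list is an assumption, and the library names are invented for the example.<\/p>

```python
# Added example, not code from the original post or from the Intezer analysis:
# checks for the preload technique a user-mode Linux rootkit uses to hide a
# trojan. The dynamic loader loads every library named in /etc/ld.so.preload
# and in a process's LD_PRELOAD variable into each new process, where it can
# hook libc functions such as readdir and stat and filter what ps, ls and
# similar tools get to see. The inputs are constructed stand-ins for those
# files so the script runs offline; on a live host read the real files.
import os

# Libraries an administrator has knowingly preloaded (assumption for the example).
KNOWN_PRELOADS = {'libjemalloc.so.2'}

# Constructed stand-in for /etc/ld.so.preload: a whitespace-separated list of paths.
PRELOAD_FILE = '''
/usr/lib/libjemalloc.so.2
/lib/libsystem-helper.so
'''

# Constructed stand-ins for /proc/<pid>/environ, which is NUL separated.
ENVIRONS = {
    1234: 'PATH=/usr/bin' + chr(0) + 'LD_PRELOAD=/tmp/.x/libhook.so' + chr(0),
    4321: 'HOME=/root' + chr(0) + 'LANG=C' + chr(0),
}

# Constructed process views: what ps printed versus the directory entries of /proc.
PS_PIDS = [1, 1234, 4321]
PROC_PIDS = [1, 1234, 4321, 9999]


def suspicious_preloads(preload_file_text, environs):
    '''Return the sorted paths of libraries preloaded system-wide or per process
    whose file name is not on the allow-list.'''
    found = set(preload_file_text.split())
    for env in environs.values():
        for entry in env.split(chr(0)):
            if entry.startswith('LD_PRELOAD='):
                # LD_PRELOAD separates entries with spaces or colons.
                value = entry[len('LD_PRELOAD='):]
                found.update(value.replace(':', ' ').split())
    return sorted(p for p in found if os.path.basename(p) not in KNOWN_PRELOADS)


def hidden_pids(pids_seen_by_ps, pids_in_proc):
    '''PIDs present in a direct /proc listing but missing from ps output. The
    preload rootkit filters the readdir results that ps relies on; a raw
    listing taken by an unhooked process does not pass through that filter.'''
    return sorted(set(pids_in_proc) - set(pids_seen_by_ps))


if __name__ == '__main__':
    for path in suspicious_preloads(PRELOAD_FILE, ENVIRONS):
        print('unexpected preload:', path)
    for pid in hidden_pids(PS_PIDS, PROC_PIDS):
        print('process hidden from ps:', pid)
```

<p>Run this from a process the rootkit has not touched: a Python interpreter started on the infected host is itself subject to the preload, and a rootkit that hooks fopen can hide its own line in ld.so.preload. A statically linked binary, or the disk mounted from rescue media, gives an honest view.<\/p>\n<p>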
The trojan, in turn, helps the rootkit remain operational.<\/p>\n<p>From there, attackers can execute files, spy on computer usage, change system configurations, and so on \u2014 all while being unseen.<\/p>\n<h2><a><\/a>5.&nbsp;&nbsp; Mirai<\/h2>\n<p>From manufacturing to healthcare, many industries today use the Internet-of-Things (IoT) to help streamline their operations \u2014 and most IoT devices run an embedded Linux. Mirai, the botnet behind the \u201c<a href=\"https:\/\/en.wikipedia.org\/wiki\/DDoS_attack_on_Dyn\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">takedown of the Internet<\/a>\u201d in 2016 (the DDoS attack on the DNS provider Dyn), takes advantage of this by hijacking IoT hardware to launch DDoS attacks.<\/p>\n<h3><a><\/a>How it works<\/h3>\n<p>Mirai is a self-replicating worm: each bot scans the internet for IoT devices exposing Telnet (TCP ports 23 and 2323), tries a built-in list of factory-default usernames and passwords, and infects any device that accepts one. Once infected, the devices take their orders from a central set of command and control (C&amp;C) servers, chiefly to launch DDoS attacks.<\/p>\n<p>While the original Mirai botnet is no longer around, its source code, leaked in late 2016, lives on in <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/the-ghosts-of-mirai\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">several other botnet variants<\/a> including Hajime, SYLVEON, and SORA.<\/p>\n<h2><a><\/a>Stop Linux malware from getting a hold on your organization<\/h2>\n<p>It may be true that Linux is more secure than most other operating systems, but make no mistake \u2014 Linux malware exists, and can have devastating effects on SMBs.<\/p>\n<p>While we have given a brief overview of five Linux malware families, there are dozens more out there, each with their own unique <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/payload\/#:~:text=In%20cybersecurity%2C%20a%20payload%20is,not%20the%20email%20or%20document).\">payload<\/a>. 
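<\/p>\n<p>Detection logic for the scanning phase of Mirai described in section 5, as an added example that is not part of the original post: a bot sweeps the network for Telnet on TCP ports 23 and 2323 before it tries any passwords, so one internal source opening connections to many distinct hosts on those ports within a short window is the signature of an infected device. The flow records, addresses and thresholds below are constructed for the example.<\/p>

```python
# Added example, not code from the original post: flags the Telnet sweep that
# precedes a Mirai-style credential attack. Each bot scans for TCP/23 and
# TCP/2323 across many addresses, so a source that reaches an unusual number
# of distinct hosts on those ports inside a short window is an infected device.
# The flow records below are constructed (NetFlow-like tuples); point the
# function at exported flows from a firewall or collector instead.
from collections import defaultdict

TELNET_PORTS = {23, 2323}
BASE = 1654700000  # constructed epoch seconds (8 June 2022)

# (unix_time, source, destination, destination port)
FLOWS = [
    # infected camera sweeping the 10.0.9.0/24 range within a few seconds
    (BASE + 0, '10.0.8.21', '10.0.9.1', 23),
    (BASE + 1, '10.0.8.21', '10.0.9.2', 23),
    (BASE + 2, '10.0.8.21', '10.0.9.3', 2323),
    (BASE + 3, '10.0.8.21', '10.0.9.4', 23),
    (BASE + 4, '10.0.8.21', '10.0.9.5', 23),
    (BASE + 5, '10.0.8.21', '10.0.9.6', 2323),
    # admin workstation: two switches over Telnet, then a web console
    (BASE + 100, '10.0.1.5', '10.0.2.1', 23),
    (BASE + 130, '10.0.1.5', '10.0.2.2', 23),
    (BASE + 140, '10.0.1.5', '10.0.3.9', 443),
    # monitoring box polling one device repeatedly: one target, not a sweep
    (BASE + 200, '10.0.8.50', '10.0.9.77', 23),
    (BASE + 201, '10.0.8.50', '10.0.9.77', 23),
    (BASE + 202, '10.0.8.50', '10.0.9.77', 23),
    (BASE + 203, '10.0.8.50', '10.0.9.77', 23),
    (BASE + 204, '10.0.8.50', '10.0.9.77', 23),
    # slow host touching five devices, but minutes apart: outside the window
    (BASE + 0, '10.0.8.40', '10.0.9.11', 23),
    (BASE + 150, '10.0.8.40', '10.0.9.12', 23),
    (BASE + 300, '10.0.8.40', '10.0.9.13', 23),
    (BASE + 450, '10.0.8.40', '10.0.9.14', 23),
    (BASE + 600, '10.0.8.40', '10.0.9.15', 23),
]


def telnet_scanners(flows, window=60, min_targets=5):
    '''Return {src: distinct Telnet targets in its busiest window} for every
    source that reached at least min_targets distinct hosts on a Telnet port
    within any span of window seconds.'''
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in TELNET_PORTS:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        counts = defaultdict(int)  # distinct targets inside the current window
        start = 0
        best = 0
        for ts, dst in events:
            counts[dst] += 1
            # slide the window start forward until it lies within window seconds
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                start += 1
            best = max(best, len(counts))
        if best >= min_targets:
            scanners[src] = best
    return scanners


if __name__ == '__main__':
    for src, targets in telnet_scanners(FLOWS).items():
        print('telnet sweep from', src, ':', targets, 'distinct targets in 60 s')
```

<p>The sliding window is what keeps the admin workstation and the monitoring poller out of the result: a handful of Telnet sessions, or many sessions to one host, are normal; dozens of distinct targets in a minute are not. Pair the alert with an inventory check that the devices on your network no longer accept their factory-default Telnet logins, since that is all Mirai needs.<\/p>\n<p>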
From ransomware and rootkits to trojans and botnets, there\u2019s a slew of threats SMBs using Linux need to protect themselves against.<\/p>\n<p>With <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\/server-security\">Malwarebytes EDR for Linux<\/a>, you can simplify protection, detection, and response capabilities across your entire organization. Even brand-new, unidentified Linux malware can typically be eliminated before it can impact your data center servers.<\/p>\n<p>Additionally, applying in-depth insights from our proprietary Linking Engine remediation technology, Malwarebytes thoroughly and permanently removes both the infection and any malware artifacts, delivering lethal \u201cone-and-done\u201d remediation.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/business\/edr\/capabilities\">Learn more<\/a> about Malwarebytes EDR.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/resources\/files\/2020\/04\/endpoint-protection-for-servers-data-sheet.pdf\">Read the data sheet<\/a>.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/business-2\/2022\/06\/5-linux-malware-families-smbs-should-protect-themselves-against\/\">5 Linux malware families SMBs should protect themselves against<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Bill Cozens| Date: Wed, 08 Jun 2022 13:43:32 +0000<\/strong><\/p>\n<p>In this post, we\u2019ll give you an overview of five Linux malware families your SMB should be protecting itself against \u2014 and how they work.<\/p>\n<p>The post <a rel=\"nofollow\" 
href=\"https:\/\/blog.malwarebytes.com\/business-2\/2022\/06\/5-linux-malware-families-smbs-should-protect-themselves-against\/\">5 Linux malware families SMBs should protect themselves against<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10410,1001,21882,3765,11002,12321],"class_list":["post-19289","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-botnet","tag-business","tag-linux-malware","tag-ransomware","tag-rootkit","tag-smb"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19289"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19289\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19289"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}