Sunday, May 19, 2024

Hackers Abuse Native Linux Tools to Launch Attacks On Linux Systems

Across a wide variety of organizations around the world, container adoption has shown signs of becoming mainstream over the last few years.

Since container orchestration projects like Kubernetes and other tools available in the cloud have been developed in recent years, a wave of transformations has occurred in how organizations operate. 

The application of microservices-based architectures rather than monolithic architectures is a feature that has become increasingly popular in the development of distributed systems.

As a consequence of these changes, however, there has also been an increase in the attack surface, which is a problem. Specifically through security misconfigurations and vulnerabilities introduced during deployment that lead to security threats and compromises.

Because of this, hackers are launching attacks on Linux environments by exploiting native Linux tools. 

Attacks Using Legitimate Tools

There is typically a standard exploitation chain that is followed by an attacker when attacking a Linux-based system. The first step in gaining access to an environment is for an attacker to exploit a vulnerability. 

According to the Trend Micro report, in order to gain access to further areas of the compromised system, an attacker may follow different paths:-

  • The current environment of the organization is described by enumerating its context.
  • Data exfiltration from an environment that contains sensitive information.
  • Disabling the application and causing a denial-of-service attack.
  • Downloading miners and mining cryptocurrency.
  • Experimenting with other techniques, such as:-
  • Privilege Escalation
  • Lateral Movement
  • Persistence
  • Credential Access

Threat actors use various tools that come bundled with Linux distributions to accomplish this goal. Here below we have mentioned the tools that are abused:-

  • curl
  • wget
  • chmod
  • chattr
  • ssh
  • base64
  • chroot
  • crontab
  • ps
  • pkill

Decoding strings encoded in base64 format is done with the base64 tool, which is a Linux utility. In order to avoid detection, attackers often use base64 encoding to obfuscate their payloads and commands.

Users’ bash shell commands are logged in their .bash history file, which is located in their home directory. An attacker chose to make use of the Visual One workbench, chroot, and base64 utilities to execute malicious code.

The chroot tool is used to change the root to the directory supplied (in this case, /host), where the underlying host’s file system is mounted within the container.


There is no doubt that attackers are using tools and utilities that are inherent to an OS, so defenders will have to think about what controls they want to have in place during the different phases of the attack so that they can stay ahead of the attackers.

Here below we have mentioned all the recommendations to mitigate such threats:-

  • Make sure to use distroless images.
  • Cloud One Workload Security – Application Control.
  • Make sure that unrecognized software is blocked until explicit permission has been given.
  • Until explicitly blocked, allow unrecognized software to run on your system.

Download Free SWG – Secure Web Filtering – E-book


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles