Saturday, February 8, 2025
HomeLinuxHackers Abuse Native Linux Tools to Launch Attacks On Linux Systems

Hackers Abuse Native Linux Tools to Launch Attacks On Linux Systems

Published on

SIEM as a Service

Follow Us on Google News

Across a wide variety of organizations around the world, container adoption has shown signs of becoming mainstream over the last few years.

Since container orchestration projects like Kubernetes and other tools available in the cloud have been developed in recent years, a wave of transformations has occurred in how organizations operate. 

The application of microservices-based architectures rather than monolithic architectures is a feature that has become increasingly popular in the development of distributed systems.

As a consequence of these changes, however, there has also been an increase in the attack surface, which is a problem. Specifically through security misconfigurations and vulnerabilities introduced during deployment that lead to security threats and compromises.

Because of this, hackers are launching attacks on Linux environments by exploiting native Linux tools. 

Attacks Using Legitimate Tools

There is typically a standard exploitation chain that is followed by an attacker when attacking a Linux-based system. The first step in gaining access to an environment is for an attacker to exploit a vulnerability. 

According to the Trend Micro report, in order to gain access to further areas of the compromised system, an attacker may follow different paths:-

  • The current environment of the organization is described by enumerating its context.
  • Data exfiltration from an environment that contains sensitive information.
  • Disabling the application and causing a denial-of-service attack.
  • Downloading miners and mining cryptocurrency.
  • Experimenting with other techniques, such as:-
  • Privilege Escalation
  • Lateral Movement
  • Persistence
  • Credential Access

Threat actors use various tools that come bundled with Linux distributions to accomplish this goal. Here below we have mentioned the tools that are abused:-

  • curl
  • wget
  • chmod
  • chattr
  • ssh
  • base64
  • chroot
  • crontab
  • ps
  • pkill

Decoding strings encoded in base64 format is done with the base64 tool, which is a Linux utility. In order to avoid detection, attackers often use base64 encoding to obfuscate their payloads and commands.

Users’ bash shell commands are logged in their .bash history file, which is located in their home directory. An attacker chose to make use of the Visual One workbench, chroot, and base64 utilities to execute malicious code.

The chroot tool is used to change the root to the directory supplied (in this case, /host), where the underlying host’s file system is mounted within the container.

Recommendations

There is no doubt that attackers are using tools and utilities that are inherent to an OS, so defenders will have to think about what controls they want to have in place during the different phases of the attack so that they can stay ahead of the attackers.

Here below we have mentioned all the recommendations to mitigate such threats:-

  • Make sure to use distroless images.
  • Cloud One Workload Security – Application Control.
  • Make sure that unrecognized software is blocked until explicit permission has been given.
  • Until explicitly blocked, allow unrecognized software to run on your system.

Download Free SWG – Secure Web Filtering – E-book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Ubuntu Officially Available on the Updated Windows Subsystem for Linux

Ubuntu has announced its availability on Microsoft’s new tar-based Windows Subsystem for Linux (WSL)...

Chinese Hackers Attacking Linux Devices With New SSH Backdoor

A sophisticated cyber espionage campaign attributed to the Chinese hacking group DaggerFly has been...

Android Security Update Fixes Linux Kernel RCE Flaw Allow Read/Write Access

On February 3, 2025, Google published its February Android Security Bulletin, which addresses a...