Saturday, November 2, 2024
HomeLinuxHackers Abuse Native Linux Tools to Launch Attacks On Linux Systems

Hackers Abuse Native Linux Tools to Launch Attacks On Linux Systems

Published on

Malware protection

Across a wide variety of organizations around the world, container adoption has shown signs of becoming mainstream over the last few years.

Since container orchestration projects like Kubernetes and other tools available in the cloud have been developed in recent years, a wave of transformations has occurred in how organizations operate. 

The application of microservices-based architectures rather than monolithic architectures is a feature that has become increasingly popular in the development of distributed systems.

- Advertisement - SIEM as a Service

As a consequence of these changes, however, there has also been an increase in the attack surface, which is a problem. Specifically through security misconfigurations and vulnerabilities introduced during deployment that lead to security threats and compromises.

Because of this, hackers are launching attacks on Linux environments by exploiting native Linux tools. 

Attacks Using Legitimate Tools

There is typically a standard exploitation chain that is followed by an attacker when attacking a Linux-based system. The first step in gaining access to an environment is for an attacker to exploit a vulnerability. 

According to the Trend Micro report, in order to gain access to further areas of the compromised system, an attacker may follow different paths:-

  • The current environment of the organization is described by enumerating its context.
  • Data exfiltration from an environment that contains sensitive information.
  • Disabling the application and causing a denial-of-service attack.
  • Downloading miners and mining cryptocurrency.
  • Experimenting with other techniques, such as:-
  • Privilege Escalation
  • Lateral Movement
  • Persistence
  • Credential Access

Threat actors use various tools that come bundled with Linux distributions to accomplish this goal. Here below we have mentioned the tools that are abused:-

  • curl
  • wget
  • chmod
  • chattr
  • ssh
  • base64
  • chroot
  • crontab
  • ps
  • pkill

Decoding strings encoded in base64 format is done with the base64 tool, which is a Linux utility. In order to avoid detection, attackers often use base64 encoding to obfuscate their payloads and commands.

Users’ bash shell commands are logged in their .bash history file, which is located in their home directory. An attacker chose to make use of the Visual One workbench, chroot, and base64 utilities to execute malicious code.

The chroot tool is used to change the root to the directory supplied (in this case, /host), where the underlying host’s file system is mounted within the container.

Recommendations

There is no doubt that attackers are using tools and utilities that are inherent to an OS, so defenders will have to think about what controls they want to have in place during the different phases of the attack so that they can stay ahead of the attackers.

Here below we have mentioned all the recommendations to mitigate such threats:-

  • Make sure to use distroless images.
  • Cloud One Workload Security – Application Control.
  • Make sure that unrecognized software is blocked until explicit permission has been given.
  • Until explicitly blocked, allow unrecognized software to run on your system.

Download Free SWG – Secure Web Filtering – E-book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

10 Best Linux Distributions In 2024

The Linux Distros is generally acknowledged as the third of the holy triplet of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Earth Lusca Using Multiplatform Backdoor to Attack Windows & Linux Machines

Earth Lusca is a suspected China-based cyber espionage group active since at least April...