Linux Systems Caught In Targeted Attack Crosshairs

Linux, the operating system built and maintained by a cadre of volunteers who make up the open source community, has been relatively immune to dangerous threats. New research into a menacing targeted attack toolkit built for Windows PCs, however, identified components that suggest Linux users are also in its crosshairs.

An analysis of new malware samples associated with the Turla targeted attack toolkit uncovered the first components focused on the Linux operating system. Clues uncovered in the malware parallel the complex code associated with the Snake cyberespionage operation, which is said to have infiltrated some systems operated by the U.S. Department of Defense, as well as defense contractors and other organizations in the U.K. and other Western European countries, according to new Kaspersky Lab analysis of Turla released on Monday.

Kaspersky Lab said the Linux components are supported by a hidden network of communications and have broad functionality to execute a variety of commands and be remotely controlled by the attackers. The malware, believed to be fairly new, doesn't need deep "root" access into systems to remain stealthy, according to Kaspersky, and appears to support ongoing cyberespionage activity, functioning as a file server.

"Although Linux variants from the Turla framework were known to exist, we haven't seen any in the wild yet," according to the Kaspersky Lab analysis. "This specific module appears to have been put together from public sources with some added functionality from the attackers."

Linux systems and open source implementations are not immune to attack. Security researchers have focused heavily on open source software in 2014. Heartbleed, Shellshock and Poodle exposed the widespread use of open source components in networking devices and other embedded systems.

The media attention and awareness level of these threats forced vendors to scramble to issue patches, with more than 800 products impacted by the Shellshock flaw alone, according to a vulnerability report sent out on Tuesday by patch management vendor Secunia. The vendor said a new round of OpenSSL updates in August got less attention and, as a result, vendors issued far fewer security updates.

"With the hype gone, less than 20 vendors took the time to disclose and patch some 50 products," Secunia said in its report, adding that some products impacted by the threats continue to go undisclosed.

Solution providers said well-funded targeted attack campaigns have the resources to gain access to just about any system, regardless of the protections in place to defend against dangerous attacks. Cyberattackers don't typically focus on Linux because there are fewer people using it and, as a result, there is less money to be made, said Jason Tierney, founder and CEO of Bethesda, Md.-based BeyondIT Consulting LLC. The footprint is smaller and the business case can't be made to develop exploits to target it, Tierney said.

"Cybercriminals go where the money is, but targeted attack campaigns and government cyberespionage attacks are a completely different story," Tierney said. "If there's a need to get at a specific target, you bet the resources are available to get at it."

Secunia's report lists Google Chrome at the top of the list of discovered and disclosed vulnerabilities in recent months. Apple, Oracle and VMware also are consistently on the vulnerability disclosure list.

Secunia also identified IBM products as frequently needing security updates to address known vulnerabilities, due to the company's process of bundling products with third-party software that is often vulnerable, such as Java and OpenSSL.

PUBLISHED DEC. 9, 2014