13 million malware attacks on Linux seen in wild

by Joseph K. Clark

Linux-based operating systems are being targeted more and more frequently by malicious actors, largely thanks to the prevalence of Linux in public cloud workloads. More than 13 million attempted malware attacks on Linux systems were detected between January and June 2021 alone, according to Trend Micro analysis.

In its newly published report, “Linux threat report 2021 1H: Linux threats in the cloud and security recommendations”, which is available in full here, Trend Micro’s analysts detail how cybercriminals are following organizations that have upped their use of cloud services during the pandemic.

Because the vast majority of public cloud workloads run on Linux, the operating system has become the critical driver behind virtually every single digital transformation project currently undertaken. As such, this makes the security of Linux environments ever-more critical as malicious actors take an interest.

“It’s safe to say that Linux is here to stay, and as organizations continue to move to Linux-based cloud workloads, malicious actors will follow,” said Aaron Ansari, vice-president of cloud security at Trend Micro.

“We have seen this as a main priority to ensure our customers receive the best security across their workloads, no matter the operating system they choose to run it on.”

Trend Micro found that 25% of the malware currently hitting Linux servers consists of crypto miners. It said this should be no surprise, because the cloud holds a “seemingly endless” amount of computing power, making it the perfect environment for illicit cryptocurrency mining.

The second most widespread type of malware seen was web shells, accounting for 20% of attacks – recent and ongoing attacks on Microsoft Exchange servers have highlighted the importance of protecting against web shells.

The third most commonly observed attacks were from ransomware, accounting for 12% of incidents. The most prevalent variety targeting Linux environments was DoppelPaymer, although others, such as RansomExx, DarkRadiation, and DarkSide, were also fairly widespread.

The Linux distribution most affected by these threats was CentOS Linux, which accounted for just under 51% of incidents – in part because versions 7.4 to 7.9 of CentOS have reached end-of-life. CloudLinux Server accounted for 31.2% of incidents, Ubuntu Server for 9.6%, and Red Hat Enterprise Linux Server for 2.7%.

Tim Mackey, the principal security strategist at the Synopsys Cybersecurity Research Centre, said that given the foundational nature of Linux for cloud computing and technologies such as Docker and Kubernetes, a solid understanding of the associated security issues and requirements should be an essential part of a sysadmin’s or SRE’s role in a DevOps team.

“Increasingly, securing Linux systems means securing the application layer and understanding the latent security risks present in pre-packaged runtime environments like those of VMs and containers,” he said. “Addressing these risks requires a systematic approach employing continuous improvement methodologies based on an understanding of how weaknesses in code and configurations contribute to exploitable environments.”