Cryptojacking targeting Linux-based systems

Cryptojacking and evolving ransomware attacks are not only sophisticated and harder to detect but are now also targeting Linux-based operating systems.
14 February 2022
  • VMware report shows cybercriminals expanding their scope by targeting Linux-based operating systems
  • Ransomware is evolving to target Linux host images used to spin workloads in virtualized environments
  • 89% of cryptojacking attacks use XMRig-related libraries

Cryptojacking and ransomware attacks are causing big problems for organizations today. Not only are these attacks becoming more sophisticated and harder to detect, but the damage they cause can also be devastating to an organization.

As businesses move workloads to the cloud, Linux-based operating systems have become a common cloud operating system. This core part of the cloud is now a target for cybercriminals seeking to infiltrate multi-cloud environments.

With most malware countermeasures focused on Windows-based threats, public and private cloud deployments are now vulnerable to cyberattacks targeting Linux-based workloads.

According to VMware’s threat report, Exposing Malware in Linux-based Multi-Cloud Environments, cybercriminals are increasingly using malware that targets Linux-based operating systems. Key findings include:

  • Ransomware is evolving to target Linux host images used to spin workloads in virtualized environments;
  • 89% of cryptojacking attacks use XMRig-related libraries; and
  • More than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly.

For Giovanni Vigna, senior director of threat intelligence at VMware, cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible.

“Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that compromising a single server can deliver the massive payoff and access they’re looking for. Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data. Unfortunately, current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems,” commented Vigna.

As malware targeting Linux-based operating systems increases in both volume and complexity amid a rapidly changing threat landscape, organizations must place a greater priority on threat detection. VMware’s Threat Analysis Unit (TAU) analyzed the threats to Linux-based operating systems in multi-cloud environments, identifying ransomware, cryptominers, and remote access tools as the main threats.

Ransomware, Cryptojacking, and Remote Access Tools

TAU reported that ransomware targeting the cloud is often combined with data exfiltration, implementing a double-extortion scheme that improves the odds of success. A new development shows that ransomware is evolving to target Linux host images used to spin workloads in virtualized environments.

Attackers are now looking for the most valuable assets in cloud environments to inflict the maximum amount of damage to the target. Examples include the Defray777 ransomware family, which encrypted host images on ESXi servers, and the DarkSide ransomware family, which crippled Colonial Pipeline’s networks and caused a nationwide gasoline shortage in the U.S.

When it comes to cryptojacking, most attacks focus on mining the Monero currency (XMR), and VMware TAU discovered that 89% of cryptominers used XMRig-related libraries. For this reason, when XMRig-specific libraries and modules are identified in Linux binaries, it is likely evidence of malicious cryptomining behavior. VMware TAU also observed that defense evasion is the technique most commonly used by cryptominers. Unfortunately, because cryptojacking attacks do not completely disrupt the operations of cloud environments the way ransomware does, they are much more difficult to detect.
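The XMRig heuristic described above, as an added defensive example that is not from the VMware report or this article: a small Python triage script that pulls printable strings out of an ELF binary and matches them against XMRig-related indicators. The indicator pattern list, the Monero-address regex and the sample bytes are constructed assumptions for illustration, not values taken from the page.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List

# Assumed indicator patterns commonly embedded in XMRig builds (constructed, not from the article):
# the binary's own name/banner, stratum pool URLs, the RandomX/CryptoNight algorithm names,
# the donate-level option and a standard 95-character Monero public address.
XMRIG_PATTERNS = {
    "xmrig_name": re.compile(rb"xmrig", re.IGNORECASE),
    "stratum_url": re.compile(rb"stratum\+(tcp|ssl)://"),
    "mining_algo": re.compile(rb"randomx|cryptonight", re.IGNORECASE),
    "donate_flag": re.compile(rb"--donate-level"),
    "monero_addr": re.compile(rb"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
}


def is_elf(data: bytes) -> bool:
    """Only ELF images are of interest for Linux binary triage."""
    return data[:4] == b"\x7fELF"


def extract_strings(data: bytes, min_len: int = 6) -> List[bytes]:
    """Mimic strings(1): runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def xmrig_indicators(data: bytes) -> Dict[str, List[str]]:
    """Map each matched indicator category to the strings that triggered it."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(data):
        for name, pattern in XMRIG_PATTERNS.items():
            if pattern.search(s):
                hits.setdefault(name, []).append(s.decode("ascii"))
    return hits


def looks_like_xmrig(data: bytes) -> bool:
    """Require two independent indicator categories to reduce single-string false positives."""
    return is_elf(data) and len(xmrig_indicators(data)) >= 2


# Constructed sample inputs: a fake ELF header followed by miner-like strings, and a benign one.
SAMPLE_MINER = (b"\x7fELF" + b"\x00" * 12 + b"\x00XMRig/6.x.y (Linux x86_64)\x00"
                + b"\x00stratum+tcp://pool.example.invalid:3333\x00" + b"\x00rx/0 randomx\x00"
                + b"\x00" + b"4A" + b"B" * 93 + b"\x00")
SAMPLE_CLEAN = b"\x7fELF" + b"\x00" * 12 + b"\x00GNU C Library (GNU libc) stable release\x00"

if __name__ == "__main__":
    for arg in sys.argv[1:]:  # usage: python triage.py /path/to/binary ...
        blob = Path(arg).read_bytes()
        print(arg, "XMRig-like" if looks_like_xmrig(blob) else "no XMRig indicators", xmrig_indicators(blob))
```

String hits only show that a binary embeds XMRig code, not that it is running without authorization; confirm against the process owner, its parent, and your change records before treating a hit as an incident.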

When it comes to gaining control and persisting within an environment, malware, webshells, and Remote Access Tools (RATs) can all serve as implants placed by attackers on a compromised system to allow remote access. One of the primary implants used by attackers is Cobalt Strike, a commercial penetration testing and red team tool, along with its recent Linux-based variant, Vermilion Strike.

Since Cobalt Strike is such a ubiquitous threat on Windows, the expansion out to the Linux-based operating system demonstrates the desire of threat actors to use readily available tools that target as many platforms as possible.

TAU discovered more than 14,000 active Cobalt Strike Team Servers on the Internet between February 2020 and November 2021. The total percentage of cracked and leaked Cobalt Strike customer IDs is 56%, meaning that more than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly. The fact that RATs like Cobalt Strike and Vermilion Strike have become commodity tools for cybercriminals poses a significant threat to enterprises.

“Since we conducted our analysis, even more ransomware families were observed gravitating to malware targeting Linux-based systems, with the potential for additional attacks that could leverage the Log4j vulnerabilities,” said Brian Baskin, manager of threat research at VMware.

Baskin also pointed out that as attacks targeting the cloud continue to evolve through methods like cryptojacking, organizations should adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface.