Linux might not be as safe as we thought

Linux security might be put at risk by its users, who are just as subject to social engineering attacks by bad actors as anyone else.
19 May 2023

Linux servers are known for their better security compared to commercial operating systems. However, what’s the easiest way for hackers to gain access to Linux systems?

Linux users.

Pakistani-based threat actor Transparent Tribe is targeting Indian government agencies in exactly this way. The group has been active since 2013; it does not pose a sophisticated threat, but it is persistent, continuously developing new operational strategies.

Also tracked as APT36, Operation C-Major, PROJECTM and Mythic Leopard, Transparent Tribe has a record of targeting Indian government organizations, military personnel, defense contractors, and educational entities.

Social engineering is the primary attack vector used by Transparent Tribe. Linux users are the weakest part of a Linux system’s security – they might be lulled into complacency by the assumption that the operating system alone is protection enough.

At the same time, Linux users tend to be in positions of power or importance within an agency – they’re often developers or systems administrators. Most recently, the Pakistan-based hackers targeted the two-factor authentication tool used by the Indian government, Kavach, to deliver the Linux backdoor called Poseidon.

“Poseidon is a second-stage payload malware associated with Transparent Tribe,” Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week.

“It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways.”

This is indicative of a new approach from the Pakistani APT (advanced persistent threat), expanding its targets beyond the Windows and Android ecosystems.

Linux users are its biggest security risk

The malware is primarily distributed through malicious websites disguised as legitimate Indian government sites.

“Uptycs research found that the malware infrastructure, such as malicious domains, is linked to earlier APT-36 campaigns. This highlights the group’s continued focus on the aforementioned Indian targets. Repercussions of this APT-36 attack could be significant, leading to loss of sensitive information, compromised systems, financial losses, and reputational damage.”

Some best practices for protection from this type of attack include:

  • Be cautious of unsolicited emails; verify sender’s authenticity before opening attachments or clicking links.
  • Regularly update software and operating systems with the latest patches and security updates.
  • Use reputable antivirus software and keep it updated.
  • Use strong and unique passwords; enable multifactor authentication where possible.

Uptycs has also published a list of IOCs (indicators of compromise) to help determine whether or not an organization is infected.
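The article refers to the Uptycs IOC list but does not reproduce it. As an added illustration of how a defender would put such a list to use (this is example code written for this page, not Uptycs tooling, and the domains, hash and log lines are constructed placeholders rather than real indicators), the script below matches a small set of domain and SHA-256 indicators against DNS, proxy and file-integrity log lines, treating any subdomain of a listed domain as a hit:

```python
import re

# Constructed placeholder indicators. Replace with the published IOC list;
# the ".invalid" TLD and all-zero hash are deliberately non-real values.
IOC_DOMAINS = {
    "example-ioc-domain.invalid",
    "fake-gov-portal.invalid",
}
IOC_SHA256 = {
    "0" * 64,  # placeholder hash, not a real sample
}

# A dotted host name (also matches IPv4 literals, which simply never hit the set)
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def parent_domains(host):
    """Yield the host and each parent domain (but never the bare TLD),
    so that login.fake-gov-portal.invalid matches fake-gov-portal.invalid."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def scan_line(line, ioc_domains=IOC_DOMAINS, ioc_hashes=IOC_SHA256):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for m in DOMAIN_RE.finditer(line):
        for candidate in parent_domains(m.group(1)):
            if candidate in ioc_domains:
                hits.append(("domain", candidate))
                break
    for m in SHA256_RE.finditer(line):
        digest = m.group(0).lower()
        if digest in ioc_hashes:
            hits.append(("sha256", digest))
    return hits


def scan_logs(lines):
    """Return (line_number, line, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines in the style of DNS, FIM and proxy logs.
SAMPLE_LOGS = [
    "2023-05-19 10:01:02 dns client=10.0.0.5 query=www.example.org type=A",
    "2023-05-19 10:01:05 dns client=10.0.0.7 query=login.fake-gov-portal.invalid type=A",
    "2023-05-19 10:02:11 fim path=/tmp/.cache/update sha256=" + "0" * 64,
    "2023-05-19 10:03:00 proxy client=10.0.0.9 host=example-ioc-domain.invalid status=200",
]

if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
        print(f"    {line}")
```

Matching parent domains rather than exact strings is the point worth noting: attackers routinely rotate subdomains under a single registered domain, so an exact-match check against the published list would miss most of the traffic that a suffix match catches.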

Particularly in high-risk workplaces, security needs to be at the forefront of operations, even if the operating system appears to be secure.