Report: Linux malware and cloud misconfigurations top cybersecurity threats

A new report published by Trend Micro revealed that Linux malware and cloud misconfigurations make up some of the top cybersecurity threats facing organizations over the first half of 2022.

Trend Micro’s midyear cybersecurity report, “Defending the Expanding Attack Surface,” highlighted some of the key threats that dominated the first six months of the year, such as malware-as-a-service (MaaS), ransomware-as-a-service (RaaS), cloud misconfigurations, and cryptocurrency mining attacks.

Linux malware

According to the Trend Micro report, ransomware attacks against Linux systems in the first half of 2022 spiked 75% over the first half of 2021.

Last July, LockBit 2.0 ransomware-as-a-service (RaaS) developed and added Linux-based malware used to target vulnerable VMWare ESXi virtual machines. According to a Federal Bureau of Investigation (FBI) alert, the threat actors used both publicly available and custom tools to exfiltrate data followed by encryption using the Lockbit malware.

Moreover, TrendMicro discovered another Linux-based malware variant dubbed Cheerscrypt that targeted ESXi servers and was also based on leaked Babuk source code.

Other RaaS threats

In addition to LockBit, two other Linux malware strains, Conti and BlackCat, also showed a significant increase in RaaS cyberattacks over the previous year, according to Trend Micro’s Smart Protection Network:

Source: Trend Micro Smart Protection Network

Earlier this year, the FBI had released a report on BlackCat (also known as ALPHV) RaaS, that had compromised at least 60 entities worldwide as of March 2022. BlackCat was also the first ransomware group that had used RUST, a secure programming language designed for performance and reliable concurrent processing.

Cloud misconfigurations

Attackers also looked to actively exploit misconfigurations in cloud-based infrastructure, such as containers and/or Kubernetes deployments.

“In recent years, cloud-based containers have enabled organizations to optimize their processes and development cycles. Because of the ubiquity of these containers and the fact that many such platforms are misconfigured, they continue to be targeted by cybercriminals,” Trend Micro explained in the report.

“Earlier this year, we investigated Kubernetes clusters that were publicly exposed via port 10250 and found that 243,469 cluster nodes were exposed and identified on Shodan. Out of these, approximately 600 nodes returned the ‘200 – OK’ notification when queried,” Trend Micro added.

As a result, an attacker could abuse such nodes by installing malware via the kubelet API.

Readers can also check out the full 50-page Trend Micro report here.

Related Articles