Threat Watch

Chinese Nation-State Hackers Targeting Linux Servers

China: A report by BlackBerry found that many Linux servers are being attacked by Chinese state-backed threat actors and have been for roughly ten years. Although only 1.7% of all operating systems across workstations and servers are Linux-based, Linux is commonly used on servers throughout enterprises and on the top 500 supercomputers in the world. Because of the small share of Linux-based systems and the diversity of distributions and configurations, there are fewer security monitoring products and services available for them. At least five different Chinese Advanced Persistent Threats (APTs) have been targeting Linux servers within corporations since 2012. The toolset that researchers discovered on the Linux machines is just as old as the attacks, but because Linux is not at the top of the list for security, these systems are commonly overlooked, allowing the attackers to remain persistent without being detected.

ANALYST NOTES

Updating and securing Linux servers may be overlooked by some organizations, especially if the servers are not client-facing. Linux servers that provide Virtual Private Networking (VPN), web server or database functionality are typically connected to the Internet all the time. That makes Linux servers attractive targets: attackers know they can reliably use such a server as a “beachhead,” a foothold from which to launch attacks on the rest of the company’s network, often without the organization noticing. It is important for defenders not to overlook the security of their Linux servers. Security updates should be applied as soon as they are available, and system logs should be monitored for any unusual behavior that could indicate an attack. Utilizing an endpoint protection service that supports Linux, such as the Binary Defense Managed Endpoint Detection and Response service, will allow defenders to be alerted to abnormal behavior occurring on these servers and prevent an initial compromise from causing long-term damage. More on this report can be read here: https://www.forbes.com/sites/daveywinder/2020/04/07/linux-security-chinese-state-hackers-have-compromised-holy-grail-targets-since-2012/
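The analyst note recommends monitoring system logs for unusual behavior. As an added illustration of what that can look like in practice (this is example code written for this page, not part of the BlackBerry report or any Binary Defense product), the script below parses a handful of constructed Debian/Ubuntu-style auth.log lines and applies three simple rules a defender might start with: a successful SSH login preceded by a burst of failures from the same source address, a password-based login as root, and the creation of a new local account. The log lines, host name, user names and IP addresses are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines for this example (not real data from the report).
SAMPLE_AUTH_LOG = """\
Apr  7 02:14:01 web01 sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Apr  7 02:14:03 web01 sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Apr  7 02:14:05 web01 sshd[2203]: Failed password for admin from 198.51.100.23 port 51030 ssh2
Apr  7 02:14:07 web01 sshd[2205]: Failed password for root from 198.51.100.23 port 51041 ssh2
Apr  7 02:14:09 web01 sshd[2207]: Failed password for root from 198.51.100.23 port 51055 ssh2
Apr  7 02:14:12 web01 sshd[2209]: Accepted password for root from 198.51.100.23 port 51060 ssh2
Apr  7 02:15:40 web01 useradd[2250]: new user: name=svcupd, UID=1003, GID=1003, home=/home/svcupd, shell=/bin/bash
Apr  7 09:30:44 web01 sshd[3110]: Accepted publickey for deploy from 10.0.0.5 port 40122 ssh2
"""

# Generic syslog line: "<Mon> <day> <HH:MM:SS> <host> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd authentication outcome lines
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# useradd records new accounts as "new user: name=<user>, UID=..."
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+)")


def parse_events(log_text):
    """Turn raw syslog-style auth lines into event dicts; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine
        # for computing time differences within a single log file
        ts = datetime.strptime(" ".join(m["stamp"].split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=4, window=timedelta(minutes=5)):
    """Apply three example rules and return a list of alert dicts in log order."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of failed logins

    for ev in events:
        if ev["proc"] == "sshd":
            m = SSHD_RE.match(ev["msg"])
            if not m:
                continue
            if m["result"] == "Failed":
                failures[m["ip"]].append(ev["ts"])
                continue
            # Rule 1: success shortly after a burst of failures from the same source
            recent = [t for t in failures[m["ip"]] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "brute_force_success", "ip": m["ip"],
                               "user": m["user"], "ts": ev["ts"], "failures": len(recent)})
            # Rule 2: interactive root login with a password rather than a key
            if m["user"] == "root" and m["method"] == "password":
                alerts.append({"rule": "root_password_login", "ip": m["ip"],
                               "user": m["user"], "ts": ev["ts"]})
        elif ev["proc"] == "useradd":
            # Rule 3: a new local account appeared on the server
            m = USERADD_RE.match(ev["msg"])
            if m:
                alerts.append({"rule": "account_created", "user": m["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_AUTH_LOG)):
        print(alert)
```

Running the script on the constructed sample yields three alerts: the root login at 02:14:12 is flagged both as a brute-force success (five failures from 198.51.100.23 in the preceding five minutes) and as a password login for root, and the useradd entry is flagged as a new account. The 09:30 key-based login by `deploy` from an internal address produces nothing, which is the point of the rules: they surface the small set of events worth a human look rather than every line.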