Biggest Linux security exploits revealed

Trend Micro has released its Linux Threat Report for the first half of 2021, revealing the most common security flaws exploited on the open-source operating system.

The company analysed more than 13 million events identified and flagged by its sensors in its Deep Security and Trend Micro Cloud One – Workload Security products.

From this data, it identified the top 10 malware families, which it then consolidated into threat types.

The most common threat types were coinminers, followed by web shells, ransomware, and trojans.

“Given that the cloud holds a seemingly endless amount of computing power, hackers have a clear motive in stealing computing resources to run their cryptocurrency mining activities,” Trend Micro explained.

“We also saw ransomware as a prevalent Linux threat, and DoppelPaymer, a modern ransomware family that utilised double extortion tactics, is the most prevalent ransomware family based on our data.”

“In our monitoring of the ransomware landscape, we have also recently seen other ransomware variants that were targeting Linux systems such as RansomExx, DarkRadiation, and even DarkSide,” it added.

The top four Linux distributions where these malware families were found were CentOS Linux, CloudLinux Server, Ubuntu Server, and Red Hat Enterprise Linux Server.

The charts below show the prevalence of the top four threat types and the top four distributions targeted.

Trend Micro also dissected 50 million IPS (Intrusion Prevention System) hits from more than 100,000 unique Linux hosts running Trend Micro Cloud One – Workload Security to identify the most commonly exploited vulnerabilities in the OS.

It looked at the triggers for vulnerabilities known to be actively exploited or to have a known proof of concept, and identified the top 15 Common Vulnerabilities and Exposures (CVEs).

These vulnerabilities are listed in the table below, sorted by the volume of triggers.

Top 15 Linux vulnerabilities on Trend Micro Cloud One – Workload Security (sorted by volume of triggers)

Vulnerability                                                              CVE             Severity
Apache Struts2 remote code execution (RCE) vulnerability                   CVE-2017-5638   Critical
Apache Struts 2 REST plugin XStream RCE vulnerability                      CVE-2017-9805   High
Drupal Core RCE vulnerability                                              CVE-2018-7600   Critical
Oracle WebLogic server RCE vulnerabilities                                 CVE-2020-14750  Critical
WordPress file manager plugin RCE vulnerability                            CVE-2020-25213  Critical
vBulletin ‘subwidgetConfig’ unauthenticated RCE vulnerability              CVE-2020-17496  Critical
SaltStack salt authorization weakness vulnerability                        CVE-2020-11651  Critical
Apache Struts OGNL expression RCE vulnerability                            CVE-2017-12611  Critical
Eclipse Jetty chunk length parsing integer overflow vulnerability          CVE-2017-7657   Critical
Alibaba Nacos AuthFilter authentication bypass vulnerability               CVE-2021-29441  Critical
Atlassian Jira information disclosure vulnerability                        CVE-2020-14179  Medium
Nginx crafted URI string handling access restriction bypass vulnerability  CVE-2013-4547   N/A
Apache Struts 2 RCE vulnerability                                          CVE-2019-0230   Critical
Apache Struts OGNL expression RCE vulnerability                            CVE-2018-11776  High
Liferay portal untrusted deserialization vulnerability                     CVE-2020-7961   Critical

Trend Micro said that even though there were an estimated 20,000 vulnerabilities reported in 2020 alone — many of which affect Linux or the Linux application stack — only 200 of those vulnerabilities have publicly known exploits and were observed being triggered.

“Striving to prioritise the patching of these vulnerabilities should be an approach baked into any organization’s security practices,” Trend Micro stated.
