Trend Micro has released its Linux Threat Report for the first half of 2021, revealing the most common security flaws exploited on the open-source operating system.
The company analysed more than 13 million events identified and flagged by its sensors in its Deep Security and Trend Micro Cloud One Workload Security products.
From this data, it identified the top 10 malware families, which it then consolidated into threat types.
The most common threat types were coinminers, followed by web shells, ransomware, and trojans.
“Given that the cloud holds a seemingly endless amount of computing power, hackers have a clear motive in stealing computing resources to run their cryptocurrency mining activities,” Trend Micro explained.
“We also saw ransomware as a prevalent Linux threat, and DoppelPaymer, a modern ransomware family that utilised double extortion tactics, is the most prevalent ransomware family based on our data.”
“In our monitoring of the ransomware landscape, we have also recently seen other ransomware variants that were targeting Linux systems such as RansomExx, DarkRadiation, and even DarkSide,” it added.
The top four Linux distributions where these malware families were found were CentOS Linux, CloudLinux Server, Ubuntu Server, and Red Hat Enterprise Linux Server.
The charts below show the prevalence of the top four threat types and the top four distributions targeted.
Trend Micro also dissected 50 million IPS (Intrusion Prevention System) hits from more than 100,000 unique Linux hosts running Trend Micro Cloud One – Workload Security to identify the most commonly exploited vulnerabilities in the OS.
It looked at the triggers for vulnerabilities known to be actively exploited or to have a known proof of concept, and identified the top 15 Common Vulnerabilities and Exposures (CVEs).
These vulnerabilities are listed in the table below, sorted by the volume of triggers.
Top 15 Linux vulnerabilities on Trend Micro Cloud One Workload Security

|Vulnerability|CVE|Severity|
|---|---|---|
|Apache Struts2 remote code execution (RCE) vulnerability|CVE-2017-5638|Critical|
|Apache Struts 2 REST plugin XStream RCE vulnerability|CVE-2017-9805|High|
|Drupal Core RCE vulnerability|CVE-2018-7600|Critical|
|Oracle WebLogic server RCE vulnerabilities|CVE-2020-14750|Critical|
|WordPress file manager plugin RCE vulnerability|CVE-2020-25213|Critical|
|vBulletin ‘subwidgetConfig’ unauthenticated RCE vulnerability|CVE-2020-17496|Critical|
|SaltStack salt authorization weakness vulnerability|CVE-2020-11651|Critical|
|Apache Struts OGNL expression RCE vulnerability|CVE-2017-12611|Critical|
|Eclipse Jetty chunk length parsing integer overflow vulnerability|CVE-2017-7657|Critical|
|Alibaba Nacos AuthFilter authentication bypass vulnerability|CVE-2021-29441|Critical|
|Atlassian Jira information disclosure vulnerability|CVE-2020-14179|Medium|
|Nginx crafted URI string handling access restriction bypass vulnerability|CVE-2013-4547|N/A|
|Apache Struts 2 RCE vulnerability|CVE-2019-0230|Critical|
|Apache Struts OGNL expression RCE vulnerability|CVE-2018-11776|High|
|Liferay portal untrusted deserialization vulnerability|CVE-2020-7961|Critical|
Trend Micro said that even though an estimated 20,000 vulnerabilities were reported in 2020 alone, many of which affect Linux or the Linux application stack, only 200 of those vulnerabilities have publicly known exploits and were observed being exploited.
“Striving to prioritise the patching of these vulnerabilities should be an approach baked into any organization’s security practices,” Trend Micro stated.