In today's conversation, Craig Rowland joins us to talk about the often overlooked significance of Linux as a key part of global communications and computing infrastructure, and to discuss the various types of threats targeting Linux systems.
Malware, attackers, and techniques on Linux are often very distinct from those seen on Windows; Craig shares insights into all of these from his extensive experience both writing and reverse-engineering Linux malware.
Craig is CEO of Sandfly Security, a New Zealand-based provider of Linux threat behavior scanning tools. Full disclosure: John Salomon is a paid consultant to Sandfly Security.
Notes from the video:
03:48 I can't find a source for the 95% figure, but a 2023 ZDNet article says 90%, which seems to be the most common figure: https://www.zdnet.com/article/linux-has-over-3-of-the-desktop-market-its-more-complicated-than-that/
03:55 Percentage of top million websites running Linux is another interesting statistic, which seems to be well above 90%. For example: https://gitnux.org/linux-statistics/
04:08 https://www.linuxinsider.com/story/the-flying-penguin-linux-in-flight-entertainment-systems-65541.html etc. etc.
05:54 France's Gendarmerie Nationale: https://en.wikipedia.org/wiki/GendBuntu
06:40 https://www.zdnet.com/article/linux-not-windows-why-munich-is-shifting-back-from-microsoft-to-open-source-again/
14:10 A propos, F5 has some interesting ways of using web shells as an attack vector: https://www.f5.com/labs/learning-center/web-shells-understanding-attackers-tools-and-techniques
14:40 "attacks on kubernetes" is a fun web search string. Same for "attacks on S3 buckets". Enjoy.
14:56 https://redis.io/solutions/messaging/
15:42 https://en.wikipedia.org/wiki/Patch_Tuesday
17:40 To be fair, Bob in Accounting is a pretty powerful entry point to the organization for various types of cyberattackers.
19:35 Mirai botnet: https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
19:37 NoaBot: https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining
20:35 Chroot (change root directory): https://wiki.archlinux.org/title/chroot
27:42 PuTTY: https://www.putty.org/
29:45 There are several cryptojackers that try to neutralize competing malware, e.g. ChaosRAT https://www.trendmicro.com/en_th/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html or Jenkins https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner
35:30 For example LockBit: https://www.akamai.com/blog/security/learning-from-the-lockbit-takedown
35:37 My mistake - AvosLocker is also a Linux port of Windows malware: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker - HiddenWasp may be a better example: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/hiddenwasp-malware-targets-linux-systems-borrows-code-from-mirai-winnti
35:42 Diamorphine LKM rootkit: https://github.com/m0nad/Diamorphine
36:44 https://core.vmware.com/esxi - an example is ESXiArgs ransomware: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
38:42 Abuse.ch MalwareBazaar: https://bazaar.abuse.ch/
38:49 Fraunhofer FKIE Malpedia: https://malpedia.caad.fkie.fraunhofer.de
39:35 You could just run a Linux version of the virus aquarium: https://xkcd.com/350/
39:52 A few examples of VM detection: https://www.cynet.com/attack-techniques-hands-on/malware-anti-vm-techniques/
41:15 Joe Sandbox: https://www.joesandbox.com/
42:10 No, I won't, because I can't find it. Bit of Baader-Meinhof going on there...
42:59 https://www.youtube.com/@SandflySecurity
Craig on LinkedIn: https://www.linkedin.com/in/craighrowland/
Sandfly Security: https://sandflysecurity.com
Check out the rest of CyAN's media channels on https://cybersecurityadvisors.network/media - and visit us at https://cybersecurityadvisors.network
Intro/outro music courtesy of Studio Kolomna via Pixabay: https://pixabay.com/users/studiokolomna-2073170/
Original video available at https://youtu.be/W-7edx7Le6Y?si=NOoOy1kF3KiVOPUe
