Malware targeting Linux systems hit a new high in 2021

The Linux operating system is becoming increasingly attractive to malicious actors, according to a report by CrowdStrike.

The company's latest threat telemetry data showed that malware for the popular operating system increased by more than a third (35%) in 2021, compared to the previous year.

According to CrowdStrike, Linux is a popular target for cybercriminals due to its popularity with cloud infrastructure developers and web server manufacturers. It also powers most mobile and IoT devices.

Objective

Just three families account for nearly a quarter (22%) of all Linux-based malware found in 2021: XorDDoS, Mirai, and Mozi. Their main purpose is to assimilate target endpoints into a botnet, to be used for Distributed Denial of Service (DDoS) attacks.

XorDDoS malware, for example, had 123% more samples in 2021 compared to the previous year, while Mozi grew tenfold over the same period.

The third most popular malware is Mirai and all its offshoots. CrowdStrike says it is a "common ancestor" for many of today's emerging malware samples, such as Sora (33% more), IZIH9 (39%), or Rekai (83%).

DDoS attacks and cryptominers

Malicious actors have many ways to attack Linux-powered devices, from finding those with hard-coded credentials, to targeting those with open ports, to those with known and unpatched vulnerabilities.

Things are not expected to improve in the future, either. CrowdStrike expects more than 30 billion IoT devices to be connected to the Internet within three years, creating a potentially large attack surface.

A botnet is, as the name suggests, a network of bots that perform specific tasks for their administrator. They are usually tasked with DDoS attacks, but can often be used to mine cryptocurrency. One of the largest and most popular botnets was Mirai, which was used in 2016 to attack domain name server operator Dyn, among other things. Mirai was dismantled three years later, thanks to a joint raid by several law enforcement agencies.