Uptycs' threat research team has observed several instances of Linux malware where the attackers leverage the inbuilt commands and utilities for a wide range of malicious activities.
In this post, we’ll take a look at the Linux commands and utilities commonly used by attackers and how you can use Uptycs EDR detection capabilities to find if these have been used in your environment.
Despite the fact that Linux server endpoints comprise 90% of cloud workloads and a majority of on-premises enterprise workloads, they don’t usually get as much attention as productivity endpoints. Most EDR solutions focus on end users and don’t meet the unique requirements for production Linux servers, such as the need for 100% uptime and low resource consumption.
SecOps and IT administrators have seen plenty of information regarding the GRUB2 BootHole vulnerability. In addition to BootHole, several low to moderate vulnerabilities were also discovered and fixed. While a key recommendation for mitigation is to install OS updates and patches, vendor patches should be carefully tested and incrementally applied to vulnerable assets. Updating the Secure Boot Forbidden Signature Database (dbx) has caused issues in the past. Initial GRUB2 patches from Red Hat caused boot issues for some RHEL and CentOS machines.
Infrastructure security at the server layer is a critical aspect of your organization’s overall security posture. When you know the best Linux resources to use, you can prevent attackers from taking over servers or compromising your databases.
Linux endpoint security is a more prevalent topic now than it was a decade ago. With the rapid growth of the SaaS industry, many significant applications in cloud environments now rely on Linux.
For security analysts working on Linux, the lack of flexible, transparent and comprehensive tools is an ongoing problem. As is often the case, security professionals are turning to open-source solutions that can be more easily customized to solve specific problems.