Linux vulnerabilities: How unpatched servers lead to persistent backdoors
Vulnerability management is a challenge
Humans make mistakes, software has bugs and some of these bugs are exploitable vulnerabilities. The existence of vulnerabilities in software is not a new problem, but as the volume of software in existence grows, so does the number of exploitable vulnerabilities.
In the last couple of years, over 22,000 new vulnerabilities have been discovered each year. This does not include all of the vulnerabilities that have been previously discovered and reported. Currently, over 139,000 CVEs exist, and not every publicly disclosed vulnerability is assigned a CVE.
Keeping up with the flood of new vulnerabilities is a challenge for any organization. In 2019 alone, an average of 61 new vulnerabilities were reported daily. Even though an organization would likely be affected by only a fraction of these, it still has to check whether each vulnerability is applicable; if it is, the organization must test the patch, apply it and verify that it was applied successfully. This assumes that the organization is already up to date on patching, and many are not.
To alleviate the patching burden, many organizations use a triage process to prioritize patch application. However, it seems that often “the squeaky wheel gets the grease” and some systems are overlooked, making them and the organization vulnerable to exploitation.
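The applicability check and triage step described above, as an added example that is not from the article: a constructed package inventory is compared against a constructed advisory feed, keeping only advisories whose package is installed at a version below the fix, and ranking old issues with public exploit code first. The package names, versions and CVE-style identifiers are placeholders, and the version comparison is a simplified one, not dpkg or rpm semantics.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import re

@dataclass(frozen=True)
class Advisory:
    cve: str            # placeholder identifier, not a real CVE
    package: str
    fixed_version: str  # first version that contains the fix
    published: date
    exploit_public: bool

def version_key(v: str) -> tuple:
    """Split a dotted/dashed version into comparable chunks; numbers compare numerically."""
    parts = re.split(r"[.\-+~]", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def is_vulnerable(installed: str, fixed: str) -> bool:
    return version_key(installed) < version_key(fixed)

def triage(inventory: dict[str, str], advisories: list[Advisory], today: date) -> list[dict]:
    applicable = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None or not is_vulnerable(installed, adv.fixed_version):
            continue  # not installed, or already at/above the fixed version: nothing to patch
        applicable.append({"cve": adv.cve, "package": adv.package, "installed": installed,
                           "fixed": adv.fixed_version, "exploit_public": adv.exploit_public,
                           "age_days": (today - adv.published).days})
    # Old, still-open advisories with public exploit code are exactly what long-running campaigns rely on
    applicable.sort(key=lambda r: (not r["exploit_public"], -r["age_days"]))
    return applicable

# Constructed sample data (hypothetical packages and advisories)
INVENTORY = {"webapp-runtime": "2.4.1", "db-client": "10.3.0-1", "ssh-daemon": "8.9-3"}
ADVISORIES = [
    Advisory("CVE-0000-0001", "webapp-runtime", "2.4.3", date(2013, 5, 1), True),
    Advisory("CVE-0000-0002", "db-client", "10.3.0-1", date(2020, 2, 1), False),  # already fixed
    Advisory("CVE-0000-0003", "image-lib", "1.0.2", date(2019, 6, 1), True),      # not installed
    Advisory("CVE-0000-0004", "ssh-daemon", "8.9-4", date(2020, 1, 15), False),
]

def run_triage(today: date = date(2020, 6, 1)) -> list[dict]:
    return triage(INVENTORY, ADVISORIES, today)

if __name__ == "__main__":
    for row in run_triage():
        print(f"{row['cve']} {row['package']} {row['installed']} -> {row['fixed']} "
              f"open {row['age_days']} days, exploit public: {row['exploit_public']}")
```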
Linux servers are a prime target of exploitation
When planning a cyberattack, the best targets are those that are easily exploited yet have a wealth of valuable information stored on them. Linux servers are an excellent target for cybercriminals for a variety of different reasons:
- Not user-facing: Linux servers typically are located in a data center or server room somewhere and have little or no direct interaction with users. This lack of direct interaction means that they often receive less of a security focus. If no one is logging into them on a regular basis or clicking on phishing emails on them, it is much easier to forget to check if they require any updates.
- High availability requirements: Servers typically must have very high availability, since downtime means lost employee productivity or unavailable customer-facing services. High availability requirements mean that the server is likely to be online and reachable when a cybercriminal is performing an attack, and that vulnerability patching and other updates are harder to perform, since they require downtime to complete.
- Easy data exfiltration: Linux servers often comprise an organization’s back-end systems and either host databases or have access to them. An attacker with access to a Linux server can access this data, and command and control traffic and data exfiltration can easily be disguised as web traffic.
Cybercriminals leverage unpatched vulnerabilities for persistent access
The threat of cybercriminals exploiting Linux servers is not a theoretical one. A report by Blackberry researchers detailed how a cybercrime group linked to China has been engaged in a hacking campaign focused on Linux servers since 2012.
These cybercriminals gain access to Linux servers by scanning for ones with known vulnerabilities, exploiting these vulnerabilities and establishing a backdoor. Once on the system, the hackers target intellectual property and other sensitive data.
Hacking into systems to steal intellectual property is nothing new for many cybercrime groups. This particular campaign is interesting because of the vulnerabilities that the hackers exploit. The tools and techniques used by the hackers have largely not been updated since the beginning of the campaign and use vulnerabilities that have existed and have had patches available since 2012 and 2013.
The fact that this campaign is still active and successful demonstrates that many organizations overlook or fail to patch vulnerabilities in their Linux servers. Otherwise, the cybercrime group’s access would be limited to the machines that were exploited and backdoored while the vulnerabilities were new, or the group would have been forced to update its tools and the vulnerabilities it uses in order to exploit Linux servers today.
Improving server security
Older vulnerabilities, such as the ones used by this cybercrime group, may seem unimportant or be forgotten since they do not appear on today’s list of the latest vulnerabilities. However, cybercriminals often actively exploit older vulnerabilities. Cybercrime is a business like any other, and it doesn’t make financial sense to invest time and resources in developing new exploits when the old ones work just as well.
Performing updates to close security holes consumes significant time and resources, but it is necessary for security. However, the burden of patching can be decreased by minimizing the attack surface (by uninstalling or disabling unneeded applications and functionality) and taking advantage of “virtual patching” functionality in firewalls or runtime application self-protection (RASP) solutions.
- 37.3% of Vulnerabilities in 2019 Had Available Exploit Code or a Proof of Concept, RiskBased Security
- CVE List Home, cve.mitre.org
- These hackers have been quietly targeting Linux servers for years, ZDNet