Linux vulnerabilities: How unpatched servers lead to persistent backdoors
Vulnerability management is a challenge
Humans make mistakes, software has bugs and some of these bugs are exploitable vulnerabilities. The existence of vulnerabilities in software is not a new problem, but as the volume of software in existence grows, so does the number of exploitable vulnerabilities.
In the last couple of years, over 22,000 new vulnerabilities have been discovered each year. This does not include all of the vulnerabilities that have been previously discovered and reported. Currently, over 139,000 CVEs exist, and not every publicly disclosed vulnerability is assigned a CVE.
Learn Vulnerability Management
Keeping up with the flood of new vulnerabilities is a challenge for any organization. In 2019 alone, an average of 61 new vulnerabilities were reported daily. Even though an organization would likely be affected by a fraction of these, it is necessary to check if each vulnerability is applicable; if it is, the organization must test the patch, apply it and verify that it is applied successfully. This assumes that an organization is currently up-to-date on patching, and many are not.
To alleviate the patching burden, many organizations use a triage process to prioritize patch application. However, it seems that often “the squeaky wheel gets the grease” and some systems are overlooked, making them and the organization vulnerable to exploitation.
Linux servers are a prime target of exploitation
When planning a cyberattack, the best targets are those that are easily exploited yet have a wealth of valuable information stored on them. Linux servers are an excellent target for cybercriminals for a variety of different reasons:
- Not user-facing: Linux servers typically are located in a data center or server room somewhere and have little or no direct interaction with users. This lack of direct interaction means that they often receive less of a security focus. If no one is logging into them on a regular basis or clicking on phishing emails on them, it is much easier to forget to check if they require any updates.
- High availability requirements: Servers typically must have very high availability since downtime means a loss of employee productivity or availability of customer-facing services. High availability requirements mean that the server is likely to be online and reachable when a cybercriminal is performing an attack and that vulnerability patching and other updates are harder to perform, since they require downtime to complete.
- Easy data exfiltration: Linux servers often comprise an organization’s back-end systems and either host databases or have access to them. An attacker with access to a Linux server can access this data, and command and control traffic and data exfiltration can easily be disguised as web traffic.
Cybercriminals leverage unpatched vulnerabilities for persistent access
The threat of cybercriminals exploiting Linux servers is not a theoretical one. A report by Blackberry researchers detailed how a cybercrime group linked to China has been engaged in a hacking campaign focused on Linux servers since 2012.
These cybercriminals gain access to Linux servers by scanning for ones with known vulnerabilities, exploiting these vulnerabilities and establishing a backdoor. Once on the system, the hackers target intellectual property and other sensitive data.
Hacking into systems to steal intellectual property is nothing new for many cybercrime groups. This particular campaign is interesting because of the vulnerabilities that the hackers exploit. The tools and techniques used by the hackers have largely not been updated since the beginning of the campaign and use vulnerabilities that have existed and have had patches available since 2012 and 2013.
The fact that this campaign is still active and successful demonstrates the fact that many organizations overlook or fail to patch vulnerabilities in their Linux servers. Otherwise, either the cybercrime group’s access would be limited to those machines that were exploited and had a backdoor installed when the vulnerabilities were new or the group would have been forced to update the tools and vulnerabilities in use to exploit Linux servers today.
Improving server security
Older vulnerabilities, such as the ones used by this cybercrime group, may seem unimportant or be forgotten since they do not appear on today’s list of the latest vulnerabilities. However, cybercriminals often actively exploit older vulnerabilities. Cybercrime is a business like any other, and it doesn’t make financial sense to invest time and resources in developing new exploits when the old ones work just as well.
Performing updates to close security holes consumes significant time and resources, but it is necessary for security. However, the burden of patching can be decreased by minimizing the attack surface (by uninstalling or disabling unneeded applications and functionality) and taking advantage of “virtual patching” functionality in firewalls or runtime application self-protection (RASP) solutions.
Learn Vulnerability Management
Sources
- 37.3% of Vulnerabilities in 2019 Had Available Exploit Code or a Proof of Concept, RiskBased Security
- CVE List Home, cve.mitre.org
- These hackers have been quietly targeting Linux servers for years, ZDNet
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
