Hackers have long been attacking and exploiting numerous Linux servers to steal data and intellectual property. This was discovered by BlackBerry, which says the hacking group behind it could be Chinese state-backed. The attackers first scan for unpatched, vulnerable servers, then exploit them to exfiltrate data and plant backdoors for future use.

Linux Servers Infected

Since 2012!

Researchers at BlackBerry uncovered a large hacking campaign that has been running since 2012. The actors behind it are linked to Chinese state-backed groups, as they are using the Winnti malware. Winnti was used in the 2010s by Chinese groups such as APT17 to steal corporate secrets and sensitive data, which can help them clone the original products at lower prices.

Researchers say the group has operated in the dark since the early 2010s, as traces left by its tools date back to 2012. The malware tools it uses are not very sophisticated by today's standards. Further, the group got into those unpatched servers easily and did not even update its tools after deploying them. The main servers targeted were those based on Red Hat Enterprise Linux, Ubuntu or CentOS.

But Why Linux?

Linux isn't that consumer-facing a product. It is raw and used mostly by professionals for building things, rather than simply working, gaming or streaming movies. Those who use Linux are most probably professionals. So for all these reasons, security companies don't concentrate much on Linux. And if there are no hardened security solutions available, it is easy for attackers to find a way in and sneak through.

Unlike Windows, which gets regular updates and constant monitoring by antivirus software, servers aren't watched as closely. Any traffic passing in and out is treated as normal, even if it is data being exfiltrated to the hackers' C2 server. In the end, the researchers recommended the good old advice of applying patches whenever possible and checking periodically for any suspicious activity.

Via: ZDNet
