Not long ago, the term “Linux protection” was closer to an oxymoron than a strategy. For security teams and vendors alike, Linux systems were seen as being either immune to cyber threats or not something threat actors targeted.
This made sense. After all, Linux is open source, and, compared to Windows, its codebase is tiny. Also, thanks to a dedicated fanbase, thousands of eyes are supposed to be constantly finding and removing bugs in every flavor of Linux distribution. All great reasons to put Linux server security on the bottom of any to-do list.
Unfortunately, the perception that these Linux traits make it nearly invulnerable has proven false. Ransomware may not have been a primary concern a few years ago. But today there are at least nine major ransomware families targeting Linux systems, including Linux versions of REvil, DarkSide, BlackMatter, and Defray777. Cryptojacking is also on the rise, and 89 percent of Linux cryptominers now use XMRig-related libraries to mine the Monero cryptocurrency. With 13 million detected attacks on Linux systems in the first half of 2021 alone, the idea that Linux systems are not a target for cybercriminals is simply no longer true.
Powering most of the world's largest websites, Linux has never been anything but important. However, since the pandemic shunted white collar workers into home offices, the surge in cloud computing dependency made Linux systems existentially important.
You’ll struggle to meet someone who uses desktop Linux. But every kind of business, organization, or service imaginable now uses Linux to power its cloud servers. At least 90 percent of the cloud runs on some kind of Linux distribution. It's almost impossible to do anything digitally without interacting with the world's foremost open-source OS.
Malware developers and cybercriminals have noticed Linux’s increasing market share. In 2010, a survey of Linux developers revealed 90 percent of Linux servers had never been infected by a virus. Today, the threat landscape could not be more different. Twelve years ago there were fewer than 10 new Linux-focused malware families annually. By 2020, there were over 50—a 500 percent growth rate for new Linux malware strains.
Linux servers are now extremely attractive targets. They’re being recruited into botnets, turned into crypto miners, and infected with ransomware strains (e.g. LockBit) designed or adapted specifically for them. Between 2020 and 2021, the volume of malware and ransomware targeting Linux distributions rose another 35 percent. 2022 is already looking even worse.
Cybercriminals are riding a new wave of Linux-focused malware, much of which is written in the cross-platform Go (Golang) programming language. It’s helping make malware increasingly OS-agnostic. The TellYouThePass ransomware strain features 85 percent code similarity between its Windows and Linux versions.
Meanwhile, Linux servers are also being subjected to a barrage of fileless and in-memory attacks. This is a vector that existing signature- or behavior-based Linux security solutions can’t easily defend against. Cybercriminals have even ported a cracked version of the pen-testing tool Cobalt Strike to target Linux systems.
In this threat landscape, unprotected, exposed Linux servers are vulnerable to attack. Linux servers secured solely with traditional endpoint protection and detection solutions (EPP/EDR), or other poorly adapted defensive technologies, are not much safer. Moreover, these solutions usually use bloated agents that negatively impact server performance.
New breeds of Linux-focused fileless threats execute malware directly in memory, leaving little or nothing on disk for a scanner to inspect. One example is the Ezuri memory loader uncovered by AT&T Alien Labs last spring. These threats can easily bypass detection-focused solutions, including traditional signature-based and machine learning-based next-generation antivirus. Similarly, reactive EDR tools often miss advanced threats or spot them only when a Linux server environment is already compromised.
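The two paragraphs above describe in-memory execution as something file-centric scanners cannot see. One artifact that does remain visible to a defender is the kernel's own process table: on Linux, `/proc/<pid>/exe` is a symlink to the image a process is running, and a process launched from an anonymous memory file shows a target of the form `/memfd:name (deleted)`, while one whose binary was unlinked after launch shows `/path (deleted)`. The following is an added example written for this article, not Morphisec's code nor an Ezuri-specific signature; the `/memfd:` and `(deleted)` patterns are standard `/proc` conventions, and the sample process table is constructed. It walks `/proc` when available and otherwise runs against the constructed table.

```python
"""
Flag running processes whose executable image is memory-only or deleted.

Added, defender-side heuristic (not the page's or Morphisec's code).
Assumptions: Linux /proc semantics for /proc/<pid>/exe, where
  "/memfd:name (deleted)"   -> process started from an anonymous memfd
  "/path/to/bin (deleted)"  -> on-disk image unlinked after launch
Both are common fingerprints of fileless loaders, but "(deleted)" also
appears after a package upgrade replaces a still-running binary, so
treat findings as triage leads rather than proof of compromise.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Optional

MEMFD_RE = re.compile(r"^/memfd:")          # anonymous, memory-backed file
DELETED_RE = re.compile(r" \(deleted\)$")   # image no longer linked on disk


@dataclass
class Finding:
    pid: int
    exe: str
    reason: str


def classify_exe(pid: int, exe_target: str) -> Optional[Finding]:
    """Return a Finding if the exe link target looks memory-only, else None."""
    # Check memfd first: a memfd target also ends in "(deleted)".
    if MEMFD_RE.match(exe_target):
        return Finding(pid, exe_target, "memfd-backed executable")
    if DELETED_RE.search(exe_target):
        return Finding(pid, exe_target, "executable deleted from disk")
    return None


def scan_table(exe_by_pid: dict[int, str]) -> list[Finding]:
    """Classify a pid -> exe-target mapping; lets the logic run without /proc."""
    findings: list[Finding] = []
    for pid, target in sorted(exe_by_pid.items()):
        finding = classify_exe(pid, target)
        if finding is not None:
            findings.append(finding)
    return findings


def read_proc_exe_table(proc_root: str = "/proc") -> dict[int, str]:
    """Collect /proc/<pid>/exe targets; entries we cannot read (permissions,
    kernel threads, processes that exited mid-scan) are skipped."""
    table: dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            table[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
    return table


# Constructed sample table (not real telemetry) covering the three cases.
SAMPLE_TABLE: dict[int, str] = {
    1: "/usr/lib/systemd/systemd",
    4242: "/memfd:payload (deleted)",
    5150: "/tmp/.x/loader (deleted)",
}

if __name__ == "__main__":
    table = read_proc_exe_table() if os.path.isdir("/proc") else SAMPLE_TABLE
    for f in scan_table(table):
        print(f"pid {f.pid}: {f.reason} ({f.exe})")
```

Run it as root (or with `CAP_SYS_PTRACE`) to see every process; unprivileged runs silently skip other users' processes because their `exe` links are unreadable. A production version would run on a schedule or from an eBPF/auditd `execve` hook so that short-lived loaders are caught, and would correlate a `(deleted)` hit with the package manager's recent activity before alerting.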
Linux-powered back-end systems—web servers, databases, and network file shares—need lightweight protection to ensure a smooth and speedy end-user experience. Linux protection must also cover known and unknown vulnerabilities. Open-source software is constantly evolving, making vulnerabilities a fact of life. Even when an organization works hard to find and close patch gaps, vulnerabilities will be present.
Moving Target Defense (MTD) overcomes traditional Linux security limitations by overhauling how threat mitigation happens. It doesn’t rely on scanners to find and stop a threat once it's already inside a system. Instead, MTD prevents threats from gaining access in the first place. By randomizing parts of the Linux kernel API, Morphisec creates a dynamic attack surface and leaves a false-front skeleton in place to trap threats. At the same time, a unique command validation process means only trusted actions are allowed to happen.
All this means no threat—even a fileless attack—can find its mark and compromise a protected server. And critically for resource-constrained systems, Morphisec uses a lightweight agent that uses less than one percent of CPU or memory. Real-time Linux protection happens without compromising server performance or requiring shutdowns or reboots, ensuring non-disruptive attack prevention.
Gartner said MTD is one of the most impactful emerging technologies driving innovation in the security market. Morphisec uniquely brings MTD to Linux servers, turning the tables on threat actors targeting the open-source systems that power our world. To learn more, read the white paper, Linux Servers: How to Defend The New Cyberattack Frontier.