Alert essentials:
Traditionally hackers targeted mostly Microsoft Windows operating systems. Sometime later, Apple and Mac became lucrative targets for bad actors. Now threat actors are targeting Linux and Unix (*nix) based devices. Scan and patch Linux and Unix systems immediately, as attacks are on the rise!

Email Team

Detailed threat description:
Threat actors have focused primarily on exploiting Windows OS, and the *nix operating systems have been less popular targets. Writing exploit code is time-consuming. Considering Microsoft has had 90% of the computer market for years, writing exploits and targeting those systems increases the probability of success for threat actors. Thus, their efforts are more lucrative.

However, that has changed over the years since cloud environments began making Linux and Unix-based systems more available and useful for many reasons. Like with Microsoft, the more prevalent the OS, the more opportunity threat groups have to spend their time against them. Palo Alto reports that malicious files targeting Linux-based systems have increased by almost 50% from December 2022 to May 2023. Notorious groups like Cl0p, Hive, and Blackcat are writing ransomware and malware that are easy to customize for Linux-based systems. REvil, Tycoon, QNAPcrypt, and Darkside are ransomware samples that have released Linux versions.

What’s worse is that the attack on these systems has been building for years, just like the idea that these operating systems are safe. Due to the strong attention to patching from open-source groups, Linux has traditionally remediated flaws quickly. And therefore, it has been considered mostly safe from a security standpoint. But the cybersecurity landscape is changing and threatening the *nix systems. We must adapt to that change by patching and hardening Unix/Linux-based systems. Ignoring the security of these systems any longer promises to bring catastrophic results.

Impact on healthcare organizations
Many sensitive infrastructures and cloud environments utilize the Linux operating system. Like the Microsoft Windows Operating system, ransomware will lock Unix and Linux systems making the critical systems unavailable for patient care or business use. Depending on recovery procedures and incident response readiness as networks recover the affected systems, effects will linger for weeks or months. Meanwhile, reputations could suffer, patient data could be leaked, and extortion will be a factor for years to come.

The possibilities of attacks on *nix systems will continue to grow, but the goal remains the same, attack and extort for monetary gain.

Affected products / versions

  • Linux-based operating systems


Engineering recommendations:

  • Scan *nix systems using credentialed scans – commonly provided in the form of SSH credentials
  • Patch and upgrade Linux operating systems identified as vulnerable
  • Check Linux/Unix system configurations for default or weak passwords to include root users
  • Disable booting from external sources
  • Enable SELinux in the ‘/etc/selinux/config’ file
  • Update repositories and applications
  • Avoid using unencrypted protocols on any operating system
  • Encrypt data transfers
  • Disable root login and unwanted services / assign complex passwords for root users
  • Closed unused ports
  • Operating systems in the minority, such as Linux, should be treated like the majority, such as

Leadership / Program recommendations:

  • Add scanning of Linux and Unix systems to routine vulnerability scanning
    Most importantly – upgrade to the most recent version of these operating systems
  • More critical systems tend to run on Linux; this could provide hackers with information more damaging to businesses and significantly increase ransomware payouts

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.