Ransomware operators expand the attack surface to Linux and beyond

Ransomware operators are increasingly expanding their reach into various components of modern IT infrastructure: from NAS storage and workstations to servers and virtualization systems, all the way to cloud environments. Of course, Microsoft Windows has up until now been the main target due to its popularity and the many opportunities it offers for lateral movement.


But that is rapidly changing: according to Trend Micro's "2022 Midyear Cybersecurity Report", malicious actors are also expanding their attack reach by targeting one of the most powerful operating systems used in cloud platforms and servers worldwide – Linux. Trend Micro observed a 75% increase in Linux-based ransomware attacks in the first half of 2022 compared to 2021, suggesting that Linux systems are becoming a prime target for ransomware-as-a-service operators.


The VMware hypervisor ESXi also had a rough first half of 2022. This year, Trend Micro discovered a new ransomware variant called Cheerscrypt, which targets ESXi servers and uses the popular double extortion tactic: actors exfiltrate data prior to network encryption and then threaten to leak the stolen data as leverage during negotiations.

The popularity of ESXi servers, together with frequently discovered vulnerabilities, makes them an ongoing target. As organizations use ESXi to host multiple virtual machines (VMs), a successful attack against virtualization infrastructure can do great damage to an organization.


Beyond traditional servers and virtualization, Trend Micro also points to increasing exploitation of cloud environments. Cloud tunneling services such as ngrok can be used for legitimate purposes to quickly publish a local on-prem service over the internet, without changing network infrastructure or opening incoming ports.

There are many malicious ways these services can be exploited for access and lateral movement, especially if the exposed services use protocols such as Microsoft SMB, which were not designed to be exposed on the public internet.


As cloud services increase in complexity and popularity, configuration errors become more likely. This means cloud misconfiguration will be a focus for threat actors. Again, a typical indicator is inadvertent exposure of services to the internet. Here, the report features an analysis of Kubernetes clusters whose kubelet APIs are exposed online, which can allow an attacker to install and run programs via this API.


Read the complete report here: Trend Micro 2022 Midyear Cybersecurity Report
