Dear Reader,

We in the Linux community are steeped in the conventional wisdom that Linux is much more secure than Windows. It is, of course, and it always has been, but then, that isn't saying much. The old versions of Windows that were around 20 years ago, when Linux was first starting to pick up steam, were really ridiculously insecure. Meanwhile, Microsoft kept bragging about how great Windows was and how you'd better be using it or you'd be left in the dust. The combination of Microsoft's engineering buffoonery and malicious marketing (they called Linux a cancer) gave the Linux community an attitude that remains to this day.

That attitude gave Linux developers an edge over the years when it came to competition and innovation, but the edge of attitude can be sharp and precipitous. Most Linux users are aware of the need to take standard security precautions, but there is also a tendency for denial among some of the Linux faithful about whether all that security advice really even applies to them. Ransomware? Privilege escalation? Must have been a Windows problem….

Well this isn't 2002 anymore. In many ways, Linux has already won the battle of the Internet. More Internet servers run Linux than any other system – even the Microsoft Azure cloud runs Linux servers. The pathetically low hanging fruit offered by systems like Windows 95 doesn't even exist anymore, which means that cybercriminals have to work harder to find a way inside. And once they start working harder, yes, they have found ways to get inside Linux.

The fact that Linux servers are so ubiquitous means that it is almost impossible for criminals to avoid them. In fact, it is getting to the point where cybercriminals need to attack Linux if they are going to continue to flourish. (OK, maybe "flourish" is too kind of a term, but you get my point.)

VMware's Threat Analysis Unit released a report recently about malware in Linux-based multi-cloud environments. The report [1], which is free for download if you enter your name and email address, focuses on ransomware and cryptomining attacks against cloud-based Linux instances. According to the report, "Threat actors know that current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to Linux-based attacks."

As you might expect, out-of-date and poorly managed Linux systems are considered the most vulnerable, but too often it seems that we don't really know which systems are "poorly managed" until it is too late. The report states that the most common threats "take advantage of weak authentication, vulnerabilities, and misconfigurations in container-based infrastructures to infiltrate the environment with remote access tools (RATs)."

Cobalt Strike is a commercial penetration testing tool that is also used by cybercriminals. The report outlines how attackers have implemented a Linux version of the Beacon implant used with Cobalt Strike in order to port the attack to Linux-based systems. Similar conversions are happening elsewhere as criminals adapt to a Linux-focused Internet.

The usual advice applies here as well as everywhere: Use strong passwords and keep your system up to date to prevent attackers from getting a foothold. But these time-honored measures aren't enough to protect your Linux cloud environment. The VMware team recommends "…complete visibility into all workloads with detailed system context that makes it easier to understand and prioritize mitigation efforts." They also say you should use an Endpoint Detection and Response (EDR) system that will monitor, collect data, and send automated alerts if anything is awry.

The important thing is, pay attention, and don't assume your Linux is safe just because it is safer than Windows. Linux might be the most secure system around, but you still need to do your homework, because danger is lurking behind the nearest cloud.

Joe Casad, Editor in Chief