• Linux Malware and Security, with Craig Rowland

  • Apr 17 2024
  • Length: 45 mins
  • Podcast


  • Summary

  • In today's conversation, Craig Rowland joins us to talk about the often overlooked significance of Linux as a key part of global communications and computing infrastructure, and to discuss the various types of threats targeting Linux systems.

    Malware, attackers, and techniques are often very distinct from those seen on Windows; Craig shares insights on all of these from his extensive experience both writing and reverse-engineering Linux malware.

    Craig is CEO of Sandfly Security, a New Zealand-based provider of Linux threat behavior scanning tools. Full disclosure: John Salomon is a paid consultant to Sandfly Security.

    Notes from the video:

    03:48 I can't find a source for the 95% figure, but a 2023 ZDNet article says 90%, which seems to be the most common figure: https://www.zdnet.com/article/linux-has-over-3-of-the-desktop-market-its-more-complicated-than-that/
    03:55 Percentage of top million websites running Linux is another interesting statistic, which seems to be well above 90%. For example: https://gitnux.org/linux-statistics/
    04:08 https://www.linuxinsider.com/story/the-flying-penguin-linux-in-flight-entertainment-systems-65541.html etc. etc.
    05:54 France's Gendarmerie Nationale: https://en.wikipedia.org/wiki/GendBuntu
    06:40 https://www.zdnet.com/article/linux-not-windows-why-munich-is-shifting-back-from-microsoft-to-open-source-again/
    14:10 Apropos, F5 has some interesting ways of using web shells as an attack vector: https://www.f5.com/labs/learning-center/web-shells-understanding-attackers-tools-and-techniques
    14:40 "attacks on kubernetes" is a fun web search string. Same for "attacks on S3 buckets". Enjoy.
    14:56 https://redis.io/solutions/messaging/
    15:42 https://en.wikipedia.org/wiki/Patch_Tuesday
    17:40 To be fair, Bob in Accounting is a pretty powerful entry point to the organization for various types of cyberattackers.
    19:35 Mirai botnet: https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
    19:37 NoaBot: https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining
    20:35 Chroot (change root directory): https://wiki.archlinux.org/title/chroot
    27:42 PuTTY: https://www.putty.org/
    29:45 There are several cryptojackers that try to neutralize competing malware, e.g. ChaosRAT https://www.trendmicro.com/en_th/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html or Jenkins https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner
    35:30 For example LockBit: https://www.akamai.com/blog/security/learning-from-the-lockbit-takedown
    35:37 My mistake - AvosLocker is also a Linux port of Windows malware: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker - HiddenWasp may be a better example: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/hiddenwasp-malware-targets-linux-systems-borrows-code-from-mirai-winnti
    35:42 Diamorphine LKM rootkit: https://github.com/m0nad/Diamorphine
    36:44 https://core.vmware.com/esxi - an example is ESXiArgs ransomware: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
    38:42 Abuse.ch MalwareBazaar: https://bazaar.abuse.ch/
    38:49 Fraunhofer FKIE Malpedia: https://malpedia.caad.fkie.fraunhofer.de
    39:35 You could just run a Linux version of the virus aquarium: https://xkcd.com/350/
    39:52 A few examples of VM detection: https://www.cynet.com/attack-techniques-hands-on/malware-anti-vm-techniques/
    41:15 Joe Sandbox: https://www.joesandbox.com/
    42:10 No I won't, because I can't find it. Bit of Baader-Meinhof going on there...
    42:59 https://www.youtube.com/@SandflySecurity

    Craig on LinkedIn: https://www.linkedin.com/in/craighrowland/
    Sandfly Security: https://sandflysecurity.com

    Check out the rest of CyAN's media channels on https://cybersecurityadvisors.network/media - and visit us at https://cybersecurityadvisors.network

    Intro/outro music courtesy of Studio Kolomna via Pixabay: https://pixabay.com/users/studiokolomna-2073170/

    Original video available at https://youtu.be/W-7edx7Le6Y?si=NOoOy1kF3KiVOPUe

