Trend Micro’s Linux Threat Report identifies the most vulnerable distributions and biggest security headaches

Analysts reviewed 13 million security incidents and found that end-of-life versions of Linux distributions were at the biggest risk.


Linux has now been around long enough that old versions are causing security problems, according to a new report from Trend Micro. Security analysts found that 44% of security breach detections came from CentOS versions 7.4 to 7.9, followed by CloudLinux Server with more than 40% of the detections and Ubuntu with almost 7%. CentOS 7 was first released in June 2014, and full support ended in August 2019.

Trend Micro detection data from the Linux Threat Report 2021 1H shows the top four Linux distributions where the top threat types were found:

  1. CentOS Linux:              51%
  2. CloudLinux Server:         31%
  3. Ubuntu Server:             10%
  4. Red Hat Enterprise Linux:   3%


Trend Micro analyzed more than 13 million security events to identify the top 10 malware families and most common threat types. The top five threat types affecting Linux servers from Jan. 1 to June 30 were:

  1. Coin miners:   25%
  2. Web shells:    20%
  3. Ransomware:    12%
  4. Trojans:       10%
  5. Others:         3%

About 40% of the detections came from the U.S., followed by Thailand and Singapore with 19% and 14%, respectively.

The report's data come from Trend Micro's security products, honeypots, sensors, anonymized telemetry and other backend services. Trend Micro sees this data as an illustration of the real-world prevalence of malware and vulnerability exploitation in large and small companies across multiple industries.

Most common OWASP and non-OWASP attacks

The report looked at web-based attacks that fit in the Open Web Application Security Project top 10 list as well as common attacks that are not on the list. The most common OWASP attacks are:

  1. SQL injection:             27%
  2. Command injection:         23%
  3. XSS:                       22%
  4. Insecure deserialization:  18%
  5. XML external entity:        6%
  6. Broken authentication:      4%

The data showed that injection flaws and cross-site scripting attacks are as high as ever. The report authors also noted the high number of insecure deserialization vulnerabilities, which they attribute partly to the ubiquity of Java and deserialization vulnerabilities. The data analysis also found Liferay Portal, Ruby on Rails and Red Hat JBoss deserialization vulnerabilities. Magno Logan and Pawan Kinger wrote the report for Trend Micro and said:

“Attackers also try to use vulnerabilities where there is broken authentication to gain unauthorized access to systems. The number of command injection hits also came as a surprise as they are higher than what we would have expected.”

The report found that brute-force, directory traversal and request smuggling attacks are the three most prevalent non-OWASP security risks.


How to protect Linux servers

The report also reviewed security threats to containers and identified total vulnerabilities for the 15 most popular official Docker images on Docker Hub. This is what the list looks like:

Image          Total vulnerabilities
Python                   482
Node                     470
WordPress                402
Golang                   288
Nginx                    118
Postgres                  86
Influxdb                  85
Httpd                     84
Mysql                     76
Debian                    66
Memcached                 65
Redis                     65
Mongo                     47
Centos                    68
Rabbitmq                  30

To protect containers, the report authors recommend asking these questions:

  • How secure are the container images?
  • Can the container images be trusted?
  • Are the container images running with proper privileges?
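As an added example (not from the report or this article), the following Python script turns those three questions into mechanical checks on a Dockerfile: a base image pinned by digest answers the trust question, a floating or missing tag fails the "how secure" question, and the last USER directive of the final stage answers the privilege question. The sample Dockerfile and its digest are constructed for illustration.

```python
import re

# Constructed sample Dockerfile (not from the report); the digest is a placeholder.
SAMPLE_DOCKERFILE = """\
FROM python:latest AS build
RUN pip install --no-cache-dir flask
FROM python:3.9-slim@sha256:PLACEHOLDER_DIGEST
COPY --from=build /usr/local/lib/python3.9 /usr/local/lib/python3.9
COPY app.py /app/app.py
USER root
RUN chown -R 1000:1000 /app
USER 1000
CMD ["python", "/app/app.py"]
"""

def parse_stages(dockerfile):
    """Split a Dockerfile into build stages, each a list of (INSTRUCTION, args)."""
    stages, current = [], None
    text = re.sub(r"\\\n", " ", dockerfile)          # join backslash continuations
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            current = []
            stages.append(current)
        if current is not None:
            current.append((instr.upper(), args.strip()))
    return stages

def check_image(dockerfile):
    """Return a list of findings; an empty list means all three questions pass."""
    stages = parse_stages(dockerfile)
    if not stages:
        return ["no FROM instruction found"]
    findings = []
    for i, stage in enumerate(stages):
        base = stage[0][1].split()[0]               # drop an "AS <name>" alias
        if "@sha256:" in base:
            continue                                # trusted: pinned by content digest
        name = base.rsplit("/", 1)[-1]              # ignore ':' in a registry host:port
        tag = name.rsplit(":", 1)[1] if ":" in name else "latest"
        if tag == "latest":
            findings.append(f"stage {i}: base '{base}' floats on 'latest'; pin a version tag")
        else:
            findings.append(f"stage {i}: base '{base}' is not pinned by digest")
    # Only the final stage ships; its last USER directive decides the runtime identity.
    users = [args for instr, args in stages[-1] if instr == "USER"]
    runtime_user = users[-1].split(":")[0] if users else "root"
    if runtime_user in ("root", "0"):
        findings.append("final stage runs as root; add a non-root USER")
    return findings
```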

Companies should also think about code security, the report recommends, and add these code security verifications to the development pipeline:

  • Static application security analysis
  • Dynamic application security analysis
  • Software composition analysis
  • Runtime application self-protection

The Trend Micro analysts recommend creating a multilayered security strategy that includes these elements:

  • Anti-malware
  • Intrusion prevention and detection system
  • Execution control
  • Configuration assessment
  • Vulnerability assessment and patching
  • Activity monitoring
