Six Types of Attacks on Linux Devices that Organizations Should be Aware of


Linux devices (endpoints, servers, IoT) are a very attractive target for hackers, but currently their protection leaves much to be desired.

“Malware for Linux is too underestimated. Since most cloud hosts run Linux, the ability to compromise Linux-based platforms allows attackers to gain access to a huge amount of resources or cause serious damage using extortionate software and vipers,” Giovanni Vigna, senior director of Threat Intelligence Collection at VMware, told CSOonline.

Below are six types of attacks on Linux devices that organizations should be aware of.

Ransomware attacks on Virtual Machine images

In the last few years, ransomware operators have begun to pay more attention to Linux environments, including such sensational groups as Conti, DarkSide, REvil and Hive.

As a rule, ransomware attacks on cloud environments are carefully planned. According to VMware, before encrypting files, cybercriminals try to completely compromise the attacked network.

Recently, groups like RansomExx/Defray777 and Conti have started attacking Linux host images used for workloads in virtualized environments. They are particularly interested in encrypting virtual machine images on ESXi hypervisors, since they can significantly affect their operations.


Cryptojacking (hacking systems in order to use their resources for mining cryptocurrencies) is one of the most common types of cyber attacks on Linux systems, because it allows you to quickly make a profit. The most commonly used mining malware families are XMRig and Sysrv. According
to SonicWall, there are an average of 338 cryptojacking attempts per client’s network.

In attacks, hackers often use default password lists, bash exploits or exploits specifically designed to attack systems with incorrect configurations (directory traversal, remote inclusion of files, incorrectly configured processes with factory settings, etc.).

Attacks on IoT devices using XorDDoS, Mirai and Mozi malware

The simplicity of Linux-based IoT devices, with a few exceptions, makes them an attractive target for hackers. According
to the information technology company CrowdStrike, in 2021, the number of malware attacking devices running Linux has decreased by 35% compared to 2020. XorDDoS, Mirai and Mozi malware account for 22% of attacks. They infect devices and make them part of a botnet to carry out DDoS attacks.

According to the report
Global Threat Landscape Report of the Fortinet information Technology company, the activity of the most successful botnets remains unchanged over time. The company’s specialists found that the malware authors are making a lot of efforts to make their creations resistant to device reboots.

Attacks by hacker groups funded by governments

Experts tracking the activities of so-called government hackers also record an increase in the number of attacks on Linux environments. The increase in the number of attacks coincided with the Russian-Ukrainian conflict, Intezer researcher Ryan Robinson said. As reported by
Cybersecurity company Cyfirma, a few days before the Russian Federation introduced its troops into the territory of Ukraine, the Russian APT group Sandworm allegedly attacked Linux systems in the UK and the USA.

Microsoft and Mandiant specialists drew attention to the fact that many groups working for the governments of China, Iran and North Korea exploit the sensational vulnerability in the Log4j logging utility for attacks on Windows and Linux systems in order to gain access to the attacked networks.

File-free attacks

Security researchers from AT&T’s Alien Labs have discovered that many cybercriminal groups, including TeamTNT, have started using Ezuri, an open source tool written in Golang, to encrypt malicious code. When decrypting, the payload is executed directly from memory, leaving no traces on the disk, which makes it difficult for antivirus software to detect such attacks.

TeamTNT most often attacks Docker systems with incorrect configurations in order to install DDoS bots and cryptominers.

Linux malware attacks on Windows machines

Malware for Linux can also
attack Windows machines via Windows Subsystem for Linux (WSL), a feature
that allows files for Linux to run
on Windows OS. WSL must
be installed manually or through the Windows Insider program, but attackers can install it themselves if they
managed to increase their privileges on the attacked system.