Linux Malware and Security, with Craig Rowland

Released Wednesday, 17th April 2024

In today's conversation, Craig Rowland joins us to talk about the often overlooked significance of Linux as a key part of global communications and computing infrastructure, and to discuss various types of threats targeting Linux systems.

Malware, attackers, and techniques on Linux are often very distinct from those seen on Windows; Craig shares insights into all of these from his extensive experience both writing and reverse-engineering Linux malware.

Craig is CEO of Sandfly Security, a New Zealand-based provider of Linux threat behavior scanning tools. Full disclosure: John Salomon is a paid consultant to Sandfly Security.

Notes from the video:

03:48 I can't find a source for the 95% figure, but a 2023 ZDNet article says 90%, which seems to be the most common figure:  https://www.zdnet.com/article/linux-has-over-3-of-the-desktop-market-its-more-complicated-than-that/
03:55 Percentage of top million websites running Linux is another interesting statistic, which seems to be well above 90%.  For example:  https://gitnux.org/linux-statistics/
04:08 https://www.linuxinsider.com/story/the-flying-penguin-linux-in-flight-entertainment-systems-65541.html etc. etc.
05:54 France's Gendarmerie Nationale:  https://en.wikipedia.org/wiki/GendBuntu
06:40 https://www.zdnet.com/article/linux-not-windows-why-munich-is-shifting-back-from-microsoft-to-open-source-again/
14:10 Apropos, F5 has some interesting material on how attackers use web shells: https://www.f5.com/labs/learning-center/web-shells-understanding-attackers-tools-and-techniques
14:40 "attacks on kubernetes" is a fun web search string.  Same for "attacks on S3 buckets".  Enjoy.
14:56 https://redis.io/solutions/messaging/
15:42 https://en.wikipedia.org/wiki/Patch_Tuesday
17:40 To be fair, Bob in Accounting is a pretty powerful entry point to the organization for various types of cyberattackers.
19:35 Mirai botnet:  https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
19:37 NoaBot:  https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining
20:35 Chroot (change root directory):  https://wiki.archlinux.org/title/chroot
27:42 PuTTY:  https://www.putty.org/
29:45 There are several cryptojackers that try to neutralize competing malware, e.g. ChaosRAT (https://www.trendmicro.com/en_th/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html) or the Jenkins-targeting campaign described by F5 (https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner)
35:30 For example LockBit:  https://www.akamai.com/blog/security/learning-from-the-lockbit-takedown
35:37 My mistake - AvosLocker is also a Linux port of Windows malware:  https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker - HiddenWasp may be a better example:  https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/hiddenwasp-malware-targets-linux-systems-borrows-code-from-mirai-winnti
35:42 Diamorphine LKM rootkit:  https://github.com/m0nad/Diamorphine
36:44 https://core.vmware.com/esxi - an example is ESXiArgs ransomware:  https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
38:42 Abuse.ch MalwareBazaar:  https://bazaar.abuse.ch/
38:49 Fraunhofer FKIE Malpedia:  https://malpedia.caad.fkie.fraunhofer.de
39:35 You could just run a Linux version of the virus aquarium:  https://xkcd.com/350/
39:52 A few examples of VM detection:  https://www.cynet.com/attack-techniques-hands-on/malware-anti-vm-techniques/
41:15 Joe Sandbox:  https://www.joesandbox.com/
42:10 No I won't, because I can't find it.  Bit of Baader-Meinhof going on there...
42:59 https://www.youtube.com/@SandflySecurity

Craig on LinkedIn:  https://www.linkedin.com/in/craighrowland/
Sandfly Security:  https://sandflysecurity.com

Check out the rest of CyAN's media channels on https://cybersecurityadvisors.network/media - and visit us at https://cybersecurityadvisors.network

Intro/outro music courtesy of Studio Kolomna via Pixabay: https://pixabay.com/users/studiokolomna-2073170/

Original video available at https://youtu.be/W-7edx7Le6Y?si=NOoOy1kF3KiVOPUe
