Moving into the Cloud: The Metamorphosis of Work and Malware
Taking proactive measures to address security concerns when moving work to the cloud.
The very idea of what constitutes “work” has undergone a metamorphosis over the past two years. Companies and their employees have proven incredibly adaptable, and our ability to thrive collaborating online, rather than in a shared physical working space, has ushered in a work-from-anywhere era.
It’s been an exciting time of accelerated digital transformation, but has the hasty shift into the cloud environment left organizations more vulnerable?
Overlooked gaps in cloud security
The reality is, for many organizations working in a cloud environment, security hasn’t been a primary concern. As people are working with tools and applications that weren’t designed to securely function in the cloud — resulting in overlooked gaps in cloud security — opportunities to exploit security vulnerabilities abound.
“Bad guys are always going to follow the money. They’re watching organizations moving into the cloud, and of course they’re going to follow that money,” says Charles DeBeck, Senior Cyber Threat Intelligence Analyst for IBM Security. “What we’re seeing across the board is threat actors investing heavily in cloud-focused malware.”
So perhaps it’s no surprise that malware, like work, is undergoing its own metamorphosis, with a growing emphasis on Linux malware innovation. Linux — the open-source code that supports cloud infrastructure and data storage — is believed to power around 90% of cloud workloads. As you can imagine, Linux malware presents an incredibly alluring and lucrative area of focus for threat actors.
Malware trends are on the rise
Although Linux malware trends have been increasing steadily since 2018, largely driven by the opportunities that crypto-mining presents, there’s been a sharper rise in recent years. Between 2019 and 2020, there was a 40% increase in Linux malware families, according to the latest data from the IBM Security X-Force Threat Intelligence Index (TII). In fact, this malware had a 500% growth from 2010 to 2020.
“Threat actors are realizing how valuable Linux malware is, so that is where they’re spending more time, ingenuity and resources,” says Camille Singleton, Manager, IBM X-Force Cyber Range Tech Team.
Linux malware saw a 146% increase in Linux ransomware with new code, according to the TII. And unique code increased in four out of five categories over the previous year. The banking industry experienced the greatest innovation increase — over tenfold — due to trojans. While Windows malware still makes up the vast majority of malware, the sheer volume of unique code suggests an ongoing trend.
Evasive, fileless malware lurking in memory can elude standard detection tools by exploiting legitimate scripting languages and sidestepping the use of signatures. Often used in Windows-based attacks, fileless malware is entering into the cloud with Ezuri, an open source crypter and memory loader written in Golang.
New malware suite focuses on Linux
IBM Security X-Force research in the Threat Intelligence Index (TII) highlighted the development of a new malware suite dubbed Vermillion Strike, which provides attackers with remote access capabilities. Based on the popular penetration testing tool Cobalt Strike, Vermillion Strike is designed to run on Linux systems.
The creation of Vermillion Strike shows that attackers are planning to expand human-operated attacks executed through Cobalt Strike to Linux systems, which may help them evade detection within enterprises. This development highlights the continued migration to malware targeting Linux and indicates that ongoing operations outside of Windows environments will continue into the future.
“Where Vermillion Strike is interesting for Linux is that it shows that there is an intent to increase the use of Linux systems during human-operated attacks,” says John Dwyer, Head of Research, X-Force. “For the past few years, Linux attacks have been mostly focused on delivering a cryptominer, ransomware or web shell often through automated mechanisms. But with Vermillion Strike, it offers attackers the opportunity to easily incorporate Linux systems into larger enterprise attacks for things like lateral movement and persistence by incorporating those systems within the Cobalt Strike C2 framework.”
To limit breaches, shift your mindset to a zero-trust philosophy
Cloud migration was an urgent answer to an urgent need. It’s understandable that security was an afterthought as organizations quickly mobilized a work-from-home model. Now, in this work-from-anywhere era, security officers should concentrate on implementing more robust cybersecurity tools and strategies, such as Identity Access Management (IAM).
In the work-from-anywhere world, the perimeter is a person, not a place; organizations need to shift their security mindset. Implementing a zero-trust philosophy can connect the right users to the right data at the right time under the right conditions, while also protecting your organization from cyberthreats.
Whether in a cubicle or in the cloud, on a Microsoft or Linux platform, taking proactive measures to limit access is one of the most effective ways to limit a security breach.