One of the Linux ‘selling points’ has always been how secure Linux is when compared to Windows. Another infamous ‘selling point’ has been that most of the world’s servers run Linux, which is not much of a ‘selling point’ for using the Linux desktop, IMHO. BTW, I will be adding this post to the newly created Linux Security Issues page, so that potential Linux Desktop users have another source of info available in case they want to do some research on any Linux ‘selling points’. One of the first posts added to that page yesterday was – Microsoft helping Linux with Security – ‘Microsoft Defender ATP for Linux’.
SophosLabs has just published a detailed report about a malware attack dubbed Cloud Snooper.
The reason for the name is not so much that the attack is cloud-specific (the technique could be used against pretty much any server, wherever it’s hosted), but that it’s a sneaky way for cybercrooks to open up your server to the cloud, in ways you very definitely don’t want, “from the inside out”.
In the post mentioned above, I listed Sophos as one of the apps that provide protection for Linux. Linux being a “totally secure OS” is no longer an honest ‘selling point’ for Linux, and it hasn’t been an honest one for a long, long time.
In the course of investigating a malware infection of cloud infrastructure servers hosted in the Amazon Web Services (AWS) cloud, SophosLabs discovered a sophisticated attack that employed a unique combination of techniques to evade detection and that permits the malware to communicate freely with its command and control (C2) servers through a firewall that should, under normal circumstances, prevent precisely that kind of communication from reaching the infected server.
We have published an in-depth report on the attack, which we have named Cloud Snooper.
Though we discovered the technique in use on AWS, the problem is not an AWS problem per se. It represents a method of piggybacking C2 traffic on legitimate traffic, such as normal web traffic, in a way that can bypass many, if not most, firewalls.
The complexity of the attack and the use of a bespoke APT (Advanced Persistent Threat) toolset gives us reason to believe that the malware and its operators were an advanced threat actor, possibly nation-state sponsored.
The compromised systems were running both Linux and Windows EC2 instances.
OK…apparently this “Cloud Snooper” can get into any server, i.e. not just cloud-based servers, and the “technique” used is not limited to AWS (Amazon Web Services). Security involves a lot more than foolishly believing that Linux is a secure OS just because some Linux developer or user tells you it is secure. Baloney…if you go online and/or have your computer plugged into an electrical outlet, then you are not secure. Linux is certainly not as secure as Windows 10 with its Windows Security on, unless that Linux OS is being protected by some third-party security app. If Linux servers can be breached, then so can the Linux Desktop…so can clouds…so can containers…and so can IoT (Internet of Things) devices.
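To make the “inside out” part of the Sophos description concrete, here is an added illustration (written for this page, not Sophos’s code and not the actual Cloud Snooper implementation, whose details are in the linked report). It models a perimeter rule that only admits traffic to web ports, a host-side rewrite that diverts packets carrying a “magic” source port to a backdoor listener, and a check that catches the diversion by comparing what the firewall admitted with what the host actually received. The port numbers (6060, 2080), the packets and the two log formats are all constructed for the example and are not taken from the report.

```python
"""
Added example: why a destination-port firewall rule passes C2 traffic that a
host-side rootkit redirects, and how a perimeter-vs-host comparison exposes it.
All port numbers, packets and log formats are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


# Hypothetical perimeter policy: only inbound traffic to 80 and 443 is admitted.
FIREWALL_ALLOWED_DST_PORTS = {80, 443}

# Hypothetical rootkit table: a "magic" source port selects the real destination.
ROOTKIT_REDIRECTS = {6060: 2080}   # assumed values, not from the Sophos report
BACKDOOR_PORT = 2080               # assumed backdoor listener, reachable only via rewrite


def firewall_admits(pkt: Packet) -> bool:
    """Stateless perimeter check: the firewall only sees the destination port."""
    return pkt.dst_port in FIREWALL_ALLOWED_DST_PORTS


def rootkit_rewrite(pkt: Packet) -> Packet:
    """Host-side mangling that happens after the firewall already accepted the packet."""
    new_dst = ROOTKIT_REDIRECTS.get(pkt.src_port)
    if new_dst is None:
        return pkt
    return Packet(pkt.src_ip, pkt.src_port, new_dst, pkt.payload)


def deliver(pkt: Packet) -> str:
    """Return which service on the host ends up receiving the packet."""
    if not firewall_admits(pkt):
        return "dropped-by-firewall"
    pkt = rootkit_rewrite(pkt)
    return "backdoor" if pkt.dst_port == BACKDOOR_PORT else "webserver"


def simulate(packets):
    """Run packets through perimeter and host; return what each side would log.
    The flow log stands in for a perimeter record (e.g. VPC flow logs); the host
    log stands in for a host-side record of accepted connections."""
    flow_log, host_log = [], []
    for p in packets:
        admitted = firewall_admits(p)
        flow_log.append({"src_ip": p.src_ip, "src_port": p.src_port,
                         "dst_port": p.dst_port,
                         "action": "ACCEPT" if admitted else "REJECT"})
        if admitted:
            q = rootkit_rewrite(p)
            host_log.append({"src_ip": q.src_ip, "src_port": q.src_port,
                             "dst_port": q.dst_port})
    return flow_log, host_log


def find_diverted(flow_records, host_records):
    """Correlate firewall-accepted flows with host-observed accepts.
    A flow the perimeter logged to port 80 that the host accepted on a different
    port is evidence of in-host port rewriting. Returns tuples of
    (src_ip, src_port, port_the_firewall_saw, port_the_host_saw)."""
    host_by_src = {(h["src_ip"], h["src_port"]): h["dst_port"] for h in host_records}
    diverted = []
    for f in flow_records:
        if f["action"] != "ACCEPT":
            continue
        seen = host_by_src.get((f["src_ip"], f["src_port"]))
        if seen is not None and seen != f["dst_port"]:
            diverted.append((f["src_ip"], f["src_port"], f["dst_port"], seen))
    return diverted


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", 51324, 80, b"GET / HTTP/1.1"),     # ordinary web client
    Packet("203.0.113.9", 6060, 80, b"C2:beacon"),           # looks like web traffic
    Packet("203.0.113.9", 6060, 2080, b"C2:beacon"),         # direct to backdoor: blocked
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.src_ip}:{p.src_port} -> :{p.dst_port}  => {deliver(p)}")
    flow, host = simulate(SAMPLE_PACKETS)
    for hit in find_diverted(flow, host):
        print("diverted flow:", hit)
```

The point of the comparison function is that the perimeter alone cannot see the problem: from the firewall’s side the beacon is an ordinary accepted connection to port 80. Only a host-side view (which socket actually accepted the connection) disagrees with the perimeter record, so a detection needs both data sources and a join on the client address and source port.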
Amazon Web Services first launched in 2006 with one instance and one operating system: Amazon Linux. The cloud computing giant has since expanded to offer customers the option of running on more than 30 instance types and more than 10 operating systems, but Linux, Xen and other open source projects remain the core technologies behind AWS.
That article is from 2014 by The Linux Foundation. I’ve never trusted the “Cloud,” but these types of security attacks are not limited to the “Clouds.” My lack of trust in cloud-usage goes back to an old 2006 Asus MoBo that would somehow use up large chunks of DATA if Express Gate™ was left on – never understood it, but a “Cloud” was involved. I kept it off, but had to double-check at bootup to make sure it was off:
ASUS Express Gate is a technology developed by ASUS and introduced with their P5E3 series that utilizes Splashtop, which is a Linux environment that is integrated into the motherboard.
Here is the full Sophos investigation of the attack (a .pdf file): Cloud Snooper attack bypasses firewall security measures
Apparently in this case, the Cloud Snooper’s set of “tools” started with its Linux malware “tool” first:
I am certainly no expert, so a lot of this is confusing, but I found it interesting that malware has “tools” to use for attacks … i.e. the more sophisticated the malware, the more major “tools” it has available to use and choose from.
Whether you’re a Linux user or not, you must have heard the buzzword about the Linux — “Best OS for security.” Well, it is true, but being a computer program, Linux also has some downside that challenges its security.
Ditto on the earlier Baloney statement! I stopped reading that article the moment I saw another bogus Linux ‘selling point’ being pushed. From now on, I will disregard any article, any blog post, etc that attempts to suggest that Linux is a more secure OS than Windows 10. As pointed out in an earlier post, Microsoft helping Linux with Security – ‘Microsoft Defender ATP for Linux’, Microsoft is actually helping Linux to understand the security problems that they/all are facing now and in the future!
- That was posted on February 4, 2020, but I basically ignored it because Linux had suckered me into believing that Linux was a “secure OS.” Those days are now over…