Threat to Windows and Linux cannot be really put in the same basket

Twice in the space of three months, researchers from BlackBerry have put out studies pushing claims about malware and ransomware that is alleged to attack Linux, giving the impression that this operating system is also under as much threat as Windows.

But both studies contained little to justify these conclusions; the second, issued in the first week of June, contained the word Linux thrice, in two sentences. One of these was the line: “Tycoon is a multi-platform Java ransomware targeting Windows and Linux that has been observed in-the-wild since at least December 2019.”

And the other was: “The malicious JRE build contains both Windows and Linux versions of this script, suggesting that the threat actors are also targeting Linux servers.”

The rest of the study, which runs to about 1500 words (not counting text in illustrations and tables), dealt solely with the Windows version of what the researchers claimed was a new form of ransomware known as Tycoon.

The earlier study, issued in April, claims that groups connected to China were targeting Linux servers with malware, with the claim resting on the reported discovery of a previously unidentified Linux malware toolset which included two kernel-level rootkits that made it difficult to identify executables.

But the study contained no information as to how this malware gained a foothold on these servers, surely an important step in the attack process. When asked, the researchers gave this response: “The rootkits were installed by way of an interactive bash script, which in some cases reached out to an online build server to determine particulars about the target system (distro, kernel version, etc) before delivering a bespoke rootkit and backdoor.” The vulnerabilities in the Linux kernel that were remotely exploited in this manner were not specified; it must be noted that such a class of flaws is very rare for Linux.

The reply added: “There are several ways in which the installation script could have landed on the server, including brute force SSH attack (a technique reportedly used by the botnet to spread itself), physical access to the server (espionage operations are not always exclusively digital), or any other of the myriad ways in which admin credentials for servers are compromised and then used to log in.”

The second study was authored by the BlackBerry Research and Intelligence Team and KPMG’s UK Cyber Response Services Team. It was not sent to iTWire; I spotted a number of articles based on it which hyped up the Linux threat. The American site ZDNet had this: “This new ransomware is targeting Windows and Linux PCs with a ‘unique’ attack”, an inaccurate characterisation.

Bleeping Computer, which claims to specialise in the reporting of malware and ransomware, was no better, with its headline reading: “New Tycoon ransomware targets both Windows and Linux systems”.

Strictly speaking, one did not need to speak to anyone from the company as an op-ed was planned. But one gave BlackBerry the benefit of the doubt and sought clarifications. The company offered a chat with Eric Milam, vice-president of GUARD Services, and Claudiu Teodorescu, director of Threat Research and Intelligence.

Milam was part of Cylance, the security firm that BlackBerry acquired to get into the business. My one encounter with Cylance was not very edifying, to say the least.

The pair said that the information they had received for the study came from KPMG and was from an incident response to one of that company’s clients. Thus, they could only go on what they had – though this was not specified in their study.

They justified the “Linux threat” by saying that there was a version of a shell script written for Linux, and this suggested that Linux was also being targeted.

It was pointed out to them that, in contrast to the vast amount of information concerning the Windows version of the ransomware, there was more or less nothing about the Linux version, and thus such a conclusion was overblown. It was suggested to them that a little more clarification in the study about the fact that they had nothing apart from this one script to go on when it came to Linux would have prevented the sweeping headlines that resulted.

Security companies benefit from the fear that is created around the use of various computing platforms as they sell services and products aimed at quelling these fears. With Windows, the limit has been reached because the problems that that system faces cannot get any worse. The baby of the late Paul Allen and Bill Gates has spawned a multi-billion industry that has sprung up to act as a support system for Windows, a system that came from a company which is a marketing firm first, and a technology company a poor second.

Thus, it is not surprising that companies try to hype up the threat around Linux. If only one could sell half the services around Linux that are sold around Windows, it would make for some handy revenue in an over-crowded market.

Some technology writers help in this enterprise, perhaps out of ignorance or sheer laziness. And, of course, there is the fact that Linux and malware/ransomware in a headline serves as clickbait, a fact I have dealt with in some detail here.

But then one, perhaps, cannot blame BlackBerry too much; their “studies” are meant to serve as marketing material for the company’s services. The writers should carry more of the blame for not reading what they reported on.

The security industry has a history of hyping up threats based on little or no evidence. When the first attributions were made to link a country to malware by Kevin Mandia in 2013, nobody pointed out the difficulty in attribution. His company, Mandiant, became well-known as a result of this and was later bought by FireEye.
