Trend Micro Linux Threat Report Identifies Most Vulnerable Distributions and Biggest Security Issues
Analysts looked at 13 million security incidents and found that end-of-life versions of Linux distributions were most at risk.
Linux has now been around long enough that older versions pose security concerns, according to a new report from Trend Micro. Security analysts found that 44% of security breach detections were from CentOS versions 7.4 through 7.9, followed by CloudLinux Server, which had over 40% of detections, and Ubuntu with almost 7%. CentOS 7 was first released in June 2014 and full support ended in August 2019.
Trend Micro’s detection data from Linux Threat Report 2021 1H shows the four main Linux distributions where the main types of threats were found:
- CentOS Linux: 51%
- CloudLinux Server: 31%
- Ubuntu server: 10%
- Red Hat Enterprise Linux: 3%
SEE: The Evolution of Linux on the Desktop: Distributions Are So Much Better Today (TechRepublic)
Trend Micro has analyzed over 13 million security events to identify the top 10 malware families and the most common types of threats. The top five types of threats affecting Linux servers from January 1 to June 30 were:
- Parts miners: 25%
- Web shells: 20%
- Ransomware: 12%
- Trojans: 10%
- Others: 3%
About 40% of detections came from the United States, followed by Thailand and Singapore with 19% and 14%.
The data for the report comes from Trend Micro’s monitoring data of its security products and honeypots, sensors, anonymized telemetry, and other backend services. Trend Micro views this data as an illustration of the true prevalence of malware exploitation and vulnerabilities in businesses large and small across multiple industries.
Most common OWASP and non-OWASP attacks
The report looked at the web-based attacks that are on the Top 10 Open Web Application Security Projects list as well as common attacks that are not on the list. The most common OWASP attacks are:
- SQL injection: 27%
- Command injection: 23%
- XSS 22%
- Unsecured deserialization: 18%
- XML external entity: 6%
- Broken authentication: 4%
Data has shown that injection vulnerabilities and cross-scripting attacks are higher than ever. The authors of the report also noted the high number of insecure deserialization vulnerabilities, which they see as due in part to the ubiquity of Java and deserialization vulnerabilities. Analysis of the data also revealed deserialization vulnerabilities in Liferay Portal, Ruby on Rails, and Red Hat JBoss. Magno Logan and Pawan Kinger wrote the report for Trend Micro and said:
“Attackers are also trying to use the broken authentication vulnerabilities to gain unauthorized access to systems. The number of command injection hits was also a surprise as they are higher than what we expected. were waiting. ”
The report found that brute force attacks, directory browsing, and request smuggling are the three most common non-OWASP security risks.
SEE: Rocky Linux release candidate is now available and is exactly what CentOS admins are looking for (TechRepublic)
How to protect Linux servers
The report also looked at security threats to containers and identified the total vulnerabilities of the 15 most popular official Docker images on Docker Hub. Here’s what the list looks like:
Image Total vulnerabilities
Influx db 85
To protect containers, the report’s authors recommend asking yourself these questions:
- How secure are container images?
- Are container images reliable?
- Are the container images running with the correct privileges?
Companies should also think about code security, the report recommends, and add these code security checks to the development pipeline:
- Static analysis of application security
- Dynamic analysis of application security
- Software composition analysis
- Self-protection of the runtime application
Trend Micro analysts recommend creating a multi-layered security policy that includes the following:
- Intrusion prevention and detection system
- Execution control
- Configuration evaluation
- Vulnerability assessment and patches
- Activity monitoring