VMware on Wednesday released research that says attackers now view injecting malware into Linux-based systems as their ticket to gaining access to multi-cloud environments.

In a blog post, the VMware researchers said ransomware has evolved to target the Linux host images used to spin up workloads in virtualized environments.

The research also found that 89% of cryptojacking attacks use XMRig-related libraries and that more than 50% of Cobalt Strike users may be cybercriminals, or at least use Cobalt Strike illicitly.

Cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit to maximize their impact with as little effort as possible, said Giovanni Vigna, senior director of threat intelligence at VMware. 

“Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that compromising a single server can deliver the massive payoff and access they’re looking for,” said Vigna. “Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data. Unfortunately, current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems.”

Davis McCarthy, principal security researcher at Valtix, said cybercriminals look for an attack surface that’s an unpatched, always-on, publicly-available system, which perfectly describes the existing state of the cloud. McCarthy explained that Linux underpins cloud infrastructure because of how flexible it is at running a myriad of services: APIs, web applications, DevOps environments, and databases. This availability of customizable resources comes with technical debt, he said, leading to misconfigurations and a lack of security controls and processes. With Linux being a shared platform across cloud providers, threat actors benefit from improving their capabilities for the OS.

“XMRig is an open source, cross-platform, Monero cryptocurrency miner that can easily integrate into any campaign targeting a specific service or vulnerability,” explained McCarthy. “Cobalt Strike operates as a command-and-control framework that leverages programmable profiles for its Beacons. As threat actors move their ransomware campaigns from on-premises to the cloud, they need tools that scale their operations.”
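The XMRig statistic above is the kind of finding a defender can act on directly, because a miner has to announce itself on its own command line: it needs a pool URL (normally a `stratum+tcp://` or `stratum+ssl://` address) and, in XMRig's case, a recognisable set of long options such as `--donate-level` and `--algo`. The script below is an added example, not code from VMware, Valtix or the research discussed here. It scores process-listing lines in the shape of `ps -eo pid,user,pcpu,args --no-headers` for those indicators plus two weaker heuristics (sustained high CPU and execution from a scratch or hidden directory). The sample `ps` output, the wallet placeholder, the score weights and the reporting threshold are all constructed assumptions for the example.

```python
"""
Host-side hunt for XMRig-style cryptojacking on a Linux server.

Added example, not VMware's or Valtix's code. Scores lines shaped like the
output of `ps -eo pid,user,pcpu,args --no-headers` for XMRig indicators.
Weights, threshold and sample data are assumptions made for the example.
"""
import os
import re
from dataclasses import dataclass, field

# Constructed sample of `ps -eo pid,user,pcpu,args --no-headers` output.
# PIDs 3155 and 3160 are the miners; the rest is ordinary server noise.
SAMPLE_PS = """\
  901 root       0.3 /usr/sbin/sshd -D
 1203 www-data   1.8 nginx: worker process
 2410 postgres   4.2 postgres: checkpointer
 3155 www-data  97.5 /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u 4WALLETADDRESS -p x -k --donate-level 1
 3160 www-data  95.0 ./kswapd0 --url=stratum+ssl://203.0.113.9:443 --algo=rx/0 --coin=monero -t 8
 3301 ubuntu     0.0 python3 /opt/app/worker.py
"""

# Long options that appear in XMRig's own command-line help.
XMRIG_LONG_OPTS = {
    "--url", "--user", "--pass", "--algo", "--coin", "--donate-level",
    "--keepalive", "--nicehash", "--rig-id", "--randomx-1gb-pages", "--tls",
}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.IGNORECASE)
PS_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+(?:\.\d+)?)\s+(.*)$")
# World-writable scratch locations miners are commonly dropped into.
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
HIGH_CPU = 80.0        # assumed: sustained CPU above this is worth a look
REPORT_THRESHOLD = 5   # assumed: one strong indicator is enough to report


@dataclass
class Finding:
    pid: int
    user: str
    pcpu: float
    args: str
    score: int = 0
    reasons: list = field(default_factory=list)


def score_process(pid: int, user: str, pcpu: float, args: str) -> Finding:
    """Attach a score and human-readable reasons to one process line."""
    f = Finding(pid, user, pcpu, args)
    tokens = args.split()
    if not tokens:
        return f
    exe = tokens[0]
    # Strong indicators: the XMRig binary name, or a stratum pool URL in argv.
    if os.path.basename(exe).lower() == "xmrig":
        f.score += 5
        f.reasons.append("binary named xmrig")
    if STRATUM_RE.search(args):
        f.score += 5
        f.reasons.append("stratum mining-pool URL in argv")
    # Medium indicator: XMRig-specific long options (handles --opt=value too).
    opts = {t.split("=", 1)[0] for t in tokens[1:] if t.startswith("--")}
    hits = sorted(opts & XMRIG_LONG_OPTS)
    if hits:
        f.score += len(hits)
        f.reasons.append("XMRig options: " + " ".join(hits))
    # Weak indicators: heavy CPU, and running out of a scratch or hidden path.
    if pcpu >= HIGH_CPU:
        f.score += 2
        f.reasons.append(f"{pcpu:.1f}% CPU")
    if exe.startswith(SCRATCH_DIRS) or "/." in exe:
        f.score += 2
        f.reasons.append(f"runs from {exe}")
    return f


def analyze_ps(ps_output: str) -> list:
    """Return Findings at or above REPORT_THRESHOLD, highest score first."""
    findings = []
    for line in ps_output.splitlines():
        m = PS_LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than crash
        pid, user, pcpu, args = int(m[1]), m[2], float(m[3]), m[4]
        f = score_process(pid, user, pcpu, args)
        if f.score >= REPORT_THRESHOLD:
            findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in analyze_ps(SAMPLE_PS):
        print(f"pid {f.pid} ({f.user}) score={f.score}: {'; '.join(f.reasons)}")
```

On a live host, replace `SAMPLE_PS` with the output of the same `ps` invocation; note that PID 3160 is caught purely on its argv, since the binary has been renamed to look like the `kswapd0` kernel thread, which is why the pool URL and option set carry more weight here than the file name.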

John Bambenek, principal threat hunter at Netenrich, said compromised infrastructure is particularly useful to attackers who wish to use someone else’s resources to launch their attacks or otherwise obfuscate their identities.

“We will keep adopting new technologies in the Linux world that will introduce new vulnerabilities and problems for organizations,” Bambenek said. “We are only just now getting our hands around cloud asset management, and asset management is essentially the first step of any security program.”