Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic; the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Increase in attacks targeting Windows & Linux servers
If everything you know about cyberattacks comes from news reports, you could be forgiven for thinking the sky was falling. Attacks that target large organizations happen every day, but they’re not all the kind of black swan events, like a major data breach, that can send a company’s fortunes (or stock price) tumbling and generate bad publicity. Many attacks are far more mundane, involving malware the SophosLabs team tracks in a sort of “Most Wanted” list of “The Usual Suspects”. But though these attacks, and some of the malware they deliver, are well understood and easily contained, every attack carries with it the potential to get far worse if it isn’t dealt with speedily and effectively. To carry the bird metaphor forward, these routine, everyday attacks represent canaries in the coal mine, an early indication of a toxic presence that could quickly spiral out of control.

Attacks targeting Windows & Linux servers

While the vast majority of security incidents we responded to in 2020 involved desktop or laptop computers running variations of Windows, we saw a steady increase in attacks on both Windows and non-Windows servers. In general, servers have long been attractive attack targets for a variety of reasons: they often run for long periods unattended or unmonitored; servers often carry more CPU and memory capacity than individual laptops; and servers may occupy a privileged space on the network, often having access to the most sensitive and valuable data in an organization’s operation. This makes them an attractive foothold for a persistent attacker. These characteristics won’t change in 2021 and Sophos anticipates the volume of attacks targeting servers will continue to increase. The majority of attacks targeting servers fit one of three profiles – ransomware, cryptominers and data exfiltration – each of which has a corresponding, distinct set of tactics and techniques the attackers employ.
Best practice for server admins is to avoid running conventional desktop apps, like email clients or a web browser, from the server as a safeguard against infections, so attacks targeting servers necessarily require a shift in tactics. Internet-facing servers running Windows receive a never-ending barrage of RDP brute-forcing attempts, an attack tactic that, for at least the past three years, has been most often associated with (and predictive of) ransomware attacks. The Sophos Rapid Response team frequently finds that the root cause of the ransomware attacks it investigates involves initial access to the target’s network by means of RDP, followed by the use of those machines to gain a foothold within the network and take control of domain controller (DC) servers, from which the attackers can mount the rest of the attack.

By contrast, cryptojacking attacks tend to target a wider range of vulnerabilities in Windows, and in applications that normally run on server hardware, such as database software. For instance, one method used by the Lemon_Duck cryptominer involves a brute-force attack against internet-facing servers running Microsoft SQL Server. Once the attackers guess the correct database password, they use the database itself to reassemble the cryptojacker payload, write it out to the server’s file system, and execute it. The infected machine then attempts to exploit the EternalBlue and/or SMBGhost vulnerabilities in a bid to spread the cryptojacker.
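As an added example (not part of the Sophos report or this page), the following detection logic looks for the RDP brute-forcing pattern described above in a constructed, simplified Windows Security log: a burst of failed logons from one source followed by a success from that same source, which is the point at which a guessed password turns into the foothold the report describes. Event IDs 4625/4624 and logon type 10 (RemoteInteractive) are real Windows values; the one-line log format, the thresholds and the sample addresses are assumptions.

```python
# Added example: RDP brute-force detection over a simplified Windows Security log.
# Assumed log format, one event per line (constructed for this example):
#   <ISO timestamp> <event_id> <logon_type> <source_ip> <account>
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = "4625", "4624"
RDP_LOGON_TYPE = "10"

def parse(line):
    ts, event_id, logon_type, src, account = line.split()
    return datetime.fromisoformat(ts), event_id, logon_type, src, account

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts: a source with >= `threshold` RDP failures inside
    `window` (sliding), and any later RDP success from a flagged source."""
    failures = defaultdict(deque)   # source_ip -> recent failure timestamps
    flagged = set()
    alerts = []
    for ts, event_id, logon_type, src, account in map(parse, lines):
        if logon_type != RDP_LOGON_TYPE:
            continue                # only RemoteInteractive (RDP) logons
        if event_id == FAILED:
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()         # drop failures outside the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, len(q)))
        elif event_id == SUCCESS and src in flagged:
            # Guessing stopped and a logon succeeded: treat as compromised.
            alerts.append(("success_after_bruteforce", src, account))
    return alerts

# Constructed sample: one external source guessing, one legitimate admin logon.
SAMPLE_LOG = [
    "2020-11-01T02:00:00 4625 10 198.51.100.7 administrator",
    "2020-11-01T02:00:04 4625 10 198.51.100.7 admin",
    "2020-11-01T02:00:09 4625 10 198.51.100.7 backup",
    "2020-11-01T02:00:15 4625 10 198.51.100.7 svc_sql",
    "2020-11-01T02:00:20 4624 10 10.0.0.25 jsmith",
    "2020-11-01T02:00:22 4625 10 198.51.100.7 administrator",
    "2020-11-01T02:01:10 4624 10 198.51.100.7 administrator",
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same logic applies to SQL Server failed-login events (the MSSQL brute-forcing the text attributes to Lemon_Duck), with the event source and identifiers changed accordingly.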