Pierluigi Paganini
December 27, 2023
Researchers at AhnLab Security Emergency Response Center (ASEC) are warning about attacks targeting poorly managed Linux SSH servers, primarily focused on installing DDoS bots and CoinMiners.
In the reconnaissance phase, the threat actors perform IP scanning to look for servers with the SSH service, or port 22 activated, then launch a brute force or dictionary attack to obtain the ID and password.
Threat actors can also install malware to scan, perform brute force attacks, and sell breached IP and account credentials on the dark web.
Common malware used in attacks against poorly managed Linux SSH servers include ShellBot [1][2], Tsunami [3], ChinaZ DDoS Bot [4], and XMRig CoinMiner [5].
Once successfully logged in, the threat actor first executed the following command to check the total number of CPU cores.
| > grep -c ^processor /proc/cpuinfo |
“The execution of this command signifies that the threat actor has obtained the account credentials. Afterward, the threat actor logged in again using the same account credentials and downloaded a compressed file.” reads the analysis published by ASEC. “The compressed file contains a port scanner and an SSH dictionary attack tool. Additionally, commands accidentally typed by the threat actor can be seen, such as “cd /ev/network” and “unaem 0a”.”
These researchers believe that the tools employed in the attacks are based on the ones that have been created by the PRG old Team. Each threat actor created its custom version of the tools by modifying them.
The researchers recommend administrators should use strong passwords that are difficult to guess and change them periodically. These measures should protect the Linux SSH servers from brute force attacks and dictionary attacks. The experts also recommend updating to the latest patch to prevent attacks exploiting known vulnerabilities.
“Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access from threat actors. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Linux SSH servers)
