Careless oversight of Linux SSH servers draws cryptominers, DDoS bots

Omega Balla
Cybercriminals are targeting poorly managed Linux SSH servers to install malware for cryptomining or carrying out distributed denial-of-service attacks, researchers have found.

Cybercriminals are targeting poorly managed Linux SSH servers to install malware for cryptomining or carrying out distributed denial-of-service attacks, researchers have found.

According to a report by AhnLab released this week, bad password management and lax vulnerability patching can allow hackers to exploit the servers for cybercrime.

SSH servers provide secure remote access to a computer or server over a network. Once compromised, they can allow threat actors to infiltrate even more SSH servers and install additional malware. The more servers the hackers control, the more crypto they can mine, or the bigger their DDoS attacks can become.

Before installing such malware, threat actors need to obtain information on their targets, including the IP address and SSH account credentials. They perform IP scanning to identify servers with the SSH service and then use familiar tools to gather credentials, the researchers said.

The two methods are dictionary attacks, in which attackers try to gain unauthorized access to a system by using a large set of predefined words as potential passwords; and brute-force attacks, in which the hackers try all possible combinations of passwords until the correct one is found.

The malware strains found by AhnLab include ShellBot, Tsunami, ChinaZ DDoS Bot and XMRig CoinMiner. Threat actors can also choose to install only scanners, instead of malware, and sell the breached IP and account credentials on the dark web.

The researchers didn’t specify a particular threat actor behind these attacks. However, they noted that various hacker groups have employed port scanners and SSH dictionary attack tools in the past, with each group using slightly different tools and files, including lists of account credentials.

AhnLab recommends that administrators maintain strong passwords, keep their server software patched and add security programs such as firewalls.

CybercrimeMalwareTechnologyBriefs
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Microsoft disables app installation protocol abused by hackers

Next Post

Cyberattack on Massachusetts hospital disrupted records system, emergency services

Related Posts

New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it's likely associated with the North Korean state-sponsored group tracked as Kimsuky. "The malware payloads used in the DEEP#GOSU represent a
Avatar
Read More