Attackers Subvert Linux SSH Servers to Mine Cryptocurrency
Wave of Attacks Utilizes ShellBot, Tsunami, ChinaZ DDoS Bot, XMRig CoinMiner
Hackers are targeting Linux Secure Shell servers to install tools for port scanning and dictionary attacks to compromise other vulnerable servers, forming a network for cryptocurrency mining and distributed denial-of-service attacks.
Researchers at AhnLab Security Emergency Response Center analyzed attack campaigns in which hackers scanned IP addresses for servers with the SSH service, or port 22, activated and then launched a brute force or dictionary attack to obtain the ID and password.
"Besides DDoS bots and CoinMiners, threat actors can also install malware that performs such scanning and brute force or dictionary attacks in infected systems, which allows them to take advantage of more vulnerable systems. Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web," the researchers said.
AhnLab researchers identified common malware installed in attacks on Linux SSH servers with poor management, including ShellBot, Tsunami, ChinaZ DDoS Bot and XMRig CoinMiner.
Attack Analysis
Before installing malware, threat actors attempt to log into Linux servers with activated SSH service using an ID and password. After logon, they install malware.
In one recent case, the threat actor opted to install additional scanners instead of malware, likely to identify more vulnerable systems.
After login, the threat actor's first step has been to determine the number of CPU cores on the compromised server. The hacker also obtains account credentials, allowing them to log in again using those credentials and to download a compressed file, which includes a port scanner and an SSH dictionary attack tool.
During analysis of malware used in the attack campaign, the researchers found that the hackers had executed a Bash script named go with the argument 212. The go script is responsible for launching the port scanner, banner grabber and SSH dictionary attack tool, in that order.
"When the port scanner is launched, the IP band and port number to scan for must be given as arguments. The port number is set to 22 (SSH) and the transmitted IP band value is used for the IP A class band," the researchers said.
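The logon pattern described above, a run of failed SSH password attempts from one source followed by a successful login, can be checked for in sshd logs. The Python below is an added example, not code from AhnLab or the original article; the log lines are constructed, and the function name and the five-failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines (OpenSSH message format); not taken from the AhnLab report.
SAMPLE_LOG = """\
Jun 20 03:14:01 web01 sshd[4101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 20 03:14:02 web01 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jun 20 03:14:03 web01 sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 51144 ssh2
Jun 20 03:14:04 web01 sshd[4107]: Failed password for invalid user guest from 203.0.113.7 port 51150 ssh2
Jun 20 03:14:05 web01 sshd[4109]: Failed password for oracle from 203.0.113.7 port 51162 ssh2
Jun 20 03:14:06 web01 sshd[4111]: Accepted password for oracle from 203.0.113.7 port 51170 ssh2
Jun 20 08:30:10 web01 sshd[5200]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Jun 20 08:30:21 web01 sshd[5202]: Accepted password for alice from 198.51.100.20 port 40030 ssh2
Jun 20 09:00:01 web01 sshd[5301]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jun 20 09:00:02 web01 sshd[5303]: Failed password for invalid user ubuntu from 192.0.2.55 port 33002 ssh2
Jun 20 09:00:03 web01 sshd[5305]: Failed password for invalid user pi from 192.0.2.55 port 33003 ssh2
Jun 20 09:00:04 web01 sshd[5307]: Failed password for root from 192.0.2.55 port 33004 ssh2
Jun 20 09:00:05 web01 sshd[5309]: Failed password for invalid user admin from 192.0.2.55 port 33005 ssh2
"""

# Anchored on the line tail so text inside the user name field cannot be read as the source address.
EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")

def find_ssh_guessing(log_text, min_failures=5):
    """Return {source_ip: finding} for sources with at least min_failures failed password logins.
    No time window is applied; a production rule would also bound the interval."""
    failures = defaultdict(int)   # source ip -> failed attempts
    tried = defaultdict(set)      # source ip -> distinct account names attempted
    breached = {}                 # source ip -> first account that logged in after the failures
    for line in log_text.splitlines():
        m = EVENT.search(line.strip())
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
            tried[ip].add(user)
        elif failures[ip] >= min_failures:
            # A success right after a burst of failures: treat the account as compromised.
            breached.setdefault(ip, user)
    return {ip: {"failures": n, "accounts_tried": len(tried[ip]),
                 "verdict": "compromised" if ip in breached else "guessing",
                 "account": breached.get(ip)}
            for ip, n in failures.items() if n >= min_failures}
```

A "compromised" verdict marks the account whose password should be rotated and whose session history should be reviewed first; a "guessing" verdict is a candidate for rate limiting or blocking.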