Hackers have set their sights on Linux SSH servers due to their prevalence in hosting critical services. Weak passwords, unpatched vulnerabilities, and misconfigurations serve as open doors for unauthorized access. AhnLab Security Emergency Response Center (ASEC) has uncovered active hacker assaults on these servers, deploying scanner malware.
Threat actors, keen on poorly managed servers, target SSH credentials for DDoS and CoinMiner malware deployment, intensifying cryptocurrency mining. As DDoS attacks amplify with controlled bots, the pursuit of target information heightens malware installations, bolstering the attacker’s arsenal. A wide array of malware finds a haven within these vulnerabilities: ShellBot, Tsunami, ChinaZ DDoS Bot, XMRig CoinMiner, Mirai, Gafgyt, and XorDDoS.
Hackers gain access using stolen SSH credentials, employing malware to initiate attacks. The modus operandi includes scanning for active SSH systems, downloading attack tools, and executing port scans and dictionary attacks. Results are stored for further exploitation, amplifying their access and control over compromised servers. The process entails intricate commands and tools, such as port scanners, banner grabbers, and SSH attack scripts, all orchestrated to leverage stolen credentials and infiltrate systems.
Recommendations for fortification include robust, regularly updated passwords, prompt patch installations, firewall utilization, and a cautious embrace of updated security versions. As these assaults evolve, safeguarding SSH servers requires continuous vigilance and robust cybersecurity measures.
