Heimdal

Threat actors brute-forced Linux SSH servers to deploy Tsunami DDoS bot, ShellBot, log cleaners, privilege escalation tools, and an XMRig (Monero) coin miner.

The attackers port-scanned for publicly exposed Linux SSH servers and then brute-forced username and password pairs until one let them log in. The servers that fell were those still accepting password logins with weak or guessable credentials.

More about the Attack on Linux SSH Servers

Once logged in with administrative rights on the host, the threat actors ran a single command that launches a Bash script, which in turn installs the various malware described below.

To maintain access, the attackers generated a new SSH public/private key pair for the breached server, giving them a key-based login that survives a change of the brute-forced password. Among the deployed malware were log cleaners, cryptocurrency miners, privilege escalation tools, and two DDoS bots:

  • ShellBot is a Perl-based DDoS bot that supports port scanning and UDP, TCP, and HTTP flood attacks. It can also open a reverse shell.
  • Tsunami is another DDoS bot; it uses the IRC protocol to receive instructions from, and report back to, its C2 server. Also known as Kaiten, it is one of the strains that have been distributed alongside Mirai and Gafgyt, and it is frequently used in attacks on IoT devices.

Tsunami persists across reboots by writing itself into /etc/rc.local, and it disguises its running process under the names of common system processes.

Besides SYN, ACK, UDP, and random flood DDoS attacks, Tsunami supports an extensive set of remote-control commands.

How to Protect Against Similar Attacks

Security specialists have several recommendations for Linux server operators to harden SSH against this kind of attack:

  • enforce strong, unique passwords for every account that is allowed to log in,
  • use SSH keys to log in, and turn password authentication off once keys are in place,
  • disable root login over SSH,
  • restrict SSH access to a short list of trusted source IP addresses,
  • optionally move sshd off port 22, but treat this as noise reduction only: the campaign above began with a port scan, so a non-default port is found anyway and is no substitute for the controls above.
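The settings recommended above and the two persistence artifacts described earlier (the dropped SSH key pair and the entry in /etc/rc.local) can be checked with a small POSIX shell audit. The script below is an added example written for this page; it is not code from Heimdal or from the research the article summarizes. The file paths, the allow-list format (one known key blob per line) and every sample input are assumptions, and the sample files it writes are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Audits an sshd_config for
# the recommendations above and looks for the two persistence artifacts
# described earlier: an unexpected authorized_keys entry and a command in
# /etc/rc.local. File paths, the allow-list format and sample content are
# assumptions.

# Effective value of an sshd_config keyword. sshd honours the FIRST occurrence,
# ignores comments and matches keywords case-insensitively; a commented-out
# "#PasswordAuthentication no" therefore changes nothing. Prints the supplied
# default when the keyword is absent or only appears inside a Match block.
sshd_effective() {                     # sshd_effective <config> <keyword> <default>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"         { exit }
        tolower($1) == key             { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# One finding per line for settings that leave the host open to the
# brute-force-then-drop-a-key pattern. Defaults follow OpenSSH
# (PasswordAuthentication yes, PermitRootLogin prohibit-password, Port 22).
audit_sshd_config() {                  # audit_sshd_config <config>
    cfg=$1
    [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = no ] \
        || echo "PasswordAuthentication is not 'no': password brute force stays possible"
    [ "$(sshd_effective "$cfg" PermitRootLogin prohibit-password)" = no ] \
        || echo "PermitRootLogin is not 'no': root is still a direct SSH target"
    [ -n "$(sshd_effective "$cfg" AllowUsers '')" ] \
        || echo "AllowUsers is unset: every local account can be guessed against"
    [ "$(sshd_effective "$cfg" PubkeyAuthentication yes)" = yes ] \
        || echo "PubkeyAuthentication is off: keys cannot replace passwords"
    [ "$(sshd_effective "$cfg" Port 22)" != 22 ] \
        || echo "Port is 22: moving it only trims scanner noise, it is not a control"
}

# Flag authorized_keys entries whose key blob is not in an allow-list file of
# known blobs (one base64 blob per line). Entries may carry a leading options
# field ('command="...",no-pty ssh-ed25519 AAAA... comment'), so the key type
# is located by pattern rather than assumed to be field 1.
audit_authorized_keys() {              # audit_authorized_keys <authorized_keys> <allowlist>
    awk -v allow="$2" '
        BEGIN { while ((getline l < allow) > 0) known[l] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-)/) break
            if (i > NF) { print "unparseable entry at line " NR; next }
            if (!($(i+1) in known))
                print "unknown key: " $i " " substr($(i+1), 1, 12) "... " $(i+2)
        }' "$1"
}

# Tsunami is reported to write itself into /etc/rc.local. Print every line that
# would actually run at boot: anything but comments, blanks and the usual "exit 0".
audit_rc_local() {                     # audit_rc_local <rc.local>
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/          { next }
        /^[[:space:]]*exit[[:space:]]+0[[:space:]]*$/ { next }
        { print "runs at boot: " $0 }' "$1"
}

# Constructed sample inputs (not real captures) that trip every check once.
demo() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
EOF
    echo AAAAC3known > "$d/allow"
    cat > "$d/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3known ops@bastion
no-pty,command="/bin/true" ssh-ed25519 AAAAC3known limited@bastion
ssh-rsa AAAAB3dropped attacker
EOF
    cat > "$d/rc.local" <<'EOF'
#!/bin/sh -e
# constructed: a bot re-launching itself at boot
nohup /tmp/.x/sshd >/dev/null 2>&1 &
exit 0
EOF
    echo "== sshd_config";     audit_sshd_config "$d/sshd_config"
    echo "== authorized_keys"; audit_authorized_keys "$d/authorized_keys" "$d/allow"
    echo "== rc.local";        audit_rc_local "$d/rc.local"
    rm -rf "$d"
}

demo
```

Run it as root against /etc/ssh/sshd_config, each user's ~/.ssh/authorized_keys and /etc/rc.local, with an allow-list of the key blobs you actually issued. The source-IP restriction from the list above is normally enforced at the firewall (or with a Match Address block), so it is not something this config check can confirm; and a clean result here says nothing about log cleaners that may already have run, which is why the authorized_keys comparison is against an out-of-band allow-list rather than against the host's own records.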

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.