Threat actors brute-forced Linux SSH servers to deploy Tsunami DDoS bot, ShellBot, log cleaners, privilege escalation tools, and an XMRig (Monero) coin miner.
Hackers port scanned for publicly exposed Linux SSH servers and brute-forced username-password pairs to log in to the server. Improperly secured servers were vulnerable to the attack.
More about the Attack on Linux SSH Servers
After gaining admin user rights on the endpoint, threat actors run a malicious command to execute various malware via a Bash script.
To maintain access, hackers created a new pair of public and private SSH keys for the breached server. Among the deployed malware there were log cleaners, cryptocurrency miners, privilege escalation tools, and two types of DDoS botnets:
- ShellBot is a Pearl-based DDoS bot that supports port scanning, UDP, TCP, and HTTP flood attacks. In addition, it can set up a reverse shell.
- Tsunami is another DDoS botnet malware that also uses the IRC protocol to exfiltrate data to the C2 server and get instructions from it. It is also known as Kaiten and is one of the malware strains that have been distributed together with Mirai and Gafgyt. Tsunami is often used in attacks targeting IoT devices.
Tsunami persists between reboots by writing itself on “/etc/rc.local” and uses typical system process names to hide.
Besides SYN, ACK, UDP, and random flood DDoS attacks, Tsunami also supports an extensive set of remote control commands.
How to Protect Against Similar Attacks
Security specialists have several recommendations for Linux users, to bolster servers` safety.
- enforce strong passwords,
- use SSH keys to log in to the SSH server,
- disable root login through SSH,
- only allow a limited number of IP addresses to access the server,
- change the default SSH port to an atypical one, so bots and infection scripts miss it.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.