The AhnLab Security Emergency Response Center (ASEC) has detected a significant surge in cyberattacks targeting poorly managed Linux SSH servers.
The primary focus of these attacks is the exploitation of inadequately secured Linux SSH servers. Threat actors aim to obtain critical information, such as IP addresses and SSH account credentials, before deploying malware, including DDoS bots and coin miners.
Threat actors conduct IP scanning to identify servers with active SSH services on port 22. They then launch brute force or dictionary attacks to compromise accounts and install a variety of malware.
Malware commonly installed in attacks against poorly managed Linux SSH servers includes ShellBot, Tsunami, ChinaZ DDoS Bot, and the XMRig coin miner. Notably, ASEC's analysis reveals that besides DDoS bots and coin miners, threat actors also install SSH scanner malware on the compromised servers. The researchers believe the purpose of this is to identify further vulnerable systems and then sell access to them on the dark web.
“Administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks and update to the latest patch to prevent vulnerability attacks,” the researchers advised. “Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access from threat actors. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.”
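The brute force and dictionary attacks described above leave a recognizable trail in the sshd authentication log: a burst of failed logins from one source, often cycling through several usernames, sometimes followed by a successful login. The following detector is an added example, not code from the ASEC report; it runs over a constructed sample of syslog-style sshd lines, flags any source IP with at least `threshold` failures inside a sliding window, and marks a subsequent successful login from a flagged IP as a probable compromise (the log lines, IPs and thresholds are all constructed for illustration).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth log lines (not taken from the ASEC report).
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jan 10 03:14:02 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jan 10 03:14:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 41041 ssh2
Jan 10 03:14:04 host sshd[2104]: Failed password for root from 203.0.113.7 port 41055 ssh2
Jan 10 03:14:05 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 41060 ssh2
Jan 10 03:14:06 host sshd[2106]: Accepted password for root from 203.0.113.7 port 41071 ssh2
Jan 10 03:20:00 host sshd[2150]: Failed password for alice from 198.51.100.5 port 50211 ssh2
Jan 10 03:25:00 host sshd[2160]: Accepted publickey for alice from 198.51.100.5 port 50215 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts):
    # syslog timestamps carry no year; any fixed year works for window arithmetic
    return datetime.strptime("2024 " + ts, "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "users": set, "success_after": bool}} for every
    source IP that produced >= threshold failed logins within window_seconds."""
    fails = defaultdict(list)   # ip -> timestamps of recent failures
    users = defaultdict(set)    # ip -> usernames tried (dictionary attack indicator)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            fails[ip].append(ts)
            users[ip].add(m["user"])
            # sliding window: keep only failures within window_seconds of this one
            fails[ip] = [t for t in fails[ip] if (ts - t).total_seconds() <= window_seconds]
            if len(fails[ip]) >= threshold and ip not in flagged:
                flagged[ip] = {"failures": len(fails[ip]), "users": set(users[ip]), "success_after": False}
        elif ip in flagged:
            # a successful login after a flagged burst: treat as a probable compromise
            flagged[ip]["success_after"] = True
    return flagged
```

On a real host, feed it `/var/log/auth.log` or `journalctl -u ssh` output; a flagged IP with `success_after` set is the case that warrants checking the server for the DDoS bot, miner and scanner payloads described above.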