Security News > 2023 > June > Compromised Linux SSH servers engage in DDoS attacks, cryptomining

Poorly managed Linux SSH servers are getting compromised by unknown attackers and instructed to engage in DDoS attacks while simultaneously mining cryptocurrency in the background.

"The source code of Tsunami is publicly available so it is used by a multitude of threat actors. Among its various uses, it is mostly used in attacks against IoT devices. Of course, it is also consistently used to target Linux servers," researchers with AhnLab's Security Emergency response Center explained.

A threat actor is mounting dictionary attacks to log into Linux servers with SSH installed and saddle the server with the Tsunami and ShellBot DDoS bots, the XMRig CoinMiner program, and Log Cleaner - a tool for deleting and modifying logs.

"Among the malware that are installed, the 'key' file is a downloader-type Bash script that installs additional malware. In addition to being a downloader, it also performs various preliminary tasks to take control of infected systems, which includes installing a backdoor SSH account," ASEC researchers noted.

In the event that a Linux system has been compromised, administrators should leverage the IoCs shared by security researchers to eliminate malware and malicious scripts from the system.

In these specific attacks, the threat actors also create an SSH backdoor account, which serves as a fail-safe measure to retain access to the system in case administrators change the password of the primary admin account.

News URL

https://www.helpnetsecurity.com/2023/06/20/linux-ssh-ddos/