Security News > 2023 > June > Compromised Linux SSH servers engage in DDoS attacks, cryptomining
Poorly managed Linux SSH servers are getting compromised by unknown attackers and instructed to engage in DDoS attacks while simultaneously mining cryptocurrency in the background.
"The source code of Tsunami is publicly available so it is used by a multitude of threat actors. Among its various uses, it is mostly used in attacks against IoT devices. Of course, it is also consistently used to target Linux servers," researchers with AhnLab's Security Emergency response Center explained.
A threat actor is mounting dictionary attacks to log into Linux servers with SSH installed and saddle the server with the Tsunami and ShellBot DDoS bots, the XMRig CoinMiner program, and Log Cleaner - a tool for deleting and modifying logs.
"Among the malware that are installed, the 'key' file is a downloader-type Bash script that installs additional malware. In addition to being a downloader, it also performs various preliminary tasks to take control of infected systems, which includes installing a backdoor SSH account," ASEC researchers noted.
In the event that a Linux system has been compromised, administrators should leverage the IoCs shared by security researchers to eliminate malware and malicious scripts from the system.
In these specific attacks, the threat actors also create an SSH backdoor account, which serves as a fail-safe measure to retain access to the system in case administrators change the password of the primary admin account.
News URL
https://www.helpnetsecurity.com/2023/06/20/linux-ssh-ddos/
Related news
- Crafting Shields: Defending Minecraft Servers Against DDoS Attacks (source)
- TeamCity Flaw Leads to Surge in Ransomware, Cryptomining, and RAT Attacks (source)
- CISA: Here’s how you can foil DDoS attacks (source)
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries (source)
- Malicious SSH backdoor sneaks into xz, Linux world's data compression library (source)
- DinodasRAT malware targets Linux servers in espionage campaign (source)
- New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks (source)
- New HTTP/2 DoS attack can crash web servers with a single connection (source)
- XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor (source)