Poorly secure Linux SSH servers are being targeted by bad actors installing port scanners and dictionary attack tools with the goal of targeting other vulnerable servers and pulling them into the network for cryptocurrency mining and decentralized denial of service Service (DDoS) attack.
“Threat actors also have the option of simply installing scanners and selling compromised IP and account credentials on the dark web,” the ANLab Security Emergency Center (ASEC) said in a report on Tuesday.
In these attacks, attackers attempt to guess a server’s SSH credentials by executing a list of common combinations of usernames and passwords, a technique known as a dictionary attack.
If the brute force attempt is successful, the threat actor deploys additional malware, including scanners, to scan other vulnerable systems on the network.
Specifically, the scanner is designed to look for systems with active port 22 (associated with the SSH service) and then repeat the dictionary attack process to install the malware, effectively spreading the infection.
Another noteworthy aspect of the attack is executing commands such as “grep -c ^processor /proc/cpuinfo” to determine the number of CPU cores.
ASEC said: “These tools are believed to have been created by the PRG old Team, and each threat actor slightly modified them before using them for attacks.” He added that there is evidence of such malware as early as 2021 has been used.
To mitigate the risks associated with these attacks, users are advised to use passwords that are difficult to guess, rotate passwords regularly, and keep their systems up to date.
The findings come as Kaspersky revealed that a new multi-platform threat called NKAbuse is exploiting a decentralized peer-to-peer network connection protocol called NKN (short for New Networks) as a communication conduit for DDoS attacks.
