Linux SSH servers are under attack once again
Hackers are once again targeting poorly secured Linux SSH servers, researchers claim.
The attackers' goal is to install tools that will allow them to compromise more servers. Ultimately, they sell this access to their colleagues or install cryptocurrency miners and other malware on the endpoints.
Cybersecurity researchers from the AhnLab Security Emergency Response (ASEC) claim to have observed threat actors installing port scanners and dictionary tools on vulnerable servers.
Sell access
First, the hackers tried to guess the target's SSH credentials with a classic brute-force or dictionary attack. The process is automated and allows them to try thousands of possible username/password combinations in a short time.
If the server is poorly secured and has an easy-to-guess password (for example, “password” or “12345678”), they can gain access to it and then install other malicious software. The researchers saw how the attackers installed scanners that hunted for port 22 activity. As they explained, that port is tied to the SSH service, allowing them to identify additional endpoints to target.
At that point, they have several options: sell access to the dark web or install additional malware. In examples of the latter, the threat actors were observed installing distributed denial of service (DDoS) tools as well as cryptocurrency miners.
“Threat actors may also choose to simply install scanners and sell the compromised IP and account information on the dark web,” the researchers said. “It is believed that these tools were created by the old PRG team, and each threat actor modifies them slightly before using them in attacks,” they concluded.
The best way to protect your servers against these attacks is to use a strong password consisting of lower and upper case letters, numbers and special symbols. It would be even better if the characters were seemingly random and didn't follow a pattern (e.g. a name or an important date).
Through The HackerNews