Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining

December 27, 2023 | Newsroom | Malware / Server Security

Poorly protected Linux SSH servers are being attacked by bad actors to install port scanners and dictionary attack tools, with the goal of targeting other vulnerable servers and co-opting them into a network to carry out cryptocurrency mining and distributed denial-of-service (DDoS) attacks.

"Threat actors may also choose to install only scanners and sell the breached IP and account credentials on the dark web," AhnLab Security Emergency Response Center (ASEC) said in a report on Tuesday.

In these attacks, adversaries attempt to guess a server's SSH credentials by running through a list of commonly used username and password combinations, a technique called a dictionary attack.

If the brute force attempt is successful, the threat actor deploys other malware, including scanners, to search for other susceptible systems on the Internet.

Specifically, the scanner is designed to search for systems where port 22, which is associated with the SSH service, is active and then repeat the process of staging a dictionary attack to install malware, effectively spreading the infection.

Another notable aspect of the attack is the execution of commands such as "grep -c ^processor /proc/cpuinfo" to determine the number of CPU cores.

"These tools are believed to have been created by the former PRG team, and each threat actor modifies them slightly before using them in attacks," ASEC said, adding that there is evidence of such malicious software being used as early as 2021.

To mitigate the risks associated with these attacks, it is recommended that users rely on passwords that are difficult to guess, rotate them periodically, and keep their systems up to date.
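On the detection side, the pattern described above (many failed password guesses across several usernames from one address, then a successful password login from that same address) can be found in sshd authentication logs. The following is an added example, not code from the ASEC report; the log lines are constructed samples in OpenSSH syslog format using documentation IP ranges, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Dec 27 03:10:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Dec 27 03:10:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 40130 ssh2
Dec 27 03:10:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 40138 ssh2
Dec 27 03:10:07 host sshd[1004]: Failed password for invalid user oracle from 203.0.113.7 port 40146 ssh2
Dec 27 03:10:09 host sshd[1005]: Failed password for ubuntu from 203.0.113.7 port 40154 ssh2
Dec 27 03:10:11 host sshd[1006]: Accepted password for ubuntu from 203.0.113.7 port 40162 ssh2
Dec 27 08:30:00 host sshd[2001]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Dec 27 08:30:09 host sshd[2002]: Accepted password for alice from 198.51.100.20 port 51004 ssh2
Dec 27 09:00:00 host sshd[3001]: Accepted publickey for deploy from 192.0.2.50 port 52000 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, min_failures=5, min_users=3):
    """Return per-IP findings: 'dictionary' = many failures over many usernames,
    'compromised' = that same IP later got an Accepted password login."""
    failures = defaultdict(int)   # failed attempts per source IP
    users = defaultdict(set)      # distinct usernames tried per source IP
    findings = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
            # Thresholds are assumed defaults, not values from the report.
            if failures[ip] >= min_failures and len(users[ip]) >= min_users:
                findings.setdefault(ip, {"status": "dictionary", "account": None})
        elif ip in findings and m["method"] == "password":
            # A guessed password worked: treat the account as breached.
            findings[ip] = {"status": "compromised", "account": user}
    return findings

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f["status"], f["account"] or "-")
```

A single mistyped password followed by a successful login, as in the `alice` lines, stays below the thresholds and is not flagged.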

The findings come as Kaspersky revealed that a new cross-platform threat called NKAbuse is leveraging a decentralized peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel for DDoS attacks.
