According to a recent report by AhnLab Security Emergency Response Center (ASEC), researchers discovered an attack campaign by an unknown threat actor using poorly managed Linux SSH servers to distribute Tsunami DDoS, a distributed-denial-of-service malware, along with several other malware strains to carry out different tasks on compromised machines.
Secure Socket Shell, or SSH, is an encrypted network communication protocol for logging into remote machines.
Further features include support tunneling, TCP port forwarding, file transfers, and several other valuable features used by Linux network admins, including managing Linux devices remotely, performing tasks such as running commands, changing the configuration, updating software, and troubleshooting problems.
Due to how useful the protocol is, it is installed on most Linux server environments. These features in the hands of a malicious threat actor are manna from heaven, and it is little wonder that poorly configured SSH servers are a favored target.
One method used to attack SSH servers is a brute-force attack, sometimes called a dictionary attack. This is when the attacker attempts to log in to a targeted machine using the administrator's credentials. This is done by using commonly used username and password combinations. ASEC researchers further noted,
If simple account credentials (ID/PW) are used in a Linux system, a threat actor can log into the system through brute force or a dictionary attack, allowing them to execute malicious commands. When Linux SSH servers that are poorly managed are attacked, the main attack method involves searching externally exposed SSH servers through port scanning and using the known account credentials to perform dictionary attacks and log in. Malware is then downloaded afterward.
If the targeted server is poorly configured and the attacker can log in, the next step in the attack flow is to execute a command to run the various types of malware used by the threat actor.
The threat actor will also set up private and public keys to the server so they can log in to the now compromised server without using a username and password combination, helping ensure the threat actor has continued access to the compromised machine.
Malware seen installed by researchers include:
- Downloader Bash
- ShellBot DDoS Bot
- Tsunami DDoS Bot
- Logcleaner v2.0
- 0x333shadow Log Cleaner
- Privilege escalation malware
- XMRig CoinMiner
Tsunami and Other Malware Used
ASEC's description of Tsunami is particularly good and reads as follows,
Tsunami is a DDoS bot that is also known as Kaiten. It is one of the several malware strains that have been consistently distributed together with Mirai and Gafgyt when targeting IoT devices that are generally vulnerable. While they all share the common ground of being DDoS bots, Tsunami stands out from the others in that it operates as an IRC bot, utilizing IRC to communicate with the threat actor…The source code of Tsunami is publicly available, so a multitude of threat actors uses it. Among its various uses, it is mostly used in attacks against IoT devices. Of course, it is also consistently used to target Linux servers. Similar to the case where XMRig CoinMiner was distributed to a public Docker container with Tsunami, another case was confirmed where they were also distributed to a cloud environment. In addition, including malware inside unofficially distributed Docker containers is one of its primary attack vectors.
Tsunami has another feature worth mentioning. Tsunami uses an Internet Relay Chat (IRC) protocol to communicate with command-and-control servers. IRC is a real-time Internet chat protocol developed in 1988. Tsunami's IRC bot is a bot malware that abuses this IRC service to communicate with command-and-control servers.
Along with Tsunami, the threat actor was also seen distributing another DDoS malware, ShellBot. The malware was developed in Perl, and it is also an IRC Bot that utilizes the IRC protocol like Tsunami.
Further, it has also been seen used in other attacks on poorly configured Linux SSH servers. The malware payloads include two log cleaners and the deletion or modification of specific logs within these log files. Threat actors can further use these to hinder subsequent research and analysis by security teams.
Lastly, the threat actor drops XMRIG, a cryptocurrency miner that mines Monero, a cryptocurrency favored by cybercriminals for its increased anonymity policies.
These miners work by using the infected system's resources are used to mine Monero coins for the threat actor. Infected systems can also be used for DDoS attacks due to the DDoS bots that are also installed, allowing for additional malicious commands to be executed.
It should be noted that even if this malware is deleted, the threat actor can regain access to the system using the SSH backdoor account they had also installed. This allows them to perform various malicious behaviors like installing different malware strains, as has been seen, and it opens up the possibility of stealing information from the system.
ASEC concluded by advising,
...administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks and update to the latest patch to prevent vulnerability attacks. They should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers.