
Attackers exploit Linux servers for cybercrime, highlighting the danger of weak passwords – Naked Security


Researchers from Korean anti-malware company AhnLab have issued a warning about an increasing number of cybercriminals using old-school techniques to gain access to Linux shell servers. These attackers are then using the compromised servers as launching points for further attacks on innocent third parties. The consequences of these attacks can be significant, resulting in unexpected electricity bills and damage to reputations, as downstream victims may mistakenly blame those whose servers were used to initiate the attacks.

The cybercriminals behind these attacks are targeting Linux shell servers that are accepting SSH (Secure Shell) connections over the internet. They employ a simple technique of guessing common username/password combinations in the hopes of finding a poorly-secured account. While well-secured SSH servers would require additional logon security measures such as cryptographic keypairs or 2FA codes, hastily set up servers or preconfigured containers may have insecure default settings, leaving them vulnerable to attack. AhnLab’s researchers found that even password dictionary lists were effective against these poorly secured servers.
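The password-guessing activity described above leaves a characteristic trail in sshd's auth log: many `Failed password` lines from one source address, often cycling through usernames, sometimes followed by an `Accepted password` line for one of them. The script below is an added example (not from the Naked Security article or AhnLab's report) that runs that detection over a few constructed log lines; the addresses, hostnames and usernames are made up, and the threshold and time window are assumed values a defender would tune for their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the lines sshd writes to auth.log. Hostnames,
# addresses, usernames and PIDs are made up for this example.
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:01 shell01 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 12 03:14:03 shell01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Jun 12 03:14:05 shell01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 40116 ssh2
Jun 12 03:14:07 shell01 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40118 ssh2
Jun 12 03:14:09 shell01 sshd[2109]: Failed password for ubuntu from 203.0.113.7 port 40120 ssh2
Jun 12 03:14:11 shell01 sshd[2111]: Accepted password for ubuntu from 203.0.113.7 port 40122 ssh2
Jun 12 03:20:44 shell01 sshd[2150]: Accepted publickey for deploy from 198.51.100.5 port 51000 ssh2: ED25519 SHA256:constructedfingerprint
Jun 12 03:21:02 shell01 sshd[2152]: Failed password for alice from 198.51.100.9 port 51002 ssh2
"""

# Matches both successful and failed sshd authentication records, including the
# "invalid user" form that sshd logs for usernames that do not exist.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_events(log_text, year=2024):
    """Turn raw auth.log lines into (timestamp, result, method, user, ip) tuples.
    Syslog timestamps carry no year, so one is assumed (constructed value)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['month']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_password_guessing(log_text, threshold=5, window_seconds=300):
    """Flag source addresses with >= threshold failed password logins inside a
    sliding window, and separately flag any password login that succeeds from
    such an address (a likely compromise rather than just an attempt)."""
    failures = defaultdict(list)  # ip -> [(timestamp, username)] for failed password attempts
    flagged = {}
    success_after_guessing = []
    for ts, result, method, user, ip in parse_events(log_text):
        if method != "password":  # key-based logins are not part of this pattern
            continue
        # Keep only failures that fall inside the window ending at this event.
        recent = [(t, u) for t, u in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        failures[ip] = recent
        if result == "Failed":
            recent.append((ts, user))
            if len(recent) >= threshold:
                flagged[ip] = {"failures": len(recent), "users": sorted({u for _, u in recent})}
        elif result == "Accepted" and len(recent) >= threshold:
            success_after_guessing.append((ip, user))
    return {"guessing": flagged, "success_after_guessing": success_after_guessing}


if __name__ == "__main__":
    report = detect_password_guessing(SAMPLE_AUTH_LOG)
    for ip, info in report["guessing"].items():
        print(f"password guessing from {ip}: {info['failures']} failures, users tried: {info['users']}")
    for ip, user in report["success_after_guessing"]:
        print(f"ALERT: password login for {user!r} from {ip} succeeded after guessing")
```

The single failure from 198.51.100.9 and the key-based login from 198.51.100.5 are left alone; only the burst from 203.0.113.7 is reported, and the `Accepted password` that follows it is raised separately because that is the event that turns an attempt into a compromised account.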

Once the attackers gain access to the compromised servers, they typically deploy one of three common tactics. Firstly, they may install a DDoS attack tool called Tsunami. This involves commanding a large number of compromised computers to bombard a victim’s online services with time-wasting requests, overwhelming the server and denying access to legitimate users. Secondly, they may install a cryptomining toolkit named XMRig, which reduces processing capacity for legitimate work and increases electricity consumption. Finally, they may install a zombie program such as PerlBot or ShellBot, which allows them to issue further commands to compromised servers at will, including installing additional malware or opening backdoors for future access.

An ironic aspect of these attacks is that attackers who implant new files via compromised SSH logins often modify the server’s existing SSH configuration to create a supposedly secure backdoor for themselves. This is achieved by manipulating the authorized public keys, which are supposed to be used for key-based logins. Public-key-based SSH logins are generally considered to be more secure than password-based logins, as they do not involve exchanging passwords between the client and the server. However, if attackers can implant rogue public keys, they can grant themselves future access without the need for passwords.

To protect against these attacks, AhnLab researchers offer several recommendations. First and foremost, organizations should disable password-only SSH logins and switch to public-private key authentication. This not only improves security but also facilitates automated logons. Regularly reviewing the public keys relied upon by the SSH server for automated logins is also important. Additionally, organizations should review their SSH server configurations for any suspicious changes made by attackers, such as enabling root logins or activating password-only logins. Using XDR (Extended Detection and Response) tools to monitor for unusual activity is also recommended. High bursts of network traffic to unexpected destinations or consistently high CPU load could indicate malicious activity.
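Two of the recommendations above, and the authorized-keys backdoor described earlier, lend themselves to a small audit that can be run on each server. The script below is an added example (it is not the article's or AhnLab's code) that checks an sshd_config excerpt for password-only logins and root logins, and compares every key in an authorized_keys file against an allowlist of known fingerprints the way `ssh-keygen -lf` would compute them. The config excerpts, the authorized_keys content and the key blobs are constructed for the example; the blobs are placeholder bytes rather than real public keys, and the fingerprint allowlist is derived from the known blob only so the example is self-contained.

```python
import base64
import hashlib
import re

# Constructed sshd_config excerpt for a hastily set-up server (not from the page).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# The same excerpt after applying the article's recommendations.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section of sshd_config.
    sshd honours the first occurrence of a keyword, and lines after a Match
    block apply only conditionally, so the audit stops at the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=\s*)?(.*)$", line)  # "Keyword value" or "Keyword=value"
        if not m:
            continue
        kw, value = m.group(1).lower(), m.group(2).strip()
        if kw == "match":
            break
        settings.setdefault(kw, value)
    return settings


def audit_sshd_config(text):
    """List the weak settings the article warns about. Defaults follow OpenSSH:
    PasswordAuthentication defaults to yes, PermitRootLogin to prohibit-password."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled: password guessing remains possible")
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: key-based logins cannot replace passwords")
    return findings


def fingerprint(blob_b64):
    """SHA256 fingerprint in the same form ssh-keygen prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Placeholder key material (constructed, not real keys); the fingerprint is
# still computed over the decoded bytes exactly as for a real key blob.
KNOWN_KEY_BLOB = base64.b64encode(b"constructed key material for the deploy user").decode()
ROGUE_KEY_BLOB = base64.b64encode(b"constructed key material planted by an intruder").decode()

AUTHORIZED_KEYS = f"""\
# deploy automation key
ssh-ed25519 {KNOWN_KEY_BLOB} deploy@ci
ssh-ed25519 {ROGUE_KEY_BLOB} root@localhost
"""

# In practice this inventory comes from your key-management records; here it is
# built from the one known blob so the example runs stand-alone.
EXPECTED_FINGERPRINTS = {fingerprint(KNOWN_KEY_BLOB)}

# Finds the key type and blob even when option fields (from=, command=, ...) precede them.
KEY_RE = re.compile(r"(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+)\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")


def audit_authorized_keys(text, expected):
    """Return (fingerprint, comment) for every key not in the expected set."""
    unknown = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            unknown.append(("unparseable", line))
            continue
        fp = fingerprint(m.group("blob"))
        if fp not in expected:
            unknown.append((fp, m.group("comment") or ""))
    return unknown


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name} sshd_config:", audit_sshd_config(cfg) or "no findings")
    for fp, comment in audit_authorized_keys(AUTHORIZED_KEYS, EXPECTED_FINGERPRINTS):
        print(f"unexpected authorized key {fp} ({comment})")
```

Run against a real host, the config text would come from `sshd -T` (which prints the effective settings after defaults and includes are resolved) rather than from the file on disk, and the allowlist from wherever the organisation records which keys are supposed to exist; a key that is valid but not in that record is exactly the planted-backdoor case the article describes.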

In conclusion, AhnLab’s warning highlights the importance of securing Linux shell servers against attacks that exploit weak SSH configurations. By implementing stronger authentication methods and regularly reviewing server configurations, organizations can protect themselves from being unwitting accomplices in cyberattacks. Vigilance and the use of monitoring tools are essential in detecting and mitigating the consequences of these attacks.
