
Hackers Employ Tsunami DDoS Malware to Target Linux SSH Servers


In a recent attack campaign, AhnLab ASEC has uncovered a threat against poorly managed Linux SSH servers. The attackers have infiltrated these servers with the Tsunami DDoS Bot, along with several other types of malware including ShellBot, XMRig CoinMiner, and Log Cleaner.

The Tsunami DDoS Bot, which is a variant of Kaiten (also known as Ziggy), is often distributed alongside Mirai and Gafgyt to target vulnerable IoT devices. However, Tsunami stands out because it functions as an IRC bot and communicates with the threat actor through IRC. The source code of Tsunami is publicly accessible, leading to its widespread use by various threat actors.

Although Tsunami is primarily used against IoT devices, it is also frequently deployed against Linux servers. Linux servers commonly run the SSH service, and poorly managed ones are exposed to such attacks. SSH gives administrators remote login and control of the system, and they must authenticate with a registered user account. When that authentication relies only on a username and password, an attacker can guess the credentials by brute force or try a pre-made list of common passwords to gain unauthorized access to the system.

In these attacks, the attackers search for exposed servers by scanning specific ports and then try known account credentials in dictionary attacks. Once inside a server, the attackers run a command to download and launch various types of malware. One of the installed pieces of malware is a Bash script referred to as the “key” file, which acts as a downloader and installs additional malware. The “key” file also carries out several initial tasks to gain control over the infected system, including setting up a secret SSH account as a backdoor.

The malware installed via the executed command and downloader Bash script includes Downloader Bash, ShellBot DDoS Bot, Tsunami DDoS Bot, MIG Logcleaner v2.0, 0x333shadow Log Cleaner, privilege escalation malware, and XMRig CoinMiner. ShellBot, a Perl-based DDoS bot that utilizes the IRC protocol for communication, can set up a reverse shell and supports various remote control commands.

The threat actors use MIG Logcleaner v2.0 and Shadow Log Cleaner to remove traces of unauthorized access from compromised systems, which delays detection of the infection by the victims. The privilege escalation malware employed in these attacks is an ELF binary that grants the threat actor elevated privileges.

To mitigate these types of attacks, security analysts recommend several measures. Linux users should use strong passwords or SSH keys to protect against attacks and ensure that root login via SSH is disabled. It is also important to restrict access to the server by allowing only a specific range of IP addresses and altering the default SSH port to a less common number to evade automated bots and infection scripts.
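As an added example (not from the article or AhnLab's report), the following Python script audits an sshd_config against the four recommendations above and rewrites the weak directives; the admin account name and the 192.0.2.0/24 management range are assumed placeholders for a real deployment.

```python
import re

# Constructed sample of a weakly configured sshd_config (not from the article).
WEAK_CONFIG = "# distro defaults\nPort 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"

# Target values; the admin account and 192.0.2.0/24 stand in for the real management range.
HARDENED = {"Port": "2222", "PermitRootLogin": "no", "PasswordAuthentication": "no",
            "AllowUsers": "admin@192.0.2.0/24"}

def parse_sshd_config(text):
    """Keyword (lower-cased) -> value for the global section; first occurrence wins and a Match line ends it, as in sshd."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":
            break
        conf.setdefault(key.lower(), value.strip())
    return conf

def audit(text):
    """One finding per mitigation from the article that the config does not meet."""
    c = parse_sshd_config(text)
    checks = [
        (c.get("permitrootlogin", "prohibit-password") != "no", "root login over SSH not disabled"),
        (c.get("passwordauthentication", "yes") != "no", "password logins allowed; use keys instead"),
        (c.get("port", "22") == "22", "default port 22 in use; first target of automated scanners"),
        (not c.keys() & {"allowusers", "allowgroups"}, "no AllowUsers/AllowGroups restriction to a management IP range"),
    ]
    return [msg for bad, msg in checks if bad]

def harden(text):
    """Replace weak global directives in place; add missing ones before any Match block, whose directives are conditional."""
    canon = {k.lower(): k for k in HARDENED}
    seen, out, tail, lines = set(), [], [], text.splitlines()
    for i, raw in enumerate(lines):
        m = re.match(r"\s*([A-Za-z]+)[\s=]+", raw)
        key = m.group(1).lower() if m else None
        if key == "match":
            tail = lines[i:]
            break
        if key in canon and canon[key] not in seen:
            out.append(f"{canon[key]} {HARDENED[canon[key]]}")
            seen.add(canon[key])
        else:
            out.append(raw)
    out += [f"{k} {v}" for k, v in HARDENED.items() if k not in seen]
    return "\n".join(out + tail) + "\n"
```

Running `audit(WEAK_CONFIG)` reports all four weaknesses, and `audit(harden(WEAK_CONFIG))` reports none; IP restriction at the firewall is still advisable in addition to AllowUsers.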

It is crucial for organizations and individual users to take these mitigations seriously and improve the security of their Linux SSH servers to protect against these types of attacks. By implementing stronger authentication mechanisms and limiting access, the risk of unauthorized access and malware infection can be significantly reduced.
