Unveiling the intricate web: unraveling compromised Linux SSH servers’ role in DDoS attacks and cryptomining

Greetings, fellow digital explorers, as we embark on another enlightening journey into the depths of the interconnected realm we call the Internet. Today, we delve into a perplexing phenomenon where poorly managed Linux SSH servers become unwitting pawns in the hands of unknown assailants, engaging in a dual mission of launching distributed denial-of-service (DDoS) attacks while clandestinely mining cryptocurrencies.

The Mysterious Tsunami DDoS Bot: At the center of this enigma lies the Tsunami DDoS bot, also known as Kaiten. This breed of DDoS bot communicates with its orchestrators over the Internet Relay Chat (IRC) protocol. Tsunami is frequently distributed alongside other notorious malware strains like Mirai and Gafgyt, broadening the attackers’ arsenal.

According to the esteemed researchers at AhnLab’s Security Emergency Response Center (ASEC), Tsunami’s source code is publicly accessible, making it a favored tool among various threat actors. While its primary targets are Internet of Things (IoT) devices, Tsunami consistently sets its sights on Linux servers as well, making it a formidable adversary to be reckoned with.

Linux SSH Server Infiltration: The modus operandi of these malevolent actors involves mounting dictionary attacks against Linux servers equipped with SSH. Once successful, they promptly implant the Tsunami and ShellBot DDoS bots, the XMRig CoinMiner program, and Log Cleaner—a tool that efficiently erases and alters logs, effectively obscuring their illicit activities.

ASEC researchers shed light on the installation process, stating that a crucial component of the malware is a downloader-type Bash script, colloquially known as the “key” file. This script serves as a conduit for additional malware, while also executing various preliminary tasks to secure control over the compromised systems, including the establishment of a backdoor SSH account.

The Tsunami and ShellBot bots employ the IRC protocol to transmit pilfered information to the command-and-control (C2) server, ensuring seamless communication with their puppeteers. Meanwhile, the Log Cleaner utility serves to camouflage the nefarious operations, making subsequent investigations challenging. Lastly, the XMRig CoinMiner is discreetly installed to exploit the compromised server’s computational resources for cryptocurrency mining, adding a profitable dimension to the attackers’ scheme.
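The chain described above leaves traces a defender can look for on the host: the dictionary attack and the eventual successful login in sshd’s authentication log, the bots’ IRC sessions in the socket table, and the miner in the process list. The POSIX shell helpers below are an added illustration, not code from this post or from ASEC’s report. The auth.log, `ss -tnp` and `ps -eo pid,user,args` excerpts are constructed samples in the usual OpenSSH and iproute2 formats, the failure threshold and the IRC port range (6660-6669 and 6697) are assumptions, and the process names in the samples are made up.

```shell
#!/bin/sh
# Added example, not code from the original post or ASEC. Each function takes
# its input as a string so the checks run offline on the constructed samples
# below; in practice pipe in /var/log/auth.log, `ss -tnp` and `ps -eo pid,user,args`.

# Constructed auth.log excerpt: 203.0.113.5 runs a dictionary attack against
# root and then gets in; 198.51.100.7 is a legitimate user with one typo.
SAMPLE_AUTH_LOG='Jun 20 10:01:02 web1 sshd[2311]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jun 20 10:01:03 web1 sshd[2313]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Jun 20 10:01:04 web1 sshd[2315]: Failed password for root from 203.0.113.5 port 51026 ssh2
Jun 20 10:01:05 web1 sshd[2317]: Failed password for root from 203.0.113.5 port 51028 ssh2
Jun 20 10:01:06 web1 sshd[2319]: Failed password for root from 203.0.113.5 port 51030 ssh2
Jun 20 10:01:07 web1 sshd[2321]: Accepted password for root from 203.0.113.5 port 51032 ssh2
Jun 20 10:05:00 web1 sshd[2400]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jun 20 10:05:10 web1 sshd[2402]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2'

# Constructed `ss -tnp` output: an IRC session to a C2 host next to a normal
# sshd session and the miner's pool connection (process names are made up).
SAMPLE_SS='ESTAB 0 0 10.0.0.5:43122 192.0.2.10:6667 users:(("tsunami",pid=4412,fd=3))
ESTAB 0 0 10.0.0.5:22 198.51.100.7:40012 users:(("sshd",pid=2402,fd=4))
ESTAB 0 0 10.0.0.5:53010 192.0.2.20:3333 users:(("xmrig",pid=4501,fd=5))'

# Constructed `ps -eo pid,user,args` output.
SAMPLE_PS=' 1200 root     /usr/sbin/nginx -g daemon on;
 2402 root     sshd: alice [priv]
 4501 www-data /tmp/xmrig -o stratum+tcp://pool.example:3333 --donate-level 1'

# Source addresses with at least $2 failed SSH logins (dictionary attack).
ssh_bruteforce_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip }' | sort
}

# Sources that were eventually accepted after $2 or more failures: the
# attack succeeded and the host should be treated as compromised.
ssh_success_after_bruteforce() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($0 ~ /Failed password/) fails[ip]++
            else if (fails[ip] >= min) hit[ip] = 1
        }
        END { for (ip in hit) print ip }' | sort
}

# Established connections to IRC ports (assumed range 6660-6669 and 6697);
# prints the remote endpoint, which is the C2 candidate to block.
irc_connections() {
    printf '%s\n' "$1" | awk '
        $1 == "ESTAB" {
            n = split($5, a, ":"); port = a[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 6697) print $5
        }'
}

# PIDs whose command line looks like XMRig or a stratum pool client.
miner_processes() {
    printf '%s\n' "$1" | awk '/xmrig|minerd|stratum[+]tcp/ { print $1 }'
}

echo "brute-force sources:  $(ssh_bruteforce_sources "$SAMPLE_AUTH_LOG" 5)"
echo "successful after BF:  $(ssh_success_after_bruteforce "$SAMPLE_AUTH_LOG" 5)"
echo "IRC peers:            $(irc_connections "$SAMPLE_SS")"
echo "miner PIDs:           $(miner_processes "$SAMPLE_PS")"
```

The second check is the one worth alerting on: many failures followed by an accepted login from the same source is the signature of a dictionary attack that worked, and at that point the host should be triaged rather than merely rate-limited.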

Safeguarding Against Attacks and Mitigating Damage
Fortunately, fortifying one’s defenses against these insidious attacks is within reach. System administrators are encouraged to adopt robust security measures, including the implementation of strong, unique passwords, the utilization of multi-factor authentication for SSH accounts, and the deployment of firewalls to block unauthorized access attempts.

In the unfortunate event of a Linux system succumbing to compromise, administrators must promptly act to eradicate the malware and malicious scripts. Leveraging the indicators of compromise (IoCs) shared by vigilant security researchers is an invaluable resource in this endeavor.

In these specific attacks, the threat actors establish an SSH backdoor account, acting as a failsafe to retain access even if administrators change the primary admin account’s password. Hence, it is imperative to remove this account to ensure a comprehensive security posture.

Moreover, severing the malware’s communication channels with the C2 servers is of utmost importance, as it prevents data exfiltration and the delivery of further instructions from the malevolent entities lurking in the shadows.
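The hardening advice and the three remediation steps above (remove the malware, remove the backdoor account, cut off the C2 channel) can each be turned into a check an administrator can run. The POSIX shell script below is an added example, not code from this post or from ASEC; the sshd_config, /etc/passwd and IoC-list inputs are constructed samples with placeholder addresses, the list of provisioned users is an assumption, and the rules it emits are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not code from the original post or ASEC. Inputs are passed
# as strings so the checks run on the constructed samples below; in practice
# feed /etc/ssh/sshd_config, /etc/passwd and the vendor's IoC list.

# Constructed sshd_config with the settings a dictionary attack relies on.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
#MaxAuthTries 6'

# The corrected configuration: keys only, no root login, fewer attempts.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3'

# Print each directive whose effective value is the weak one. Comments are
# skipped and, as in sshd, the first occurrence of a directive wins. A missing
# PasswordAuthentication is reported because OpenSSH defaults it to yes.
sshd_weak_settings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 2 { next }
        !($1 in seen) { seen[$1] = tolower($2) }
        END {
            if (!("PasswordAuthentication" in seen)) seen["PasswordAuthentication"] = "yes"
            if (seen["PasswordAuthentication"] == "yes") print "PasswordAuthentication yes"
            if (seen["PermitRootLogin"] == "yes") print "PermitRootLogin yes"
            if (seen["PermitEmptyPasswords"] == "yes") print "PermitEmptyPasswords yes"
        }'
}

# Constructed /etc/passwd excerpt: "sysadm" was never provisioned by the
# administrators and has UID 0, the kind of backdoor account described above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/home/sysadm:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# Accounts the administrators know they created (space separated, assumed).
KNOWN_USERS="root alice bob"

# Flag any UID-0 account other than root, and any account with an
# interactive shell that is not on the provisioned list.
unexpected_accounts() {
    printf '%s\n' "$1" | awk -F: -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $3 == 0 && $1 != "root" { print $1 " (uid 0)"; next }
        $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 " (unknown interactive account)" }'
}

# Constructed IoC list in the usual one-address-per-line form (placeholder
# addresses, not the ones from ASEC's report).
C2_IOCS='# Tsunami / ShellBot C2 (constructed placeholders)
192.0.2.10
192.0.2.20
'

# Turn the list into egress-block rules. Printed rather than executed so an
# administrator can review them before piping the output to sh.
c2_block_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        { print "iptables -I OUTPUT -d " $1 " -j DROP" }'
}

echo "weak sshd settings:"; sshd_weak_settings "$WEAK_SSHD_CONFIG"
echo "unexpected accounts:"; unexpected_accounts "$SAMPLE_PASSWD" "$KNOWN_USERS"
echo "C2 block rules:"; c2_block_rules "$C2_IOCS"
```

Comparing /etc/passwd against a list of accounts you know you created is the simplest way to catch the failsafe account the attackers add; checking for extra UID 0 entries catches the case where it was given root outright. The sshd audit on the hardened sample prints nothing, which is the state to aim for.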

As we conclude our expedition into the intricate web of compromised Linux SSH servers engaging in DDoS attacks and cryptomining, it is clear that the vigilance of administrators and their commitment to robust security practices are pivotal in maintaining a resilient cyber landscape. By fortifying our defenses and swiftly responding to threats, we can ensure the integrity of our digital infrastructure, safeguarding the boundless potential that the Internet holds for us all.
