Linux SSH servers are under attack once again

News
By Sead Fadilpašić
published

Hackers want to install DDoS tools and cryptominers

hacker.jpeg
(Image credit: TR)

Hackers are once again targeting poorly secured Linux SSH servers, researchers have claimed.

The aim of the attackers is to install tools that will enable them to breach more servers. Ultimately, they either sell this access to their peers or install cryptocurrency miners and other malware on the endpoints.

Cybersecurity researchers from the AhnLab Security Emergency Response (ASEC) claim to have observed threat actors installing port scanners and dictionary tools on vulnerable servers.

Reader Offer: Save up to 68% on Aura identity theft protection

Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today. 

 Preferred partner (What does this mean?) 

View Deal

Selling the access

First, the hackers would try to guess the target’s SSH credentials with a classic brute-force, or dictionary attack. The process is automated and allows them trying thousands of possible username/password combinations in a short amount of time.

If the server is poorly protected and has a password that’s easy to guess (for example, “password”, or “12345678”), they can access it and then install other malicious software. The researchers have seen the attackers install scanners hunting for port 22 activity. As they explained, that port is associated with the SSH service, and that allows them to identify additional endpoints to target.

At that point, they have multiple options - either to sell the access on the dark web, or install additional malware. In examples of the latter, the threat actors were observed installing distributed denial of service (DDoS) tools as well as cryptocurrency miners.

"Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web," the researchers said. "These tools are believed to have been created by PRG old Team, and each threat actor modifies them slightly before using them in attacks," they concluded.

The best way to keep your servers safe from these attacks is to use a strong password, consisting of lowercase and uppercase letters, numbers, and special symbols. It would be even better if the characters were seemingly random and didn’t follow a pattern (for example, a name or an important date).

Via TheHackerNews

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.