Careless oversight of Linux SSH servers draws cryptominers, DDoS bots

Cybercriminals are targeting poorly managed Linux SSH servers to install malware for cryptomining or carrying out distributed denial-of-service attacks, researchers have found.

According to a report by AhnLab released this week, bad password management and lax vulnerability patching can allow hackers to exploit the servers for cybercrime.

SSH servers provide secure remote access to a computer or server over a network. Once compromised, they can allow threat actors to infiltrate even more SSH servers and install additional malware. The more servers the hackers control, the more crypto they can mine, or the bigger their DDoS attacks can become.

Before installing such malware, threat actors need to obtain information on their targets, including the IP address and SSH account credentials. They perform IP scanning to identify servers with the SSH service and then use familiar tools to gather credentials, the researchers said.

The two methods are dictionary attacks, in which attackers try to gain unauthorized access to a system by using a large set of predefined words as potential passwords; and brute-force attacks, in which the hackers try all possible combinations of passwords until the correct one is found.

The malware strains found by AhnLab include ShellBot, Tsunami, ChinaZ DDoS Bot and XMRig CoinMiner. Threat actors can also choose to install only scanners, instead of malware, and sell the breached IP and account credentials on the dark web.

The researchers didn't specify a particular threat actor behind these attacks. However, they noted that various hacker groups have employed port scanners and SSH dictionary attack tools in the past, with each group using slightly different tools and files, including lists of account credentials.

AhnLab recommends that administrators maintain strong passwords, keep their server software patched and add security programs such as firewalls.