Hackers are once again targeting poorly secured Linux SSH servers, researchers have claimed.
The aim of the attackers is to install tools that will enable them to breach more servers. Ultimately, they either sell this access to their peers or install cryptocurrency miners and other malware on the endpoints.
Cybersecurity researchers from the AhnLab Security Emergency Response (ASEC) claim to have observed threat actors installing port scanners and dictionary tools on vulnerable servers.
Selling the access
First, the hackers would try to guess the target’s SSH credentials with a classic brute-force, or dictionary attack. The process is automated and allows them trying thousands of possible username/password combinations in a short amount of time.
If the server is poorly protected and has a password that’s easy to guess (for example, “password”, or “12345678”), they can access it and then install other malicious software. The researchers have seen the attackers install scanners hunting for port 22 activity. As they explained, that port is associated with the SSH service, and that allows them to identify additional endpoints to target.
At that point, they have multiple options – either to sell the access on the dark web, or install additional malware. In examples of the latter, the threat actors were observed installing distributed denial of service (DDoS) tools as well as cryptocurrency miners.
“Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web,” the researchers said. “These tools are believed to have been created by PRG old Team, and each threat actor modifies them slightly before using them in attacks,” they concluded.
The best way to keep your servers safe from these attacks is to use a strong password, consisting of lowercase and uppercase letters, numbers, and special symbols. It would be even better if the characters were seemingly random and didn’t follow a pattern (for example, a name or an important date).
Via TheHackerNews
