Linux SSH servers are under attack once again

Hackers want to install DDoS tools and cryptominers


Hackers are once again targeting poorly secured Linux SSH servers, researchers have claimed.

The aim of the attackers is to install tools that will enable them to breach more servers. Ultimately, they either sell this access to their peers or install cryptocurrency miners and other malware on the endpoints.

Cybersecurity researchers from the AhnLab Security Emergency Response (ASEC) claim to have observed threat actors installing port scanners and dictionary tools on vulnerable servers.


Selling the access

First, the hackers try to guess the target’s SSH credentials with a classic brute-force or dictionary attack. The process is automated and allows them to try thousands of possible username/password combinations in a short amount of time.

If the server is poorly protected and has a password that’s easy to guess (for example, “password”, or “12345678”), they can access it and then install other malicious software. The researchers have seen the attackers install scanners hunting for port 22 activity. As they explained, that port is associated with the SSH service, and that allows them to identify additional endpoints to target.
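As an added illustration (not from the article or from ASEC’s research), here is a small detector that reads sshd log lines in syslog format, flags a source that fails several logins within a minute, and notes when that same source then gets an “Accepted” login, which is the trace a successful dictionary attack leaves behind. The log lines, hostnames and IP addresses below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not real data): one noisy source, one legitimate user.
SAMPLE_AUTH_LOG = """\
Nov  9 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 50211 ssh2
Nov  9 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Nov  9 10:00:03 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 50213 ssh2
Nov  9 10:00:04 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 50214 ssh2
Nov  9 10:00:05 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 50215 ssh2
Nov  9 10:00:06 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 50216 ssh2
Nov  9 10:03:30 web1 sshd[2150]: Failed password for alice from 198.51.100.20 port 41000 ssh2
Nov  9 10:05:00 web1 sshd[2160]: Accepted publickey for alice from 198.51.100.20 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2024):
    """Turn sshd syslog lines into (timestamp, result, user, ip) tuples; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failures inside a sliding window, and record
    whether the same IP was later accepted (a likely guessed password)."""
    failures, accepted = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in sorted(events):
        (failures if result == "Failed" else accepted)[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]
                alerts[ip] = {"failures": len(fails),
                              "usernames": sorted({u for _, u in burst}),
                              "accepted_after": any(t >= burst[0][0] for t, _ in accepted[ip])}
                break
    return alerts
```

Running `detect_bruteforce(parse(SAMPLE_AUTH_LOG))` flags only 203.0.113.7, with the usernames it cycled through and `accepted_after` set, which is the event worth paging on rather than the failures alone.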

At that point, they have multiple options: either to sell the access on the dark web, or to install additional malware. In examples of the latter, the threat actors were observed installing distributed denial of service (DDoS) tools as well as cryptocurrency miners.

“Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web,” the researchers said. “These tools are believed to have been created by PRG old Team, and each threat actor modifies them slightly before using them in attacks,” they concluded.


The best way to keep your servers safe from these attacks is to use a strong password, consisting of lowercase and uppercase letters, numbers, and special symbols. It would be even better if the characters were seemingly random and didn’t follow a pattern (for example, a name or an important date).

Via TheHackerNews


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
