Hacking Campaign Against Linux SSH Servers Infiltrated Servers With Tsunami DDoS Bot

Posted on June 23, 2023 at 10:06 AM

A hacking campaign targeting poorly managed Linux SSH servers was recently detected by AhnLab ASEC researchers. The attackers infiltrated the servers and installed the Tsunami distributed denial-of-service (DDoS) bot.

Hackers target Linux SSH servers with Tsunami DDoS malware

Besides the Tsunami DDoS bot, the threat actor also installed other malware, including a log cleaner, ShellBot, and the XMRig CoinMiner. Most of the attack campaigns observed against Linux SSH servers follow this pattern, with DDoS bots and CoinMiners installed on the compromised hosts.

The Tsunami malware is a variant of the Kaiten DDoS bot that is also known as Ziggy. This malware is usually distributed alongside other malware, such as Gafgyt and Mirai, with the attacks being used to target vulnerable Internet of Things (IoT) devices.

The tools used in this campaign are all DDoS bots, but Tsunami stands out because it operates as an IRC bot and communicates with the attacker over IRC. Its source code is openly available, so it is used by a wide range of threat actors.

The Tsunami bot is mainly used in attacks against IoT devices, but it is also regularly deployed against Linux servers. In those cases the SSH service is the entry point, and poor management of that service is what makes the servers vulnerable.

SSH, the service being abused here, provides remote login and system control for administrators, who must sign in with a registered user account.

Because a Linux system can be accessed with nothing more than a username and password, a threat actor can obtain access by brute-forcing those credentials or by trying a pre-made list of commonly used passwords.

When targeting poorly managed Linux SSH servers, the threat actors first scan specific ports to find exposed servers, then attempt to log in using known account credentials in dictionary attacks to obtain unauthorized access.
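The scanning and dictionary attacks described above leave a characteristic trail in the SSH daemon's log, which is where a defender would first look for them. The following is an added example, not code from the article or from AhnLab's report: a POSIX shell and awk check that counts failed password attempts per source address in sshd auth.log lines and flags any source that then logged in with a password. The log lines, helper names and the threshold of 3 are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot SSH dictionary attacks in sshd auth.log lines and note any
# source that logged in after hammering the server. Helper names and the sample
# log below are constructed for this example; the threshold is an assumption.

AUTH_LOG_SAMPLE="$(cat <<'EOF'
Jun 20 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51034 ssh2
Jun 20 03:14:02 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51036 ssh2
Jun 20 03:14:03 host sshd[2105]: Failed password for root from 203.0.113.7 port 51040 ssh2
Jun 20 03:14:04 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51042 ssh2
Jun 20 03:14:05 host sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 51044 ssh2
Jun 20 03:14:09 host sshd[2111]: Accepted password for root from 203.0.113.7 port 51050 ssh2
Jun 20 03:20:00 host sshd[2201]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Jun 20 03:20:10 host sshd[2203]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
EOF
)"

# failed_logins_by_source <log-text> <threshold>
# Prints "<failures> <distinct-users> <ip>" for each source with at least
# <threshold> failed password attempts. Distinct usernames are counted because a
# dictionary attack cycles through account names as well as passwords.
failed_logins_by_source() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = $(NF-3); fails[ip]++
            user = ($9 == "invalid") ? $11 : $9      # "invalid user NAME" vs "NAME"
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], users[ip], ip }
    '
}

# accepted_after_failures <log-text> <threshold>
# Prints each source address that authenticated with a password after having
# already failed at least <threshold> times: the sign-in the article describes.
accepted_after_failures() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/   { fails[$(NF-3)]++ }
        /sshd\[[0-9]+\]: Accepted password for/ { if (fails[$(NF-3)] >= min) print $(NF-3) }
    '
}

echo "sources with >= 3 failures (failures users ip):"
failed_logins_by_source "$AUTH_LOG_SAMPLE" 3
echo "password logins following a brute-force run:"
accepted_after_failures "$AUTH_LOG_SAMPLE" 3
```

On a live host, feed the functions `"$(grep sshd /var/log/auth.log)"` instead of the sample; a non-empty result from the second function is the case that warrants immediate triage.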

How this malware works

The researchers said that once the attacker has signed in, they run a command that downloads and executes several pieces of malware. One of them is a Bash script known as the key file, which acts as a downloader and installs the additional malware.

After downloading the malware, the key file will also run various tasks to have control over the infected systems. These tasks include creating a hidden SSH account that can be used as a backdoor.

The malware installed by the executed command and the downloader Bash script includes the Downloader Bash script, the ShellBot DDoS bot, the Tsunami DDoS bot, MIG Logcleaner v2.0, 0x333shadow Log Cleaner, privilege escalation malware, and the XMRig CoinMiner.

ShellBot is a DDoS Bot that uses the IRC protocol to communicate. This bot supports a wide range of functions, such as port scanning, UDP flood attacks, TCP flood attacks and HTTP flood attacks.

Tsunami remains active after the system is restarted, and the DDoS bot disguises itself using common system process names. Among the remote control commands supported by Tsunami are shell command execution and reverse shells.

The other commands that are also supported by this DDoS bot include gathering system information, conducting updates automatically, and downloading additional payloads from an external source.

To remove traces of their unauthorized access from compromised computers, the threat actor uses MIG Logcleaner v2.0 and 0x333shadow Log Cleaner. This delays the victims' detection of the infection.

In these attacks, the malware used by the hackers is delivered as an ELF executable. The threat actor also obtains elevated privileges on the compromised device, which allows them to infiltrate the system further.
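The hidden SSH account created by the downloader is the persistence a defender should hunt for once such an infection is suspected. The following is an added example, not from the article or the ASEC report: a shell and awk heuristic that scans passwd-format entries for a second UID-0 account, a home directory hidden under a dot-directory, or a system-range UID given an interactive shell. The rules, the UID 1000 boundary and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example: heuristic check of /etc/passwd-style data for the kind of hidden
# SSH backdoor account the downloader script creates. Rules, the UID 1000 boundary
# (start of the normal-user range on Debian-style systems) and the sample entries
# are assumptions for this example, not details from the article or AhnLab.

PASSWD_SAMPLE="$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupdate:x:0:0::/var/tmp/.x:/bin/bash
updater:x:1001:1001::/var/tmp/.cache:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
EOF
)"

# find_suspicious_accounts <passwd-text>
# Prints "<user>: <reason>" for every entry matching one of three rules:
#   1. UID 0 on an account other than root (a second superuser)
#   2. home directory under a dot-directory (hidden from a casual listing)
#   3. system-range UID (< 1000) with an interactive login shell
find_suspicious_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" { next }
        $3 == 0 { print $1 ": uid 0 but not root"; next }
        $6 ~ /\/\./ { print $1 ": home is a hidden path (" $6 ")"; next }
        $3 < 1000 && $7 !~ /(nologin|false)$/ {
            print $1 ": system-range uid with interactive shell (" $7 ")"
        }
    '
}

# count_suspicious_accounts <passwd-text>: number of flagged entries
count_suspicious_accounts() {
    find_suspicious_accounts "$1" | wc -l | tr -d ' '
}

find_suspicious_accounts "$PASSWD_SAMPLE"
```

On a live host run `find_suspicious_accounts "$(cat /etc/passwd)"` and then inspect the authorized_keys file of every flagged account, since an SSH backdoor needs a key or password as well as the account.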

Ways to mitigate these attacks

Cybersecurity researchers have offered several ways of mitigating these attacks. Linux server administrators should use strong passwords and SSH keys, and should disable root login over SSH.

Access to the server should also be restricted to a specific range of IP addresses. Changing the default SSH port to a less common number also reduces exposure to automated bots and infection scripts.
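The recommendations above map onto a handful of sshd_config keywords, and checking them can be automated. The following is an added example rather than code from the article or the researchers: a shell audit that reports which of the listed mitigations a given sshd_config is missing, shown against a stock-looking configuration and a hardened one. It assumes the IP restriction is expressed as an AllowUsers user@address entry or a Match Address block; a host firewall rule would not be visible to it.

```shell
#!/bin/sh
# Added example (not from the article or AhnLab): audit an sshd_config against the
# mitigations listed above. The IP-restriction check only recognises an AllowUsers
# user@address entry or a Match Address block (an assumption; firewall rules are
# not visible here). Both configs are constructed samples.
WEAK_CONFIG="$(cat <<'EOF'
# stock-looking configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
)"
HARDENED_CONFIG="$(cat <<'EOF'
# applies the article's recommendations
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin@10.0.0.0/8
EOF
)"

# sshd_value <config-text> <keyword>: sshd keeps the FIRST value it reads for a
# keyword, so only that one is reported; case-insensitive, comments skipped.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }
    '
}

# audit_sshd_config <config-text>: prints one line per missing mitigation
audit_sshd_config() {
    cfg="$1"
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] ||
        echo "PermitRootLogin is not 'no': root can still log in over SSH"
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] ||
        echo "PasswordAuthentication is not 'no': dictionary attacks remain possible"
    port="$(sshd_value "$cfg" Port)"
    { [ -n "$port" ] && [ "$port" != 22 ]; } ||
        echo "Port is 22 or unset: the default port automated bots scan"
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*(AllowUsers[[:space:]].*@|Match[[:space:]]+Address)' ||
        echo "No AllowUsers user@range or Match Address entry: not restricted by IP"
}

# count_findings <config-text>: number of missing mitigations (0 = all applied)
count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

echo "weak config:";     audit_sshd_config "$WEAK_CONFIG"
echo "hardened config:"; audit_sshd_config "$HARDENED_CONFIG"
```

To check a real server, pass `"$(cat /etc/ssh/sshd_config)"` to `audit_sshd_config`; note that drop-in files under sshd_config.d are not read by this example.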
