Linux Servers Targeted By Dangerous Tsunami DDoS Bot

Posted on June 22, 2023 at 8:03 PM


The AhnLab Security Emergency Response Center (ASEC) detected a dangerous cybersecurity attack. The attack targets Linux SSH servers that have not been properly managed. Malware is being installed and spread on these servers by threat actors to trigger the attacks.

Linux servers targeted by dangerous malware

The most significant attack strategy that has been detected by the ASEC researchers is the installation of the Tsunami DDoS Bot. The other tools that have also been detected by the researchers include CoinMiner, Log Cleaner, ShellBot, and the XMRig malware.

The Tsunami source code is already publicly available, and it has been used in a wide range of attacks against Internet of Things (IoT) devices. It is commonly deployed alongside Gafgyt and the Mirai botnet. Tsunami is also a popular choice for attacks on Linux servers.

The AhnLab report also notes that poorly managed Secure Shell (SSH) services are a ready opportunity for attackers to gain a foothold and launch their campaigns. SSH servers allow admins to sign in remotely and take control of the system, which makes them an attractive target.

The attackers behind this campaign obtain unauthorized access by conducting brute-force or dictionary attacks against SSH credentials. Once installed, the DDoS bot also supports the execution of further malicious commands.

CoinMiner also degrades the performance of an infected machine: the attacker consumes the device's CPU resources to mine the Monero privacy coin.

The Log Cleaner also plays an important role in this campaign. It removes evidence of the attack from the system, which makes it harder for victims to notice that their machine has been compromised.

These attacks can cause serious harm to affected organizations and their IT admins. AhnLab has also outlined steps to protect Linux servers and to ensure that they are not used in carrying out these attacks.

The cybersecurity company recommends that users change their passwords periodically. According to the firm, this practice protects Linux servers against brute-force and dictionary attacks.

The researchers also recommend that users regularly check for patches and updates, even when the update process has been automated. Performing regular checks and keeping the system up to date ensures that known bugs and vulnerabilities are fixed.

Tsunami DDoS botnet malware

The Tsunami DDoS bot malware is widely used by threat actors because its source code is publicly available. Threat actors can modify the source code of the existing Kaiten bot to integrate more features. The Tsunami botnet used in this campaign was a variant of Kaiten known as Ziggy.

The Tsunami botnet uses the IRC protocol to communicate with its command-and-control servers. IRC is a real-time Internet chat protocol released in 1988. Users sign into channels on an IRC server and exchange messages in real time with the other users logged into the same channel.

“The IRC bot installed on the infected system accesses an IRC server’s channel designated by the threat actor according to the IRC protocol, after which it either transmits the stolen information to the specified channel or, when the attacker enters a particular string, it receives this as a command and performs the corresponding malicious behavior,” the researchers said.

When the Tsunami bot is executed, it writes its own path into the “/etc/rc.local” file, which runs each time the system boots, so the bot survives reboots. The malware then tries to change the name of its running process to “[kworker/0:0].” Because this name mimics a normal kernel worker thread, users are unlikely to notice anything unusual.

The Tsunami bot then connects to the IRC server, joins a channel, and waits for commands from the threat actor. Information such as the C&C address and the channel password is stored in encrypted form. Two C&C server addresses are used in the campaign, and Tsunami selects one of them when establishing a connection.
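A defender-side check for the two host indicators described above (the entry added to /etc/rc.local and the process disguised as “[kworker/0:0]”), added here as an example and not code from the AhnLab report: genuine kworker threads are children of kthreadd (PID 2) and have neither an executable link nor a command line, so a process that carries the name but has either of those is flagged. The process records and rc.local contents below are constructed sample data, and the directory list used for the rc.local check is an assumption.

```python
import os
import re
from dataclasses import dataclass

KTHREADD_PID = 2
# matches kworker/0:0, kworker/u8:3, kworker/0:1H, with or without ps-style brackets
KWORKER_RE = re.compile(r"^\[?kworker/u?\d+:\d+H?\]?$")
# assumed: locations where a legitimate rc.local command should not live
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline, empty for real kernel threads
    exe: str       # readlink(/proc/<pid>/exe), "" when it cannot be read

def is_fake_kworker(p: Proc) -> bool:
    """True if a process is named like a kworker but is not a kernel thread."""
    if not KWORKER_RE.match(p.comm.strip()):
        return False
    return p.ppid != KTHREADD_PID or bool(p.exe) or bool(p.cmdline)

def rc_local_suspects(text: str) -> list:
    """Return non-comment rc.local commands that reference writable directories."""
    suspects = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s == "exit 0":
            continue
        if any(d in s for d in WRITABLE_DIRS):
            suspects.append(s)
    return suspects

def scan_proc() -> list:
    """Walk /proc on a live Linux host and return processes flagged as fake kworkers."""
    found = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        pid = int(name)
        try:
            comm = open(f"/proc/{pid}/comm").read()
            status = open(f"/proc/{pid}/status").read()
            ppid = int(re.search(r"^PPid:\s+(\d+)", status, re.M).group(1))
            cmdline = open(f"/proc/{pid}/cmdline", "rb").read().replace(b"\0", b" ")
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""        # kernel threads have no exe link
        except (OSError, AttributeError):
            continue            # process exited while being inspected
        p = Proc(pid, ppid, comm, cmdline.decode(errors="replace").strip(), exe)
        if is_fake_kworker(p):
            found.append(p)
    return found

# constructed sample data: a real kworker, a renamed bot, and a normal daemon
SAMPLE_PROCS = [
    Proc(17, 2, "kworker/0:0", "", ""),
    Proc(4242, 1, "[kworker/0:0]", "[kworker/0:0]", "/tmp/.x/bot (deleted)"),
    Proc(900, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
]
SAMPLE_RC_LOCAL = "#!/bin/sh -e\n/tmp/.x/bot &\nexit 0\n"

if __name__ == "__main__":
    print("fake kworkers:", [p.pid for p in SAMPLE_PROCS if is_fake_kworker(p)])
    print("rc.local suspects:", rc_local_suspects(SAMPLE_RC_LOCAL))
    print("live host:", scan_proc())
```

On a live host the exe link of the renamed process often ends in “(deleted)” because droppers remove the binary after starting it, which is itself worth alerting on.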

Publisher: KoDDoS Blog