Cryptocurrency Miners Threaten Poorly Secured Linux SSH Servers
Security analysts from the AhnLab Security Emergency Response Center (ASEC) have warned that poorly secured Linux SSH servers are increasingly being targeted by cybercriminals. These attackers install port scanners and dictionary attack tools on compromised servers to search for other vulnerable systems, aiming to build networks for cryptocurrency mining and DDoS attacks.
“Attackers may also install only scanners and then sell the compromised IP addresses and credentials on the dark web,” the researchers noted in their report.
How the Attacks Work
During these attacks, cybercriminals attempt to gain access to SSH servers by trying commonly used username and password combinations in brute-force attacks. If successful, they deploy malware on the server, including scanners to find additional vulnerable systems. Specifically, the scanners used by attackers look for systems with port 22 (the default SSH port) open, then repeat the dictionary attack and malware installation process on new targets.
One notable aspect of these attacks is the use of commands like grep -c ^processor /proc/cpuinfo to determine the number of CPU cores available on the compromised server.
“It is believed that these tools were originally created by the old PRG group, and each attacker slightly modifies them before using them in attacks,” ASEC stated, adding that evidence of this type of malware has been observed as far back as 2021.
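The dictionary attacks described above leave a recognizable trail in sshd's authentication log: many failed passwords from one source across several usernames, sometimes ending in an accepted login. The following is an added example, not taken from the ASEC report; the function name, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH syslog format (not real traffic).
SAMPLE_LOG = """\
Jan 10 03:12:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 10 03:12:02 srv sshd[1002]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2
Jan 10 03:12:03 srv sshd[1003]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
Jan 10 03:12:04 srv sshd[1004]: Failed password for ubuntu from 203.0.113.7 port 40004 ssh2
Jan 10 03:12:05 srv sshd[1005]: Failed password for root from 203.0.113.7 port 40005 ssh2
Jan 10 03:12:06 srv sshd[1006]: Failed password for root from 203.0.113.7 port 40006 ssh2
Jan 10 03:12:07 srv sshd[1007]: Accepted password for root from 203.0.113.7 port 40007 ssh2
Jan 10 08:30:11 srv sshd[1100]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jan 10 08:30:19 srv sshd[1101]: Accepted password for alice from 198.51.100.20 port 51001 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_dictionary_attacks(log_text, min_failures=5, min_users=3):
    """Return {source_ip: details} for sources matching the attack pattern.

    Thresholds are illustrative assumptions; tune them for your environment.
    """
    failures = defaultdict(int)   # failed password attempts per source IP
    users = defaultdict(set)      # distinct usernames tried per source IP
    accepted = {}                 # first login accepted after a run of failures
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip] >= min_failures and ip not in accepted:
            accepted[ip] = user   # a guess probably succeeded: treat as compromise
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "accepted_as": accepted.get(ip)}
        for ip, n in failures.items()
        if n >= min_failures and len(users[ip]) >= min_users
    }

if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, info)
```

A non-empty accepted_as value means a password login succeeded after the guessing run, so that account and host should be handled as compromised rather than merely probed.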
How to Protect Your Linux SSH Server
- Use strong, unique passwords for all accounts.
- Change passwords regularly.
- Keep your systems and software up to date with the latest security patches.
By following these recommendations, users can reduce the risks associated with these types of attacks.