Hackers Infect Linux SSH Servers With Tsunami Botnet Malware

Cyber Security Threat Summary:
An unidentified malicious entity is employing brute-force techniques to gain unauthorized access to Linux SSH servers, enabling the installation of various forms of malicious software. The malware includes the Tsunami DDoS bot, ShellBot, log cleaners, tools for privilege escalation, and an XMRig coin miner designed to mine Monero. SSH (Secure Socket Shell) is a secure and encrypted network communication protocol used for remote administration of Linux devices. It facilitates activities such as executing commands, modifying configurations, updating software, and resolving issues for network administrators. Nonetheless, in the event that those servers lack adequate security measures, they may be susceptible to brute force attacks. This vulnerability allows malicious actors to systematically attempt numerous username-password combinations until a successful match is discovered.

A recent investigation by AhnLab Security Emergency Response Center unveiled an ongoing operation involving the compromise of Linux servers for the purpose of launching DDoS attacks and illicitly mining Monero cryptocurrency. The perpetrators conducted scans across the internet to identify Linux SSH servers that were publicly exposed. They also utilized brute force techniques to gain unauthorized access to these servers by attempting various username-password combinations. Once they successfully obtained administrative privileges on the compromised endpoint, they executed a specific command via a Bash script to retrieve and execute a series of malware.

“ASEC observed that the intruders also generated a new pair of public and private SSH keys for the breached server to maintain access even if the user password was changed. The malware downloaded onto compromised hosts includes DDoS botnets, log cleaners, cryptocurrency miners, and privilege escalation tools. Starting with ShellBot, this Perl-based DDoS bot utilizes the IRC protocol for communication. It supports port scanning, UDP, TCP, and HTTP flood attacks and can also set up a reverse shell. The other DDoS botnet malware seen in these attacks is Tsunami, which also uses the IRC protocol for communication. The particular version seen by ASEC is "Ziggy," a Kaiten variant. Tsunami persists between reboots by writing itself on "/etc/rc[.]local" and uses typical system process names to hide” (Bleeping Computer, 2023).
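The intrusion chain described above starts with repeated failed SSH logins from one source that eventually succeed. One check a defender would want is a pass over sshd's auth log that flags source addresses with a burst of failures inside a short window, and escalates when a successful login follows that burst. The Python below is an added example, not code from the article, ASEC or Bleeping Computer; the auth.log lines are constructed, and the failure threshold and time window are assumed values chosen for illustration.

```python
"""
Flag SSH brute-force activity in OpenSSH auth.log lines.

Added example for a Linux SSH server (not from the article). Parses the
standard sshd syslog messages "Failed password for ..." and
"Accepted <method> for ..." and reports, per source IP, bursts of failed
logins and any success that follows such a burst.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (traditional syslog format).
SAMPLE_LOG = """\
Jun 20 03:14:01 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 20 03:14:03 host sshd[2315]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 20 03:14:05 host sshd[2320]: Failed password for root from 203.0.113.7 port 51251 ssh2
Jun 20 03:14:06 host sshd[2322]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Jun 20 03:14:08 host sshd[2325]: Failed password for root from 203.0.113.7 port 51270 ssh2
Jun 20 03:14:11 host sshd[2330]: Accepted password for root from 203.0.113.7 port 51288 ssh2
Jun 20 03:20:44 host sshd[2410]: Failed password for alice from 198.51.100.5 port 40011 ssh2
Jun 20 03:21:02 host sshd[2412]: Accepted publickey for alice from 198.51.100.5 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2023):
    """Parse one sshd auth line; return a dict or None for unrelated lines.

    Syslog lines carry no year, so one is supplied (assumed 2023 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for source IPs showing a brute-force pattern.

    threshold/window are assumed tuning values: at least `threshold`
    failures inside any `window`-long span counts as a brute-force burst.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []            # failure timestamps still inside the window
        users = set()
        peak = 0
        compromised = False
        for ev in evs:
            recent = [t for t in recent if ev["ts"] - t <= window]
            if ev["result"] == "Failed":
                recent.append(ev["ts"])
                users.add(ev["user"])
                peak = max(peak, len(recent))
            elif len(recent) >= threshold:
                # A login succeeded right after a burst of failures: the
                # password-guessing appears to have worked.
                compromised = True
        if peak >= threshold:
            findings[ip] = {
                "verdict": "brute_force_success" if compromised else "brute_force",
                "peak_failures": peak,
                "users_tried": sorted(users),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

On the sample input the script reports 203.0.113.7 as `brute_force_success` (five failures across the users admin, root and test, then an accepted password login), while the single failed attempt from 198.51.100.5 followed by a public-key login stays below the threshold. Because the intruders in this campaign run log cleaners on the compromised host, a check like this is only trustworthy when it runs over a copy of the auth log that has been forwarded off the server before the attacker can edit it.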

Security Officer Comments:
In addition to conducting SYN, ACK, UDP, and random flood DDoS attacks, Tsunami possesses a wide array of remote control commands at its disposal. These commands encompass various functionalities, such as executing shell commands, establishing reverse shells, gathering system information, self-updating capabilities, and retrieving additional payloads from an external source. Additionally, the MIG Logcleaner V2.0 and Shadow Log Cleaner tools are both utilized to eliminate traces of unauthorized access on compromised computers, thereby reducing the likelihood of victims swiftly detecting the infection. These tools are equipped with specific command arguments that empower operators to delete logs, manipulate existing logs, or introduce new logs into the system.

Suggested Correction(s):
Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not have multi-factor authentication or even the ability to change default usernames and passwords. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.

Link(s):
https://www.bleepingcomputer.com/