Cybersecurity firm AhnLab’s Security Emergency response Center (ASEC) has uncovered an attack against, “inadequately managed” Linux SSH servers whereby malware is being installed and spread.
Most notable has been the installation of a Tsunami DDoS Bot, but ShellBot, XMRig CoinMiner, and Log Cleaner malware have also all been spotted.
Because Tsunami’s source code is publicly available, it has been used in numerous attacks against IoT devices and is often seen deployed alongside Mirai and Gafgyt, though Tsunami attacks on Linux servers are just as common.
Linux servers are being attacked by multiple malware
AhnLab says that the Secure Shell (SSH) service is prone to poor management, thus is a perfect opportunity for threat actors to exploit for attacks. SSH enables admins to log in remotely and control the system, but cyberattackers can also gain unauthorized access through brute force or a dictionary attack.
Alongside the DDoS bot that allows the execution of additional malicious commands, the CoinMiner can be especially detrimental to the performance of a machine as it gets to work mining for Monero.
The Log Cleaner also serves an important purpose in the attack as it assists in wiping away evidence of the attack, thus making it harder for victims to identify that their machine has become the subject.
While the consequences can be painful for IT admins, there are a few really simple steps that AhnLab highlights which can be taken to protect Linux servers from such attacks.
Just like with any account, the cybersecurity firm recommends regularly changing the password which it says will help “protect the Linux server from brute force attacks and dictionary attacks.” Users should also frequently check for updates and patches, even with automatic updates enabled, to be able to iron out any bugs and vulnerabilities along the way.