SSH is a common entry point on Linux servers, and attackers target exposed SSH services with brute force and dictionary attacks to gain initial access, then deploy malware or steal credentials. AhnLab EDR helps detect these campaigns by monitoring brute-force attempts, suspicious SSH commands, and SSH-based lateral movement to enable proactive response. #ShellBot #Tsunami #ChinaZ #Kinsing #CoinMiners #AhnLabEDR
Keypoints
- Threat actors scan for open SSH (port 22) and perform brute force or dictionary attacks to gain Linux server access.
- Once access is obtained, attackers install malware (e.g., ransomware or CoinMiners) or steal information, potentially selling credentials on the dark web.
- AhnLab EDR detects brute-force/dictionary login failures, suspicious SSH command execution, and SSH-based lateral movement to help administrators respond.
- Kinsing malware uses SSH propagation, gathering host, user, and key file data to spread to other systems and download additional payloads.
- The propagation module (spre.sh) collects SSH-related data (hosts, users, keys) and uses curl/wget to fetch and run a downloader script.
- Defensive guidance: use passwords that are hard to guess and change them periodically (or disable password logins in favour of keys), keep the OS and SSH service patched, and put a firewall in front of server-accessible services so SSH is reachable only from the addresses that need it.
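The hardening advice above comes down to a handful of sshd_config settings. The following is an added audit script, not code from the ASEC article or AhnLab: it parses the global section of an sshd_config the way sshd does (first occurrence of a keyword wins, nothing after the first `Match` line is global) and reports the settings that leave a server open to password brute force. The OpenSSH defaults listed, the `MaxAuthTries <= 3` threshold and both sample configs are assumptions constructed for the example.

```python
"""Audit the global section of an sshd_config for settings that leave the
server open to SSH password brute force. Added example; not code from the
ASEC article or AhnLab. The MaxAuthTries <= 3 threshold is an assumed policy."""
import re

KEYWORD_RE = re.compile(r"^(\w+)\s*=?\s*(.+?)\s*$")

# OpenSSH defaults for the keywords this audit cares about (assumed from the
# sshd_config(5) man page; check them against the OpenSSH version in use).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}


def parse_global_section(text):
    """Return {keyword: value} for the global section. sshd honours the first
    occurrence of a keyword, and everything after the first Match line is
    conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, finding) pairs; an empty list means no weak setting."""
    s = parse_global_section(text)
    get = lambda k: s.get(k, DEFAULTS[k]).lower()
    findings = []
    if get("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication",
                         "password logins enabled; dictionary attacks can succeed, use keys only"))
    if get("kbdinteractiveauthentication") == "yes":
        findings.append(("KbdInteractiveAuthentication",
                         "keyboard-interactive enabled; PAM can still prompt for a password"))
    if get("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "root may log in directly with a password"))
    if get("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "accounts with empty passwords can log in"))
    try:
        tries = int(get("maxauthtries"))
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > 3:
        findings.append(("MaxAuthTries", f"{tries} attempts per connection; lower to 3"))
    return findings


# Constructed sample configs (not taken from a real host).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes   # first occurrence wins
PasswordAuthentication no    # ignored by sshd
Match User git
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
PermitEmptyPasswords no
AllowUsers deploy ops
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

The weak sample is flagged on four keywords, two of them (`KbdInteractiveAuthentication`, `MaxAuthTries`) purely because the defaults were left in place; that is the usual way an exposed server ends up accepting dictionary attacks. Run `sshd -T` on a live host to dump the effective configuration and feed that output in instead of the file when `Match` blocks or included files make the file hard to read by eye.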
MITRE Techniques
- [T1046] Network Service Discovery (formerly Network Service Scanning) – Threat actors usually scan random or specific ranges of IP addresses to find systems where the SSH service is running or where port 22 is open. “port scanner to scan for port 22… banner grabber for confirmed SSH servers”
- [T1110] Brute Force – Use dictionary attacks to log into a Linux system after identifying exposed SSH services. “used dictionary attacks to log into a Linux system”
- [T1021.004] Remote Services: SSH (Lateral Movement) – Kinsing uses SSH keys for propagation; the spre.sh module propagates based on SSH access logs and key files. “The ‘spre.sh’ script… propagation based on the SSH access logs and key files saved in the infected system.”
- [T1105] Ingress Tool Transfer – Downloader payloads downloaded/executed via network transfer using curl and wget. “curl and wget is used to transmit a command to download and execute the aforementioned downloader script.”
- [T1552.004] Private Keys – SSH key files are collected and used for access, enabling lateral movement. “Keys” include “*/id_rsa”, “*/.ssh/config”, “*/.bash_history”, and “*/*.pem”
- [T1059.004] Unix Shell – Suspicious commands executed through SSH as part of the attack lifecycle. “execution of suspicious commands through SSH services”
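The T1110 stage above leaves a recognisable trail in the sshd log: a burst of `Failed password` lines from one source address, many of them for `invalid user` accounts, and in the worst case an `Accepted password` line from that same address once the dictionary hits. The following is an added example of that detection logic, not AhnLab EDR's own rules (the article does not state its thresholds): it slides a per-source-IP window over syslog-style sshd lines and emits one alert when a source crosses the failure threshold and a second, higher-severity alert for any accepted login from a source already flagged. The threshold, window, log year and the log lines themselves are constructed assumptions.

```python
"""Flag SSH brute-force activity in syslog-style sshd lines: a burst of
failed logins from one source address, and the higher-severity case of an
accepted login from an address that was already bursting. Added example;
not AhnLab's detection logic. Threshold, window and the 2024 log year are
assumptions, and the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the common OpenSSH auth messages; "invalid user" appears when the
# account does not exist, which is typical of dictionary attacks.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) or None for lines we do not handle.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window count of failures per source IP.

    Emits "bruteforce" once when an IP reaches `threshold` failures inside
    `window_s` seconds, and "success_after_bruteforce" for every accepted
    login from an IP already flagged, the signal that warrants immediate
    response. Returns a list of (ip, kind, user, timestamp)."""
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            window = failures[ip]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_s:
                window.popleft()  # drop failures that fell out of the window
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", user, ts))
        elif ip in flagged:
            alerts.append((ip, "success_after_bruteforce", user, ts))
    return alerts


# Constructed sample (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "Jan 10 03:12:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Jan 10 03:12:03 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2",
    "Jan 10 03:12:04 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 40138 ssh2",
    "Jan 10 03:12:06 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2",
    "Jan 10 03:12:09 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 40151 ssh2",
    "Jan 10 03:12:11 web1 sshd[2111]: Failed password for root from 203.0.113.5 port 40160 ssh2",
    "Jan 10 03:12:14 web1 sshd[2113]: Accepted password for root from 203.0.113.5 port 40171 ssh2",
    "Jan 10 03:12:20 web1 sshd[2115]: Failed password for deploy from 198.51.100.7 port 51000 ssh2",
    "Jan 10 03:12:25 web1 sshd[2117]: Accepted publickey for deploy from 192.0.2.10 port 51010 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

On the sample the single typo-style failure from 198.51.100.7 and the key-based login from 192.0.2.10 produce nothing, while 203.0.113.5 raises `bruteforce` on its fifth failure and `success_after_bruteforce` when root is accepted eight seconds later. The second alert is the one to page on: it is the point at which the page's next stages (malware drop, credential theft, spre.sh propagation) begin.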
Indicators of Compromise
- [File] SSH-related keys and config data – example1: “*/.ssh/id_rsa”, example2: “*/.ssh/config” (and other SSH-related files, such as “*/.bash_history” and “*/*.pem”)
- [File] Propagation script – example: “spre.sh” (the SSH propagation module)
- [File] SSH history and logs – example: “*/.bash_history” (as part of collected information)
- [Command] Downloader commands – example: “curl” and “wget” used to download and execute a downloader script
- [Event] Multiple login failures – example: “Detection logs upon multiple login failures” and related brute-force/dictionary attack indicators
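The file indicators above are not malware artefacts but the legitimate data Kinsing's spre.sh harvests to pivot: private keys, the hosts and users in `~/.ssh/config` and `~/.ssh/known_hosts`, and ssh/scp targets in `~/.bash_history`. The following is an added defender-side audit that walks home directories and reports exactly that pivot surface per user, so an incident responder can size the blast radius of one compromised host; it is not the malware's code and does not connect anywhere. The key names beyond the article's `id_rsa` and `*.pem` (`id_ed25519`, `id_ecdsa`) and the sample home tree are assumptions constructed for the example.

```python
"""Enumerate the SSH pivot surface an attacker with a shell on this host could
harvest: private keys, hosts/users in ~/.ssh/config and ~/.ssh/known_hosts,
and ssh/scp targets in ~/.bash_history. Added defender-side audit covering
the data sources the article names for Kinsing's spre.sh; not the malware's
code. Key names other than id_rsa and *.pem are an assumption."""
import os
import re
import tempfile

PRIVATE_KEY_NAMES = {"id_rsa", "id_ed25519", "id_ecdsa"}
PEM_HEADER_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def keys_in_home(home):
    """Private keys: id_* files plus any *.pem carrying a PEM private-key header."""
    found = []
    for dirpath, _dirs, files in os.walk(home):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in PRIVATE_KEY_NAMES or (
                name.endswith(".pem") and PEM_HEADER_RE.search(_read(path))
            ):
                found.append(os.path.relpath(path, home))
    return sorted(found)


def targets_from_ssh_config(text):
    """(user, hostname) per Host block; wildcard blocks name no real host."""
    targets, alias, host, user = set(), None, None, None

    def flush():
        if alias and "*" not in alias:
            targets.add((user, host or alias))

    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "host":
            flush()
            alias, host, user = val, None, None
        elif key == "hostname":
            host = val
        elif key == "user":
            user = val
    flush()
    return targets


def targets_from_known_hosts(text):
    """Plain host entries; hashed (|1|...) lines reveal nothing and are skipped."""
    targets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|")):
            continue
        for host in line.split()[0].split(","):
            targets.add((None, host.split(":")[0].strip("[]")))  # "[host]:port" form
    return targets


def targets_from_history(text):
    """user@host arguments of ssh/scp/sftp commands in shell history."""
    targets = set()
    for line in text.splitlines():
        toks = line.strip().split()
        if not toks or toks[0] not in ("ssh", "scp", "sftp"):
            continue
        for tok in toks[1:]:
            if "@" in tok and not tok.startswith("-"):
                user, _, host = tok.partition("@")
                targets.add((user, host.split(":", 1)[0]))  # drop scp path suffix
    return targets


def harvest_pivot_surface(root):
    """Per-user {"keys": [...], "targets": {(user, host), ...}} for <root>/home/*."""
    report = {}
    home_root = os.path.join(root, "home")
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        ssh = os.path.join(home, ".ssh")
        targets = targets_from_ssh_config(_read(os.path.join(ssh, "config")))
        targets |= targets_from_known_hosts(_read(os.path.join(ssh, "known_hosts")))
        targets |= targets_from_history(_read(os.path.join(home, ".bash_history")))
        report[user] = {"keys": keys_in_home(home), "targets": targets}
    return report


def build_sample_homes():
    """Constructed fixture (not a real host): a temp root with two users."""
    root = tempfile.mkdtemp(prefix="pivot-audit-")
    alice = os.path.join(root, "home", "alice", ".ssh")
    bob = os.path.join(root, "home", "bob")
    os.makedirs(alice)
    os.makedirs(bob)
    files = {
        os.path.join(alice, "id_rsa"): "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
        os.path.join(alice, "id_rsa.pub"): "ssh-rsa AAAA... alice@web1\n",
        os.path.join(alice, "config"): "Host *\n  ServerAliveInterval 30\n"
                                        "Host db\n  HostName db01.internal\n  User alice\n  IdentityFile ~/.ssh/id_rsa\n",
        os.path.join(alice, "known_hosts"): "10.0.0.5 ssh-ed25519 AAAA...\n|1|hashedsalt|hashedhost ssh-rsa AAAA...\n",
        os.path.join(root, "home", "alice", ".bash_history"):
            "ls -la\nssh deploy@10.0.0.7\nscp -i ~/.ssh/id_rsa backup.tgz ops@backup.internal:/srv/\n",
        os.path.join(bob, "backup.pem"): "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
        os.path.join(bob, "notes.pem"): "not a key\n",
    }
    for path, content in files.items():
        with open(path, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for user, info in harvest_pivot_surface(build_sample_homes()).items():
        print(user, info["keys"], sorted(map(str, info["targets"])))
```

On the constructed tree, alice exposes one private key and four reachable targets (the `db` config block, one plain known_hosts entry, two history targets), while bob's `backup.pem` is a key with no recorded targets; that per-user view is what to compare against the accounts and hosts that start showing up in sshd logs once spre.sh runs. Keys in `~/.ssh` that are not covered by `HashKnownHosts yes` and a cleared history shrink the harvest, and any key listed here should be treated as compromised once the host is.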
Read more: https://asec.ahnlab.com/en/66695/