Threat Actors Installing Linux Backdoor Accounts – ASEC BLOG

ASEC uses a Linux SSH honeypot to monitor attacks against Linux systems and describes how threat actors install backdoor accounts or SSH keys via brute-force and dictionary attacks on poorly managed servers. The article covers backdoor account creation, root-password changes, SSH-key registrations, and cases where CoinMiner and DDoS bots are installed, plus defensive recommendations. #Kimsuky #XMRig #Tsunami #ShellBot #LinuxSSH #AhnLabTIP

Keypoints

  • Threat actors target poorly managed Linux SSH servers by performing IP scanning and brute force/dictionary login attempts to gain access.
  • Beyond malware, attackers frequently create backdoor accounts or modify root credentials to maintain persistence for future actions.
  • SSH key-based authentication is exploited by adding a new public key to authorized_keys and removing existing keys to enable passwordless login.
  • Attack methods include adding user accounts, changing the root password, and registering SSH keys, often via automated scripts.
  • Some attacks also deploy malware (CoinMiner/XMRig) or DDoS/Bot malware (Tsunami, ShellBot) after gaining access.
  • Notable cases include KONO DIO DA CoinMiner activity and Tsunami/ShellBot campaigns that combine SSH-key insertion with malware installation.
  • Defensive guidance emphasizes strong passwords, SSH key-based authentication, restricting root login, IP whitelisting, firewalls, keeping systems updated, and using security software (AhnLab V3); ASEC’s honeypot also collects the attacking IPs.
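As an added defender-side example (not code from the ASEC post), a small Python audit that checks for the two persistence methods listed above: UID-0 or unknown login accounts in /etc/passwd, and authorized_keys entries that differ from a recorded baseline. The baseline sets, account names and key blobs are constructed for illustration.

```python
# Constructed baseline recorded by an administrator on a known-good host.
BASELINE_USERS = {"root", "daemon", "nobody", "admin"}
BASELINE_KEYS = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEYCONSTRUCTED")}

def audit_passwd(passwd_text, baseline_users=BASELINE_USERS):
    """Flag UID-0 accounts other than root and login-capable accounts not in the baseline."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:  # skip blank or malformed lines
            continue
        name, _, uid, _, _, _, shell = fields
        if uid == "0" and name != "root":
            findings.append(f"uid 0 account {name!r} (shell {shell})")
        elif name not in baseline_users and not shell.endswith(("nologin", "false")):
            findings.append(f"unexpected login account {name!r} (uid {uid})")
    return findings

def parse_authorized_keys(text):
    """Return the set of (key type, base64 blob) pairs in an authorized_keys file."""
    keys = set()
    for line in text.splitlines():
        parts = line.split()
        # The key type may be preceded by option fields such as no-pty or from="host".
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                keys.add((tok, parts[i + 1]))
                break
    return keys

def audit_authorized_keys(text, baseline_keys=BASELINE_KEYS):
    """Return (added, removed) key sets; both indicate the file was tampered with."""
    current = parse_authorized_keys(text)
    return current - baseline_keys, baseline_keys - current

# Constructed sample: a hidden UID-0 account, an unknown login account, and a
# replaced authorized_keys file (baseline key gone, attacker key present).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
guest2:x:1001:1001::/home/guest2:/bin/sh
hidden:x:0:0::/home/hidden:/bin/bash
"""
SAMPLE_KEYS = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCONSTRUCTED attacker@example\n"

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd:", finding)
    added, removed = audit_authorized_keys(SAMPLE_KEYS)
    print("keys added:", added, "keys removed:", removed)
```

Run it against /etc/passwd and each user's ~/.ssh/authorized_keys after recording a trusted baseline; any removed key is as significant as an added one, since the campaigns above delete existing keys before inserting their own.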

MITRE Techniques

  • [T1046] Network Service Scanning – Attackers scan for servers with the SSH service (port 22) open. ‘IP scanning, searching for servers with the SSH service (port 22) open.’
  • [T1110] Brute Force – Attackers attempt to log in by launching brute force or dictionary attacks to obtain credentials. ‘they attempt to log in by launching brute force or dictionary attacks to find out the ID and password.’
  • [T1136.001] Create Local Account – After successful login, attackers add new user accounts to maintain access. ‘Threat actors used the commands below to add a new account after successful login.’
  • [T1059.004] Unix Shell – Attackers execute shell commands to add accounts, change passwords, and perform other actions. ‘# echo -e "tomer\nsIeI5BHxSX3y\nsIeI5BHxSX3y"|passwd|bash’
  • [T1098.004] SSH Authorized Keys – Threat actors register a self-generated SSH key and replace authorized_keys to enable passwordless login. ‘…write the newly created public key to the same “authorized_keys” file. Afterward, the threat actor would be able to use the private key created alongside the public key to log into the compromised system.’
  • [T1105] Ingress Tool Transfer – After login, attackers download and execute a Bash script to install malware like CoinMiner or DDoS tools. ‘The threat actor downloaded and executed a Bash script.’

Indicators of Compromise

  • [IP Address] Attack Source – 180.151.19[.]85, 124.221.81[.]81, and 7 more IPs observed
  • [File] SSH-related files – authorized_keys, key, and init0
  • [Malware] CoinMiner/XMRig, Tsunami, ShellBot – CoinMiner/XMRig observed with SSH-key and malware bundles; Tsunami and ShellBot involved in related campaigns
  • [Threat Actor] Kimsuky – Mentioned as a group using similar persistence and access techniques
  • [Credential] Credentials used in attacks – admin1/admin, root/1234!@#$

Read more: https://asec.ahnlab.com/en/61185/