OpenSSH Trojan Campaign Targets IoT and Linux Systems

Security

Security researchers have discovered a sophisticated attack campaign that exploits custom and open-source tools to target Linux-based systems and Internet of Things (IoT) devices.

According to a new blog post by Microsoft, the attackers utilized a patched version of OpenSSH to gain control of compromised devices and install cryptomining malware.

Read more on this type of malware: Satacom Malware Campaign Steals Crypto Via Stealthy Browser Extension

The attack campaign involves an established criminal infrastructure that uses a subdomain belonging to a Southeast Asian financial institution as a command and control (C2) server. 

The threat actors employed a backdoor that deployed various tools, including rootkits and an IRC bot, to steal device resources for cryptocurrency mining operations.

Additionally, the backdoor installed a modified version of OpenSSH, allowing the attackers to hijack SSH credentials, move laterally within networks and conceal malicious SSH connections.

As far as the attack chain is concerned, threat actors initiated it by brute-forcing credentials on misconfigured internet-facing Linux devices.

Once compromised, they downloaded and installed the malicious OpenSSH package, which granted them persistent access and the ability to intercept SSH credentials. The modified OpenSSH version mimicked a legitimate server, making detection more challenging.

Furthermore, the backdoor deploys open-source rootkits, such as Diamorphine and Reptile, to hide its presence on the compromised systems. 

It also established communication with a remote command and control server via an IRC bot called ZiggyStarTux. This enabled the threat actors to issue commands and launch distributed denial of service (DDoS) attacks.

In its advisory, Microsoft recommended several mitigation measures to protect devices and networks against this threat. 

These include ensuring secure configurations for internet-facing devices, maintaining up-to-date firmware and patches, using secure VPN services for remote access and adopting comprehensive IoT security solutions.

The Microsoft blog post comes weeks after the company announced a new integration of OpenAI technology into its services.

Products You May Like

Articles You May Like

The complexities of attack attribution – Week in security with Tony Anscombe
Cybersecurity Awareness Month needs a radical overhaul – it needs legislation
How Confidence Between Teams Impacts Cyber Incident Outcomes
Separating the bee from the panda: CeranaKeeper making a beeline for Thailand
New MedusaLocker Ransomware Variant Deployed by Threat Actor

Leave a Reply

Your email address will not be published. Required fields are marked *