Linux SSH servers targeted by Tsunami DDoS botnet
AhnLab Security Emergency Response Center (ASEC) researchers have discovered an ongoing hacking activity aimed at installing the Tsunami DDoS botnet, commonly known as Kaiten, on poorly secured Linux SSH servers.
Tsunami is a capable DDoS bot that can be directed at a wide range of targets. Its source code is freely available, so threat actors can build their own botnets from it. The botnet spreads largely through brute-force attacks, in which the attackers try username and password combinations against SSH servers until one succeeds.
After breaking into a server, the attackers run a command that downloads and executes the malware through a Bash script, giving them control of the compromised machine. They also create a backdoor SSH account and generate new SSH keys so that their access persists even if the user's password is reset.
The attackers also deploy ShellBot to remotely control the infected machines and XMRig CoinMiner to mine Monero with the servers' resources. They additionally use a Log Cleaner tool to delete system logs, making their activity harder to trace.
The Tsunami bot used in this campaign is a Kaiten variant known as Ziggy. It writes itself to “/etc/rc.local” so that it is started at boot, which makes it harder to spot, and it renames its process to “[kworker/0:0]” to blend in with legitimate kernel threads. It supports flood attacks such as SYN, ACK, and UDP floods. It also accepts commands that let the attackers collect system information, execute shell commands, open reverse shells, update the bot, download additional payloads, and even stop its own activity.
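The “[kworker/0:0]” disguise relies on the name alone: a real kernel thread has an empty /proc/<pid>/cmdline and no resolvable /proc/<pid>/exe, while a renamed user-space binary still has one or both. The following detector, an added example and not ASEC's or the bot's code, flags that mismatch; the sample process records (including the path /tmp/.x/bot) are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Kernel threads appear in `ps` as "[name]", but in /proc their comm has no
# brackets, cmdline is empty and the exe link cannot be resolved. Malware
# that overwrites argv[0] or calls prctl(PR_SET_NAME) puts the literal
# bracketed name into cmdline/comm while keeping a real backing binary.
BRACKETED_NAME = re.compile(r"^\[[^\]]+\]$")


@dataclass
class ProcInfo:
    pid: int
    comm: str            # /proc/<pid>/comm
    exe: Optional[str]   # resolved /proc/<pid>/exe, None if unresolvable
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces


def is_masquerading_kernel_thread(p: ProcInfo) -> bool:
    """True when a bracketed kernel-thread name is backed by a real binary."""
    shown_name = p.cmdline.split()[0] if p.cmdline.strip() else p.comm.strip()
    looks_like_kthread = bool(BRACKETED_NAME.match(shown_name)) or bool(
        BRACKETED_NAME.match(p.comm.strip()))
    has_backing_binary = p.exe is not None or bool(p.cmdline.strip())
    return looks_like_kthread and has_backing_binary


def find_masquerading(procs: Iterable[ProcInfo]) -> List[ProcInfo]:
    return [p for p in procs if is_masquerading_kernel_thread(p)]


def collect_procs() -> List[ProcInfo]:
    """Read live process records from /proc (Linux; run with enough privilege)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue  # process exited or is not readable
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel thread (ENOENT) or no permission (EACCES)
        procs.append(ProcInfo(pid, comm, exe, cmdline))
    return procs


# Constructed sample: one genuine kernel thread, sshd, and two disguised bots.
SAMPLE = [
    ProcInfo(12, "kworker/0:0", None, ""),
    ProcInfo(800, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    ProcInfo(4321, "[kworker/0:0]", "/tmp/.x/bot", "[kworker/0:0]"),
    ProcInfo(4330, "bot", "/tmp/.x/bot", "[kworker/0:0]"),  # argv[0] only
]

if __name__ == "__main__":
    for p in find_masquerading(collect_procs() if os.path.isdir("/proc") else SAMPLE):
        print(f"suspicious pid={p.pid} comm={p.comm!r} exe={p.exe!r} cmdline={p.cmdline!r}")
```

On a real host the script walks /proc; on the constructed sample it reports the two bots and stays silent on the genuine kworker and sshd.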
To reduce the risk of falling victim to such attacks, Linux users should use strong account passwords or, better, SSH key authentication. ASEC further advises disabling root login over SSH, restricting the IP address range allowed to reach the server, and moving SSH off its default port to a less predictable one to discourage automated bots and infection scripts.
The sources for this piece include an article in BleepingComputer.