Attacks Against Linux SSH Services Detected by AhnLab EDR

Secure SHell (SSH) is a standard protocol for secure terminal connections and is generally used for controlling remote Linux systems. Unlike Windows OS which individual users use for desktops, Linux systems mainly fulfill the role of servers providing web, database, FTP, DNS, and other services. Of course, Windows also supports these services as a server.

For both Windows and Linux, running them as a server requires a tool to remotely control them. Windows has a Remote Desktop Protocol (RDP) for this purpose and administrators can use RDP to remotely control Windows systems. Because services like RDP must be accessible to users, they are externally exposed and thus become major targets for external threat actors. If users do not employ adequate access control policies and use simple passwords, control can be compromised through brute force or dictionary attacks.

This is also the same for Linux environments. Like RDP, threat actors scan for externally exposed SSH services (port 22) and attempt to log in through brute force or dictionary attacks. Once successfully logged in, the threat actor obtains control over the system and can install malware strains such as ransomware or CoinMiners or steal information. SSH services can be used not only for these initial infiltration processes but also for lateral movement.

Figure 1. The ID and password list used in a past Tsunami DDoS bot attack campaign

AhnLab SEcurity intelligence Center (ASEC) monitors attacks against poorly managed Linux servers and also analyzes and releases attack cases involving DDoS bots such as ShellBot [1], Tsunami [2], and ChinaZ [3] and CoinMiners [4] [5].

AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on Korea’s only self-behavior-based engine. AhnLab EDR continuously collects information related to suspicious behaviors to allow users to precisely perceive threats from a detection, analysis, and response perspective and identify causes, respond with appropriate measures, and establish processes to prevent threat recurrence.

This post covers cases of attacks against Linux SSH servers that can be detected with AhnLab EDR, allowing administrators to become aware of the attack in advance, identify the cause, and respond accordingly.

1. Brute Force and Dictionary Attacks

Threat actors usually scan random or specific ranges of IP addresses to find systems where the SSH service is running or where port 22 is open. In past cases, attackers used dictionary attacks to log into a Linux system and then installed scanner malware to procure additional systems. [6] The threat actor first used a port scanner to scan for port 22 in a certain IP range and used a banner grabber for confirmed SSH servers to check whether the SSH service was running. Once this process was completed, they used an SSH dictionary attack tool to read the configuration data containing the list of ID and PW to attempt to log into the target systems and saved basic information from the systems in a result file upon a successful login.

Figure 2. Files created as a result of an SSH dictionary attack

AhnLab EDR detects multiple login failure attempts due to brute force or dictionary attacks as threats (see Figure 3) so that administrators can identify the cause and respond accordingly.

Figure 3. Detection logs upon multiple login failures

2. Process of Installing Malware by Attacking SSH Services

In the case mentioned above, the threat actor installed malware strains that performed scanning and dictionary attacks, attempting to procure more vulnerable systems. The threat actor would have been able to sell the obtained target IP and account credentials on the dark web by doing so.

However, in most cases, threat actors and malware strains with propagation features install additional malware after successfully logging into SSH servers. For example, the following image displays commands that Kinsing, a CoinMiner targeting cloud-based Linux platforms, use during the self-propagation process after logging into a remote system. [7]

Figure 4. Kinsing’s propagation commands

AhnLab EDR detects the execution of suspicious commands through SSH services as a threat and helps administrators notice it in advance.

Figure 5. Detection logs of suspicious command executed through the SSH service

3. Lateral Movement Attack Using SSH Services

While it is possible to use a password when logging into a Linux server using SSH, using an SSH key allows users to log in without entering a password. An SSH key pair (public/private keys) is created for this purpose. The public SSH key must be installed in the Linux server to log in. Once the public key is installed in the Linux server, the generated private key can be used afterward to log in from the client to the server without needing a password.

Kinsing malware takes advantage of this feature and uses it for lateral movement attacks. The “” script which is the propagation module of Kinsing is responsible for propagation based on the SSH access log and key files saved in the infected system. It collects the host, access port, user, and key files from the following files before using a loop statement to log in. Once successful, curl and wget is used to transmit a command to download and execute the aforementioned downloader script.

Collected InformationCollection Targets
Host List“*/.ssh/config”, “*/.bash_history”, “/etc/hosts”, “*/.ssh/known_hosts”, and “processes using port 22”
SSH Port“*/.bash_history”
User List“*/.ssh/id_rsa” and “*/.bash_history”
Keys“*/id_rsa”, “*/.ssh/config”, “*/.bash_history”, and “*/*.pem”
Table 1. Targets of information collection for SSH propagation
Figure 6. The script responsible for SSH propagation

When there is a behavior of a file reading a system log file and SSH key file to propagate itself to another system, AhnLab EDR detects it as a threat so that administrators can identify the cause and respond appropriately.

Figure 7. Detection logs of the behavior of reading a history file to obtain the user input record

4. Conclusion

Attack campaigns on poorly managed Linux SSH servers have been occurring persistently for quite some time. Threat actors can obtain control over the system through brute force or dictionary attacks and can install malware such as ransomware and CoinMiners or steal information.

As such, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks and update to the latest patch to prevent vulnerability attacks. They should also use security programs such as firewalls for servers that are accessible from the outside to restrict access from threat actors.

AhnLab EDR detects the initial infiltration stage of brute force and dictionary attacks, the behavior of executing suspicious commands through the SSH service, and abusing the SSH service for lateral movement as threats. Based on the detection, administrators can identify the cause and respond appropriately. Even after being exposed to an attack, they can also review the evidentiary data on the threat actor from the affected system needed to investigate the infiltration incident.

Behavior Detection
– CredentialAccess/EDR.BruteForce.M11571
– InitialAccess/EDR.Event.M11567
– Infostealer/EDR.Shell.M11231

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Attacks Against Linux SSH Services Detected by AhnLab EDR appeared first on ASEC BLOG.

Article Link: Attacks Against Linux SSH Services Detected by AhnLab EDR - ASEC BLOG