In a recent disclosure, Microsoft has uncovered an ongoing cryptojacking campaign that specifically targets Internet-exposed Linux and Internet of Things (IoT) devices. This sophisticated attack utilizes a series of brute-force techniques to gain unauthorized access to vulnerable computers. Once access is acquired, a trojanized OpenSSH malware package is deployed, acting as a backdoor, enabling attackers to infiltrate devices and steal SSH passwords for long-term persistence. This article aims to delve deeper into the intricacies of this attack, shedding light on its methodology, impact, and implications for cybersecurity.
The Attack Process
The initial phase of the attack involves relentless brute-force attempts to compromise the targeted devices. Once successful, the attackers proceed to deploy a trojanized OpenSSH package, which serves as a gateway for unauthorized access. This package intercepts SSH passwords and keys, both as a client and a server, allowing threat actors to maintain persistence and control over the compromised systems.
To conceal their presence, the attackers enable root login via SSH and suppress logging of their SSH sessions. By implementing a unique password, they avoid detection by traditional logging mechanisms. Additionally, a backdoor shell script is distributed alongside the trojanized OpenSSH code. This script adds two public keys to the authorized_keys file, granting the attackers persistent SSH access.
Malicious Activities and Manipulation
With the acquired SSH access, the threat actors proceed to gather system information and execute various malicious activities. They install Reptile and Diamorphine open-source LKM rootkits to obfuscate their actions and manipulate iptables rules and /etc/hosts entries to block traffic to competitors’ crypto jacking hosts and IPs. This manipulation ensures that the attackers maintain control over the compromised devices, maximizing their ability to exploit them for their nefarious purposes.
Disruption of Competing Miners
In an effort to gain a competitive advantage, the attackers remove other miners from the compromised systems. They achieve this by terminating or preventing access to miner processes and files, as well as disabling SSH access from the authorized_keys file that was previously configured by other opponents. This ruthless tactic allows the attackers to dominate the mining landscape and reap the benefits of their malicious activities.
Utilization of ZiggyStarTux IRC Bot
The attack also involves the deployment of ZiggyStarTux, an open-source IRC bot with distributed denial of service (DDoS) capabilities. This bot enhances the persistence of the backdoor virus and enables the threat actors to execute bash commands on the compromised systems. The trojanized OpenSSH package copies itself across multiple disk locations and sets up cron jobs for frequent execution, ensuring its continued presence. By registering ZiggyStarTux as a systemd service, the attackers maintain control over the compromised devices and establish a connection between the bots and the IRC servers via a subdomain belonging to a legitimate Southeast Asian financial organization.
Brute-Force Techniques and Subnet Exploitation
During Microsoft’s investigation, it was discovered that the attackers instructed the bots to download and execute additional shell scripts. These scripts were used to launch brute-force attacks on live hosts within the compromised device’s subnet, as well as backdoor susceptible systems using the trojanized OpenSSH package. This approach allows the attackers to expand their control over a broader range of devices and maximize their potential for unauthorized access and manipulation.
Mining Malware Targeting Hiveon OS
The ultimate objective of this cryptojacking campaign is the installation of mining malware specifically designed for Linux-based Hiveon OS computers. By targeting these systems, the attackers aim to harness the computational power for cryptocurrency mining purposes, furthering their illicit gains.
Detection and Mitigation Challenges
The trojanized OpenSSH malware employed in this attack poses significant challenges for detection and mitigation. It closely resembles the appearance and behavior of a legitimate OpenSSH server, making it difficult to identify. This exemplifies the sophistication and determination of adversaries who seek to infiltrate and manipulate exposed systems.
Security Measures and Best Practices
As the threat landscape continues to evolve, it is crucial for users and organizations to remain vigilant and adopt comprehensive security measures. Promptly applying security patches, implementing access limits, and employing proactive monitoring can help defend against cryptojacking and targeted assaults on IoT devices. Regular software updates, stringent access controls, and robust security protocols are vital in safeguarding Linux systems from unauthorized breaches.
In conclusion, the OpenSSH malware attack targeting Linux and IoT devices highlights the pressing need for heightened cybersecurity measures. By understanding the intricacies of such attacks and implementing effective security practices, individuals and organizations can mitigate the risks associated with unauthorized access and manipulation.