Heimdal
Home > Cybersecurity News

Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency

Hackers Infected Poorly Secured Servers with Tsunami Botnet Malware.

Last updated on October 3, 2023

article featured image

Contents:

Threat actors brute-forced Linux SSH servers to deploy Tsunami DDoS bot, ShellBot, log cleaners, privilege escalation tools, and an XMRig (Monero) coin miner.

Hackers port scanned for publicly exposed Linux SSH servers and brute-forced username-password pairs to log in to the server. Improperly secured servers were vulnerable to the attack.

More about the Attack on Linux SSH Servers

After gaining admin user rights on the endpoint, threat actors run a malicious command to execute various malware via a Bash script.

Source

To maintain access, hackers created a new pair of public and private SSH keys for the breached server. Among the deployed malware there were log cleaners, cryptocurrency miners, privilege escalation tools, and two types of DDoS botnets:

  • ShellBot is a Pearl-based DDoS bot that supports port scanning, UDP, TCP, and HTTP flood attacks. In addition, it can set up a reverse shell.
  • Tsunami is another DDoS botnet malware that also uses the IRC protocol to exfiltrate data to the C2 server and get instructions from it. It is also known as Kaiten and is one of the malware strains that have been distributed together with Mirai and Gafgyt. Tsunami is often used in attacks targeting IoT devices.

Tsunami persists between reboots by writing itself on “/etc/rc.local” and uses typical system process names to hide.

Besides SYN, ACK, UDP, and random flood DDoS attacks, Tsunami also supports an extensive set of remote control commands.

Source

How to Protect Against Similar Attacks

Security specialists have several recommendations for Linux users, to bolster servers` safety.

  • enforce strong passwords,
  • use SSH keys to log in to the SSH server,
  • disable root login through SSH,
  • only allow a limited number of IP addresses to access the server,
  • change the default SSH port to an atypical one, so bots and infection scripts miss it.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Related Articles

Command-and-Control Servers Explained. Techniques and DNS Security RisksDDoS-as-a-service Attacks. What Are They and How Do They Work?Scanning Attack: What It Is and How to Protect Your Organization Against It?What Is a Port Scan Attack? Definition and Prevention Measures for EnterprisesWhat Is a Brute Force Attack?What Is Malware? Definition, Types and ProtectionHow to Prevent Privilege Escalation Attacks?The Complete Guide to IoT Security and What Every Business Owner Needs to KnowDDoS Attack. How Distributed Denial of Service Works and How to Prevent It

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V