Many organizations are seeing a large number of access attempts by remote attackers using SSH scans of internet-facing control systems, ICS-CERT said in a recent security advisory.
To find running SSH services, attackers probe large numbers of IP addresses on Port 22/TCP – the default SSH listening port. If a probe receives a response, the attacker may initiate a brute force attack, the advisory warned.
The team said that it received a report last week from an electric utility that had experienced an unsuccessful brute force attack against its networks.
ICS-CERT explained that a brute force attack attempts to obtain a user’s logon credentials by guessing usernames and passwords. “Attackers can use brute force applications, such as password guessing tools and scripts, to automate username and password guessing. Such applications may use default password databases, dictionaries, or rainbow tables that contain commonly used passwords, or they may try all combinations of a character set to guess a password”, it said.
ICS-CERT recommended that organizations monitor network logs for port scans as well as access attempts. “Hundreds or thousands of login attempts over a relatively short time period is an indicator of a brute force attack because systems running SSH normally do not receive high volumes of login attempts”, it explained.
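The monitoring ICS-CERT recommends can be sketched as a sliding-window count of failed SSH logins per source address. The following is an added example, not code from the advisory; it assumes OpenSSH syslog lines, and the threshold of 100 failures in 5 minutes, the host name, and the addresses (documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failed-login line as it appears in syslog (auth.log / secure).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def detect_bruteforce(lines, threshold=100, window=timedelta(minutes=5), year=2024):
    """Return {ip: (peak failures inside any window, distinct usernames tried)}
    for every source reaching `threshold` failures. Lines must be chronological."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames guessed
    peak = defaultdict(int)       # ip -> largest window count seen
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other daemons are ignored
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # slide the window forward
        users[ip].add(m["user"])
        peak[ip] = max(peak[ip], len(q))
    return {ip: (n, len(users[ip])) for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed data: one scanner guessing once per second, one user typo."""
    def stamp(t):
        return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"
    base, names, out = datetime(2024, 2, 3, 10, 0, 0), ["admin", "operator", "guest"], []
    for i in range(300):
        out.append(f"{stamp(base + timedelta(seconds=i))} hmi01 sshd[{2000 + i}]: "
                   f"Failed password for invalid user {names[i % 3]} "
                   f"from 203.0.113.5 port {40000 + i} ssh2")
    t = stamp(base + timedelta(minutes=6))
    out += [f"{t} hmi01 sshd[4001]: Failed password for engineer from 198.51.100.7 port 50022 ssh2"] * 2
    out.append(f"{t} hmi01 sshd[4001]: Accepted password for engineer from 198.51.100.7 port 50022 ssh2")
    return out

if __name__ == "__main__":
    for ip, (count, tried) in detect_bruteforce(sample_log()).items():
        print(f"{ip}: {count} failed logins within 5 minutes, {tried} usernames tried")
```

The threshold and window should be tuned to the normal login volume of the system being watched; the count of distinct usernames helps separate password guessing from a single user retyping a password.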