A new strain of malware that targets vulnerable Linux-based systems is loose in the wild, with an interesting habit of avoiding government and military networks.
Dubbed GoScanSSH (a mash-up of its hallmarks: its Golang-based coding, its ability to scan for new hosts from infected machines, and use of the SSH port), the malware is being used in a widespread campaign that includes more than 70 unique malware samples and multiple versions, indicating that this threat is continuing to be actively developed and improved upon by the attackers. The earliest instance of a variant dates back to last summer, so the campaign has been ongoing for at least nine months.
Its main effort seems to be infecting as many machines as possible, potentially building a botnet for future use in more damaging attacks.
According to Cisco Talos researchers, bad actors gain access to targets using an SSH-credential brute-force attack against publicly accessible SSH servers.
“In this particular series of attacks, the attacker was leveraging a word list containing more than 7,000 username/password combinations,” they explained in a posting. “Once the attacker has discovered a valid credential set that allows successful SSH authentication, a unique GoScanSSH malware binary is then created and uploaded to the compromised SSH server. The malware is then executed, thus infecting the system.”
Immediately following infection, the GoScanSSH malware attempts to determine how powerful the infected system is and assigns the malware instance a unique identifier, all of which is sent to the command-and-control (C&C) server. From there, it initiates SSH scanning activity to find additional vulnerable SSH servers exposed to the internet.
It specifically avoids IP addresses assigned to the U.S. Department of Defense and several in South Korea. The reason for this is unclear.
“It is difficult to fully get inside the head of attackers, but one theory could be that the attackers know that nation-states are resourced and have the political and networking connections to perform accurate attribution,” said Dan Matthews, director of engineering at Lastline, via email. He added, “This attack does not appear complex, although they have done two things which differ from recent commodity malware: written in Go, which is an efficient/cross-platform/modern/cool programming language; and added an IP address validation step prior to performing dictionary attacks against publicly reachable SSH servers.”
Once it has been determined that the selected IP address is an ideal candidate for additional attacks, the malware attempts to obtain valid SSH credentials by attempting to authenticate to the system using the aforementioned wordlist containing username and password combinations. If successful, the malware reports back to the C&C server.
Organizations should employ best practices to ensure that servers they may have exposed remain protected, including ensuring that systems are hardened, that default credentials are changed prior to deploying new systems to production environments and that these systems are continuously monitored for attempts to compromise them.
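The “continuously monitored” recommendation above translates directly into a detection that can run over an SSH server's auth log. The script below is an added example written for this article, not code from Cisco Talos, Lastline or the GoScanSSH authors. It parses sshd login-result lines in the standard auth.log format and raises two kinds of alert: a burst of failed logins from one source address inside a sliding window (the credential-stuffing signature of a wordlist attack), and a successful login from a source that had just been failing repeatedly (the point at which the article says a binary is uploaded to the compromised host). The log lines, the documentation-range IP addresses, the year used to complete the syslog timestamps and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in auth.log format (not taken from the article
# or the Talos report); source addresses are documentation-range placeholders.
SAMPLE_AUTH_LOG = """\
Mar 26 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Mar 26 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51030 ssh2
Mar 26 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.10 port 51041 ssh2
Mar 26 10:00:07 host sshd[1207]: Failed password for invalid user pi from 203.0.113.10 port 51052 ssh2
Mar 26 10:00:09 host sshd[1209]: Failed password for root from 203.0.113.10 port 51063 ssh2
Mar 26 10:00:11 host sshd[1211]: Accepted password for root from 203.0.113.10 port 51070 ssh2
Mar 26 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 26 10:05:20 host sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the two sshd result lines that matter here: "Failed <method> for ..."
# and "Accepted <method> for ...", with or without the "invalid user" prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2018):
    """Parse one sshd auth line into a dict, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_brute_force(log_text, window_seconds=60, threshold=5,
                           min_failures_before_success=3):
    """Return alerts for (a) at least `threshold` failures from one source IP
    inside a sliding window and (b) a successful login from a source that had
    just failed `min_failures_before_success` or more times in that window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []             # (timestamp, username) of failures still inside the window
        burst_reported = False  # one brute-force alert per source is enough
        for e in evs:
            # slide the window forward to this event's timestamp
            recent = [(t, u) for t, u in recent
                      if (e["ts"] - t).total_seconds() <= window_seconds]
            if e["result"] == "Failed":
                recent.append((e["ts"], e["user"]))
                if len(recent) >= threshold and not burst_reported:
                    burst_reported = True
                    alerts.append({"ip": ip, "kind": "brute_force", "ts": e["ts"],
                                   "failures": len(recent),
                                   # many distinct usernames from one source is the
                                   # wordlist signature, not a user mistyping a password
                                   "distinct_users": len({u for _, u in recent})})
            elif len(recent) >= min_failures_before_success:
                # A success right after a run of failures is the moment a wordlist
                # attack found working credentials: treat it as a likely compromise.
                alerts.append({"ip": ip, "kind": "success_after_failures", "ts": e["ts"],
                               "user": e["user"], "method": e["method"],
                               "failures": len(recent)})
                recent = []
            # An accepted login with few or no prior failures is normal traffic.
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_brute_force(SAMPLE_AUTH_LOG):
        print(alert)
```

Run against the constructed log, the script reports one brute-force burst from 203.0.113.10 (five failures across three usernames within the window) followed by a success_after_failures alert for the root password login that follows it, while the single failed attempt from 198.51.100.7 before a key-based login stays below both thresholds. In production the same logic would be fed from a log shipper rather than a string, and the success_after_failures alert is the one worth paging on, since it marks a host that should be treated as compromised until the login is explained.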
As Matthews said, “The best thing any organization can do to protect against password reuse attacks is to enable some type of multifactor authentication, particularly for services such as VPNs, SSH servers and web/cloud-based email services, which are reachable from the internet.”