Full Report
Overview
AhnLab SEcurity intelligence Center (ASEC) is using a honeypot to respond to and categorize brute-force and dictionary attacks that target poorly managed Linux SSH servers. This post covers the status of the attack sources identified in logs from the second quarter of 2025 and the statistics of attacks performed by these sources. It also […]
Analysis Summary
# Tool/Technique: P2PInfect (Worm)
## Overview
P2PInfect is a worm malware family frequently observed targeting poorly managed Linux SSH servers through brute-force and dictionary attacks, according to Q2 2025 honeypot data. It accounted for 50.0% of observed attacks.
## Technical Details
- Type: Malware family (Worm)
- Platform: Linux
- Capabilities: Exploits weak SSH credentials to gain access, subsequently installing malware.
- First Seen: Q2 2025 (Based on the monitoring period provided)
## MITRE ATT&CK Mapping
*Note: Based on observed behaviors (brute-forcing SSH and gaining access).*
- T1110 - Brute Force (Credential Access tactic)
- T1110.001 - Password Guessing
- T1078 - Valid Accounts
- T1078.003 - Local Accounts
- T1021 - Remote Services
- T1021.004 - SSH
## Functionality
### Core Capabilities
- Exploiting poorly managed Linux SSH servers via brute-force or dictionary attacks.
- Gaining administrative control upon successful login.
- Installing subsequent malware payloads.
### Advanced Features
- The source does not detail P2PInfect's post-compromise features beyond initial access and payload installation; its classification as a worm implies self-propagation or lateral movement after compromise.
## Indicators of Compromise
- File Hashes:
- MD5: `16d1dfa35d64046128290393512171ce`
- MD5: `35d79027834a3b6270455f59b54f2e19`
- File Names: Not explicitly listed, but related downloads are shell scripts (`.sh`).
- Registry Keys: Not applicable (Linux).
- Network Indicators:
- Download URLs containing potential payloads or scripts: `hxxps[:]//0x0[.]st/8VDs[.]sh`, `hxxps[:]//raw[.]githubusercontent[.]com/eooce/sing-box/main/sing-box[.]sh`
## Associated Threat Actors
- Not explicitly named, but associated with automated attacks targeting vulnerable Linux SSH infrastructure.
## Detection Methods
- Behavioral detection focusing on repeated failed SSH login attempts (brute-forcing).
- Signature-based detection targeting the file hashes or specific network patterns associated with payload delivery.
- YARA rules focusing on the presence of the downloaded scripts or binaries.
## Mitigation Strategies
- Enforce strong, unique passwords for all user accounts, especially administrative ones.
- Implement SSH key-based authentication instead of relying solely on passwords.
- Limit SSH access via firewall rules (e.g., only allow access from known IPs).
- Implement rate-limiting or intrusion prevention systems (IPS) to detect and block brute-force attempts.
## Related Tools/Techniques
- Tsunami (also responsible for 38.5% of attacks observed in the same period).
---
# Tool/Technique: Tsunami (Malware)
## Overview
Tsunami is a form of malware frequently observed targeting poorly managed Linux SSH servers through brute-force and dictionary attacks. It accounted for 38.5% of the observed attacks in Q2 2025.
## Technical Details
- Type: Malware family
- Platform: Linux
- Capabilities: Inferred to be related to initial access via SSH compromise and subsequent system takeover/payload installation.
- First Seen: Not specified, but active in Q2 2025.
## MITRE ATT&CK Mapping
*Note: Based on observed initial access vectors.*
- T1110 - Brute Force (Credential Access tactic)
- T1110.001 - Password Guessing
- T1078 - Valid Accounts
- T1078.003 - Local Accounts
- T1021 - Remote Services
- T1021.004 - SSH
## Functionality
### Core Capabilities
- Automated compromise of Linux SSH services using weak credentials.
- Installation of secondary malware/tools post-compromise.
### Advanced Features
- Not detailed in the context provided.
## Indicators of Compromise
- File Hashes: Not specifically attributed to Tsunami in isolation from P2PInfect instances, though overlaps are likely given the environment.
- File Names: Not specified.
- Registry Keys: Not applicable (Linux).
- Network Indicators: Likely utilizes similar C2 infrastructure or payload delivery mechanisms as P2PInfect attacks observed.
- Behavioral Indicators: Repeated failed login attempts followed by system reconnaissance and file downloads/execution.
## Associated Threat Actors
- Not explicitly named.
## Detection Methods
- Monitoring for high volumes of failed SSH authentication attempts.
- Monitoring for processes executing downloaded scripts from untrusted external sources after successful SSH login.
## Mitigation Strategies
- Regularly audit and change default or weak credentials.
- Ensure SSH daemon configurations (sshd_config) enforce secure settings (e.g., disabling root login, disabling password auth if possible).
- Deploy intrusion detection systems focused on credential compromise.
## Related Tools/Techniques
- P2PInfect.
---
# Tool/Technique: Brute-Force/Dictionary Attacks Against SSH
## Overview
This technique describes the initial stage of compromise targeting Linux SSH deployments exhibiting weak credentials or inadequate security controls. Attack sources use automated login attempts to gain initial access. These methods accounted for the majority of the observed attack traffic.
## Technical Details
- Type: Technique
- Platform: Linux (primarily, though the same technique applies to any service that accepts password authentication)
- Capabilities: Rapidly testing a list of common or breached passwords against known usernames (dictionary attack) or systematically testing all combinations (brute-force attack) for SSH authentication.
- First Seen: Historical/Ongoing
## MITRE ATT&CK Mapping
- T1110 - Brute Force (Credential Access tactic)
- T1110.001 - Password Guessing
- T1078 - Valid Accounts
- T1078.003 - Local Accounts
- T1021 - Remote Services
- T1021.004 - SSH
## Functionality
### Core Capabilities
- Scanning environments for open SSH ports (default port 22).
- Iteratively attempting to log in using common user/pass pairs or incremental password guessing.
### Advanced Features
- Scanning for targets precedes credential testing.
- Successful breaches lead to information gathering and malware installation.
## Indicators of Compromise
- File Hashes: N/A (Focus is on the access method itself)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: High volume of TCP connection attempts to port 22 followed by authentication failure messages in SSH logs.
- Behavioral Indicators: Automated, high-frequency login attempts from a single source IP.
## Associated Threat Actors
- Wide variety of automated botnets and attackers targeting easily discoverable infrastructure.
## Detection Methods
- Log analysis for rapid successive authentication failures directed at user accounts.
- Monitoring network traffic for unusual connection patterns to TCP port 22.
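The two detection methods above can be combined into a single check over sshd authentication logs: count failures per source address inside a sliding window, and treat a successful login from an address that has already crossed the threshold as a suspected compromise. This is an added example, not code from the report; the log lines are constructed in OpenSSH's default syslog format, and the threshold, window size and log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not from the report). The addresses are from
# documentation ranges, so nothing here refers to a real host.
SAMPLE_LOG = """\
Jun 14 03:12:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun 14 03:12:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Jun 14 03:12:04 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 50138 ssh2
Jun 14 03:12:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 50144 ssh2
Jun 14 03:12:08 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 50150 ssh2
Jun 14 03:12:11 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 50158 ssh2
Jun 14 03:20:40 web1 sshd[2300]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Jun 14 03:21:02 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines sshd emits.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2025):
    """Parse one sshd auth line; syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def analyze(log_text, threshold=5, window_s=60):
    """Return (brute_force_ips, suspected_compromises).
    brute_force_ips: sources with >= threshold failures inside any window_s-second window.
    suspected_compromises: (ip, user, method) for an accepted login from a source
    that had already been flagged, i.e. the failures-then-success pattern in this report."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged, compromises = set(), []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()        # drop failures older than the window
            if len(q) >= threshold:
                flagged.add(ev["ip"])
        elif ev["ip"] in flagged:
            compromises.append((ev["ip"], ev["user"], ev["method"]))
    return sorted(flagged), compromises
```

On the sample, only the first source is flagged, and its later accepted password login is reported as a suspected compromise; the single failure followed by a key-based login is left alone.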
## Mitigation Strategies
- Implement fail2ban or similar tools to dynamically block IPs exhibiting brute-force behavior.
- Enforce complex password policies and MFA where possible.
- Change the default SSH listening port (this reduces noise from mass scanners but is not a substitute for the controls above).
## Related Tools/Techniques
- SSH scanning tools used to identify vulnerable hosts.