Tsunami botnet targets unsecured Linux servers

June 27, 2023

A newly discovered cybercriminal campaign uses the Tsunami botnet to target poorly managed Linux SSH servers. The threat actors distribute the botnet alongside malware payloads such as XMRig miner, Log Cleaner, and ShellBot to execute DDoS and cryptomining attacks.

These miscreants utilise dictionary attacks to log into SSH servers that lack proper security management. After a successful log-in, the attackers run a command that executes a Bash script to download and run various malware strains.

This Bash script could execute various preliminary commands to take control of compromised systems and install a backdoor SSH account.
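The intrusion chain described above starts with a dictionary attack against SSH, so the earliest detectable signal is a burst of failed password logins from one source followed by a successful one. The block below is an added example, not code from the article or from any vendor's product: it parses sshd syslog lines in the standard OpenSSH format, flags a source address that crosses a failure threshold inside a sliding window, and separately flags a password login that is accepted after earlier failures from the same address. The log lines, the threshold and the window size are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format (sample input, not data from the article).
SAMPLE_AUTH_LOG = """\
Jun 27 10:01:03 host sshd[2101]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jun 27 10:01:05 host sshd[2103]: Failed password for root from 198.51.100.7 port 41030 ssh2
Jun 27 10:01:07 host sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 41044 ssh2
Jun 27 10:01:09 host sshd[2107]: Failed password for root from 198.51.100.7 port 41051 ssh2
Jun 27 10:01:12 host sshd[2109]: Failed password for root from 198.51.100.7 port 41063 ssh2
Jun 27 10:01:15 host sshd[2111]: Accepted password for root from 198.51.100.7 port 41070 ssh2
Jun 27 10:05:30 host sshd[2140]: Accepted publickey for deploy from 203.0.113.5 port 50212 ssh2
Jun 27 10:06:00 host sshd[2150]: Failed password for invalid user test from 203.0.113.9 port 50300 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" sshd messages.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+\d+"
)


def parse_sshd_line(line, year=2023):
    """Parse one sshd auth line into a dict, or return None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2023 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect_dictionary_attacks(log_text, threshold=5, window_seconds=600):
    """Return two kinds of findings:
    - brute_force: source IPs with >= threshold failed password logins inside the sliding window
    - suspicious_success: password logins accepted from an IP that had failures shortly before
    Threshold and window are constructed tuning values; adjust them to the environment."""
    failures = defaultdict(list)  # ip -> timestamps of recent password failures
    findings = {"brute_force": {}, "suspicious_success": []}
    for raw in log_text.splitlines():
        ev = parse_sshd_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed" and ev["method"] == "password":
            failures[ip].append(ev["ts"])
            # Drop failures that fell out of the sliding window before counting
            failures[ip] = [t for t in failures[ip] if (ev["ts"] - t).total_seconds() <= window_seconds]
            if len(failures[ip]) >= threshold:
                findings["brute_force"][ip] = len(failures[ip])
        elif ev["result"] == "Accepted" and ev["method"] == "password" and failures.get(ip):
            # A password accepted right after a run of failures is the signature of a
            # dictionary attack that found a valid credential.
            findings["suspicious_success"].append(
                {"ip": ip, "user": ev["user"], "prior_failures": len(failures[ip])}
            )
    return findings


if __name__ == "__main__":
    for kind, value in detect_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(kind, value)
```

Run against a live server the same logic reads `/var/log/auth.log` (or `journalctl -u ssh`) instead of the embedded sample; the `suspicious_success` finding is the one worth paging on, because it marks the point at which the attackers in this campaign would run their Bash script.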


The Tsunami botnet operators have utilised multiple malicious tools that could operate other attack processes.


The attackers used ShellBot, which, like the Tsunami botnet, communicates over the IRC protocol. ShellBot supports several malicious functions, such as port scanning, basic DDoS attacks, and reverse shells.

In addition, the attackers also used the Log Cleaner tool that enables them to delete or modify specific logs in Unix, BSD, and Linux server environments. This tool allows the threat actors to launch attacks without alerting AV solutions.

The campaign also drops a file named ping6, an ELF malware binary that the actors could utilise to obtain a shell with root privileges. Other researchers also noticed that these attacks include the XMRig CoinMiner, which the attackers installed to mine cryptocurrency on the infected systems.

Tsunami, also known as Kaiten, is used by many malicious attackers as the botnet’s source code is publicly available. The notorious 8220 Gang is one such threat group recently found using the botnet, among other tools, in this series of campaigns.

Lastly, the researchers believe that the threat actors consistently use the botnet to complement Mirai when targeting exposed IoT devices.

Cybersecurity experts explained that attacks against poorly managed Linux SSH servers have been rising recently. Therefore, server admins should use passwords that are difficult to guess to withstand dictionary attacks.

They should also change these passwords periodically. Finally, experts recommend that admins employ security programs such as third-party firewalls to restrict an attacker's access.
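The hardening advice above can be checked mechanically. The block below is an added example, not code from the article: it reads an sshd_config fragment, resolves the effective value of each directive (sshd honours the first occurrence of a key and ignores commented lines), and reports settings that leave a server open to the dictionary attacks this campaign relies on. It goes somewhat beyond the article's advice by treating key-only authentication, no root password login and a low MaxAuthTries as the baseline; the directive names are real OpenSSH options, the baseline values and the sample configuration are this example's own choices.

```python
import re

# Constructed sshd_config fragment showing the weak settings (sample input, not from the article).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
# PubkeyAuthentication yes
"""

# Hardened baseline assumed by this example. Directive names are genuine OpenSSH
# sshd_config options; the values are this example's recommendation.
HARDENED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "3",
}

# Upstream OpenSSH compiled-in defaults used when a directive is absent. Distribution
# packages may ship different defaults, so treat these as an assumption to verify locally.
UPSTREAM_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "6",
}


def parse_sshd_config(text):
    """Return the effective directive values keyed by lower-cased directive name.
    Like sshd, keep the first occurrence of a key and skip blank and commented lines."""
    effective = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Key value" and "Key=value"; split on the first separator only
        parts = re.split(r"\s+|=", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Compare the effective configuration with the hardened baseline.
    Returns a list of (directive, actual_value, recommended_value) for each weak setting."""
    effective = parse_sshd_config(text)
    findings = []
    for key, wanted in HARDENED.items():
        actual = effective.get(key.lower(), UPSTREAM_DEFAULTS[key])
        if key == "MaxAuthTries":
            # Any limit at or below the baseline is acceptable
            ok = int(actual) <= int(wanted)
        else:
            ok = actual.lower() == wanted.lower()
        if not ok:
            findings.append((key, actual, wanted))
    return findings


if __name__ == "__main__":
    for directive, actual, wanted in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"{directive}: is '{actual}', recommend '{wanted}'")
```

Point the audit at the real file (`open("/etc/ssh/sshd_config").read()`) and remember that a `Match` block or an `Include`d drop-in can override what the main file says; this example does not follow either, so check `sshd -T` for the values the daemon actually uses.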
