Security researchers have recently uncovered a sophisticated attack campaign targeting Linux-based systems and Internet of Things (IoT) devices. According to a recent blog post by Microsoft, the attackers used a patched (trojanized) version of OpenSSH to compromise devices and install cryptomining malware.
The attackers used a subdomain belonging to a Southeast Asian financial institution as a command and control (C2) server, part of an established criminal infrastructure. Through a backdoor, various tools, including rootkits and an IRC bot, were deployed to hijack device resources for cryptocurrency mining.
One of the key tactics employed in this attack campaign was the installation of a modified version of OpenSSH. This allowed the threat actors to gain persistent access, intercept SSH credentials, move laterally within networks, and mask malicious SSH connections. The modified OpenSSH version was designed to mimic a legitimate server, making it harder to detect.
The attack chain began with the brute-forcing of credentials on misconfigured internet-facing Linux devices. Once compromised, the attackers proceeded to download and install the malicious OpenSSH package, providing them with the necessary access and credentials to carry out their activities.
To further evade detection, the backdoor deployed the open-source rootkits Diamorphine and Reptile to conceal its presence on the compromised systems. Communication with a remote command and control server was established through an IRC bot named ZiggyStarTux, which let the threat actors execute commands and launch distributed denial of service (DDoS) attacks.
In response to this threat, Microsoft has issued a series of mitigation recommendations to safeguard devices and networks. These include hardening the configuration of internet-facing devices, keeping firmware and patches up to date, using secure VPN services for remote access, and deploying comprehensive IoT security solutions.
This discovery comes on the heels of Microsoft’s recent announcement regarding the integration of OpenAI technology into its services, showcasing the company’s commitment to advancing technology while also addressing emerging cybersecurity threats.