RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2
2024/01/11 18:53:52

SSH

SSH (Secure Shell) is an application-layer network protocol that can be used to remotely manage the operating system and tunnel TCP connections, such as file transfers. The SSH protocol is similar in functionality to the Telnet and rlogin protocols. However, its distinctive feature is the encryption of all traffic, including transmitted passwords. Encryption algorithms in SSH can be different, since this protocol provides for the choice of different encryption algorithms. For most network operating systems, there are SSH clients and SSH servers.

Content

SSH serves as a guarantee of secure transmission in an unprotected environment of any other network protocol, thanks to which it is possible to remotely work on a computer through a command shell, as well as transmit video or audio stream over an encrypted channel.

Currently, there are several versions of the SSH protocol that differ from each other in general operating schemes and encryption algorithms. The most popular now is SSH version two. Smaller versions of the protocol are unsafe by modern standards, as they have several very dangerous gaps.

2024: New zombie network discovered. Under threat of infection 700 thousand. IoT devices and Linux servers in Russia

Akamai researcher Steve Kupchik published a report [1] about a variant of the Mirai zombie network he discovered, which he called NoaBot. The new version is distinguished from the original malware, the source code of which was published in 2016 by the distribution using the secure remote control protocol SSH and the built-in cryptominer XMRig, which may use its own mining pool. Timestamps discovered by the researcher in the worm code date its development to January 2023.

NeoBot activity during the past year (Akamai data)

NoaBot, like Mirai, is a zombie worm that targets infecting IoT devices based on, Linux such as home, routers video cameras servers , and Linux based with a remote SSH connection enabled and a weak password for it. It uses a dictionary password matching attack to spread. However, Mirai's source code was collected by another compiler other than GCC, so antivirus tools do not define it as Mirai. Moreover, now a vulnerability has been discovered in the SSH implementation, which even received its own name - Terrapin[2]. It allows, by manipulating the sequence of packets, to force the SSH server or client to lower the encryption level and even disable its protection against attacks.

Moreover, according to Shadowserver statistics[3]The[4], in Russia, up to 700 thousand devices are found that may be susceptible to this attack. This is the fourth place in the world in terms of distribution of this application - only the United States (3.3 million), China (1.3 million) and Germany (1 million) are ahead in terms of the number of installations. Fortunately, until support for Terrapin is implemented in NoaBot, however, if this happens, the number of infections of this malware will greatly increase. In the meantime, its distribution is only 800 cases discovered by Akamai.

Statistics of vulnerable SSH servers in Russia (Shadowserver data)

Another feature of NoaBot is that it hides very well. In particular, even in the built-in miner XMRig, neither the address of the cryptocurrency recipient nor the mining pool are indicated. Steve Kupchik believes that the malware developer has implemented its own pool, which greatly complicates the investigation of the incident. Since now, by all indications, crypto-zyme is over, it is highly likely that developers of such crypto-miners will be activated.

To protect against such zombie worms, it is recommended not to leave default passwords on Linux devices and make them quite complex. In addition, you need to install updates for devices and, if possible, monitor their behavior using firewalls.

2017: Criminals massively scan sites for closed SSH keys

Cybercriminals massively scan WordPress websites for directories containing closed SSH keys in order to hack them with accidentally compromised credentials[5].

SSH authentication can be carried out both according to the classic model (using a login and password) and using keys. In the second case, the administrator generates a key pair (private and public keys). The private key is placed on the server to be authenticated. In turn, the user saves it in the local SSH configuration file.

On October 17-18, experts from the American information security company Wordfence recorded[6] an unexpected surge in site scans for folders with specific names. Judging by the names of the folders, those who scanned were interested in closed SSH keys. In particular, they searched for directories mentioning "root," "ssh" or "id_rsa".

According to Wordfence founder Mark Maunder, this may indicate that cybercriminals have made progress in finding private keys and increased activity. There is probably a vulnerability, or owners of WordPress sites make an operating error that makes private SSH keys available to third parties.

Links

SSH Protocol Description

Notes