#sshstalker

Linux issues do not often pop up in my cyber news feeds, for the simple fact that there rarely are any. There might be a cross platform mention from time to time, but that’s about it. And to be honest, the article that headed my research into this topic was buried somewhat in a list of others, and is dated from a couple weeks ago. I happened upon it; it wasn’t on my dashboard. All that said, Linux operating systems provide the backbone for many enterprises and platforms, and a vulnerability in them bears the same cause for concern as in other OS’s, if not more simply because of the rarity.

Two weeks ago, The Hacker News reported on Flare’s research into a previously undocumented Linux botnet operation dubbed SSHStalker. The attack combines 2009-era Internet Relay Chat (IRC) botnet tactics with modern mass-compromise automation. Now this may sound like a non-issue. After all, who’s still using an OS dating back to 2009? But this attack is deployed in such a way as to exploit legacy CVE’s that remain in the kernel of Linux based systems, a foundational part of the code that is part and parcel of Linux’s integral backwards compatibility. Flare describes SSHStalker’s tactics as being low value against modern stacks, but effective against 'forgotten' infrastructure and long-tail legacy environments.

They cross-referenced this attack (after attracting it through a honeypot scheme as part of normal threat detection monitoring) to see if it matched any previously recorded incursion and found its behavior to be distinct. It maintained persistent access without executing any observable impact operations, despite having the capability to launch DDoS attacks and conduct cryptomining. There is confidence that this is more of a staging, testing, or strategic access retention for future use rather than an active attack campaign. Hence the ‘stalker’ nomenclature.

Persistence is maintained through a ‘keep-alive’ command, a red flag to me as someone who uses Linux in analysis. ‘Keep-alive’ is a command for keeping a connection port open with regular refreshing; every minute, in this instance. It’s not always malicious. It’s often found in logs over the course of an active session, for instance. A ping between host and client to make sure both ends are still there. But it should be a consequence of that active session, not a root executable from the get go. Another of SSHStalker’s hallmarks is the execution of C program files to clean SSH connection logs and erase traces of malicious activity from them to reduce forensic visibility. The vector of attack with SSHStalker is one of brute force, rather than stealth. Flare’s research team discovered that it leaves a fairly obvious trail behind it once one knows what they’re looking for, and has detailed the structure and stages of its behavior in their article.

The danger of this attack is that it can lead to command-and-control of the kernel through the few legacy artifacts that may be present, which subsequently gives total access and operational control to every aspect of a system’s functions. This isn’t an actor looking to create zero-days, but is ‘demonstrating strong operational discipline in mass compromise workflows, infrastructure recycling, and long-tail persistence across heterogeneous Linux environments’, according to Flare.

They go on to point out that in today’s digital environment, the relevance of exploiting the legacy CVE’s is low for fully maintained infrastructure, but not zero. Meaning it affects only a small percentage of Linux servers. But their research scans uncovered upwards of seven thousand compromised target IP’s in close timeline proximity to their honeypot, half of which were here in the US, and were heavily dominated by cloud hosting providers. That indicates influence over supply chains as opposed to individuals. The exploit kit is open source, and has a lower skill level requirements, giving it a wider range of utility for ‘mid-tier’ actors. I suspect what we’re seeing here is the beginning of a malware-as-a-service. It’ll be worth keeping an eye out for it.

The SSHStalker botnet attacks older Linux servers with automated SSH brute-force and IRC-based command-and-control, deploying cryptominers and distributed attack modules across cloud environments.

Source: Flare