Cisco Talos: GoScanSSH malware targets Linux appliances but avoid government and military servers
Ddos The Cisco Talos team recently discovered a new malware family targeted at vulnerable Linux devices and tried to avoid infecting devices in government and military networks.
This malware family is named “GoScanSSH” and is derived from its main features and functions – encoding in the Go language, scanning for new targets using infected devices, and using the SSH port as an entry point for infection.
The Talos team stated that GoScanSSH’s infection process is relatively complex and is different from the typical Internet of Things botnet Bots (an auto-run Trojan that can execute external commands). It seems to be only looking for a foothold within the organization’s internal network and trying to avoid government and military networks (GoScanSSH contains two blacklists: an IP blacklist and a domain blacklist to exclude specific sites during the infection process. ).
GoScanSSH’s goals are obviously those publicly accessible Linux devices that have the SSH port service turned on. In the initial infection, it uses a list of words containing more than 7000 username and password combinations to attempt brute force SSH authentication.
Usernames used by GoScanSSH include admin, guest, Oracle, osmc, pi, root, test, ubnt, Ubuntu, and user. If these SSH ports are configured to use default credentials or weaker credentials, they will be vulnerable to GoScanSSH infection.
A typical GoScanSSH infection process is detailed below:
- Randomly select an IP address on the infected device;
- Check whether the IP address is on the IP blacklist.
- Scan this IP address on port 22 to find an open SSH port;
- If this IP address has an open SSH port, GoScanSSH will run a reverse DNS lookup to see if the IP address hosts a website;
- If the IP address hosts a website, GoScanSSH compares the website’s domain name with the domain’s blacklist. This blacklist includes: .mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, .govt.uk, .mod.uk, .gov.au, .govt. Nz, .mil.nz, .parliament.nz, .gov.il, .muni.il, .idf.il, .gov.za, .mil.za, .gob.es, and .police.uk do this The purpose is to avoid government and military websites;
- If the IP address hosts any website related to government, military or law enforcement, GoScanSSH will switch to a new IP address;
- If the IP address does not host such a site, GoScanSSH will perform the above SSH authentication brute-force cracking;
- If SSH authentication passes, GoScanSSH reports to the C&C server on the dark network (communication via Tor2Web proxy);
- The attacker then manually logs in to the newly discovered device and installs GoScanSSH.
- After GoScanSSH establishes a new foothold, it will return to the first step to find the next goal.
The Talos team stated that they have so far discovered more than 70 unique GoScanSSH malware samples involving multiple versions (eg 1.2.2, 1.2.4, 1.3.0, etc.), indicating that GoScanSSH developers are still Its ongoing development and improvement.
This infection pattern of GoScanSSH makes it look very suitable for installing cryptocurrency mining software because it can automatically scan to discover new targets. But until now, this situation has not occurred.
The Talos team even stated that according to the list of usernames and passwords used by GoScanSSH, the targets it targets are basically IoT devices that do not have the necessary hardware for mining.
The GoScanSSH targets may include the following devices: Open Source Embedded Linux Entertainment Center (OpenELEC), Raspberry Pi, Open Source Media Center (OSMC), Ubiquiti devices using default credentials, Polycom SIP phones using default credentials, Use Huawei devices for default credentials, Asterisk devices using default credentials, etc.
For now, although we do not know what the ultimate goal of GoScanSSH developers is. However, since GoScanSSH deployed in the process, they tried to avoid government and military networks, it really looks like someone is preparing for the invasion of a larger network.
Although it has been active since June 2017, more than 70 unique samples have been deployed and over 250 different C&C servers have been used. But the Talos team found that the number of really infected devices is very small.
According to Cisco’s passive DNS data, the C&C server domain name with the most DNS resolution requests has been observed 8579 times, which is very small compared to the most Internet of Things botnets.
Image: talosintelligence
Despite this, the Talos team recommends that organizations should take the necessary measures to protect their exposed servers on the Internet, change their default credentials before deploying the new system to the work environment, and ensure that these systems are under continuous monitoring.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
