A worm has been quietly building a botnet for the past year. It breaks into Linux SSH servers with weak authentication. Akamai dubbed it NoaBot.
The zombie servers then mine cryptocurrency. In today’s SB Blogwatch, we urge a switch to key-based auth.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Doge party.
What’s the craic? Lucian Constantin reports—“NoaBot botnet deploys cryptominer”:
“Low-hanging fruit”
A new botnet has been slowly growing over the past year by brute-forcing SSH logins and deploying cryptomining malware on Linux servers. The main bot client is based on the old Mirai worm whose source code has been available for years. … The botnet has grown [Since] January 2023. … Akamai has recorded over 800 unique IP addresses from around the world that showed signs of NoaBot infections with 10% of them based in China.
…
However, SSH dictionary attacks — where the attacker will test predefined pairs of usernames and passwords — are nothing new and are also easy to defend against by following best security practices like using SSH key-based authentication and disabling password authentication. This means that the servers compromised by NoaBot are likely low-hanging fruit from a security perspective.
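Lucian's "easy to defend against" cuts both ways: a dictionary attack is also easy to see in the auth log, because it leaves a burst of "Failed password" lines spread across many usernames from one address. Here is an added example (ours, not Lucian's or Akamai's) that pulls that signature out of OpenSSH syslog lines. The log lines are constructed samples in sshd's standard message format, using RFC 5737 documentation addresses; the script assumes POSIX sh, awk and mktemp.

```shell
#!/bin/sh
# Added example (not from the article or Akamai): spot an SSH dictionary
# attack in OpenSSH syslog lines. The log below is constructed sample data in
# sshd's standard "Failed password for ..." / "Accepted ... for ..." format,
# using RFC 5737 documentation addresses. Assumes POSIX sh, awk and mktemp.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 14 03:12:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 14 03:12:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51010 ssh2
Jan 14 03:12:04 host sshd[2205]: Failed password for invalid user pi from 203.0.113.7 port 51014 ssh2
Jan 14 03:12:06 host sshd[2207]: Failed password for invalid user ubuntu from 203.0.113.7 port 51020 ssh2
Jan 14 03:12:08 host sshd[2209]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jan 14 03:12:09 host sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51040 ssh2
Jan 14 03:15:40 host sshd[2300]: Failed password for alice from 198.51.100.22 port 40011 ssh2
Jan 14 03:15:52 host sshd[2302]: Accepted publickey for alice from 198.51.100.22 port 40012 ssh2: ED25519 SHA256:constructedSampleFingerprint
Jan 14 03:20:00 host sshd[2400]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jan 14 03:20:02 host sshd[2402]: Accepted password for root from 192.0.2.9 port 60002 ssh2
EOF

# brute_force_sources LOGFILE [THRESHOLD]
# Prints "ip failures distinct_users" for each source address with at least
# THRESHOLD (default 5) failed password attempts. Many failures across many
# usernames from one address is the dictionary-attack signature. Fields are
# cut out of the message text with sub(), so the timestamp format is irrelevant.
brute_force_sources() {
    awk -v thr="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            user = $0; sub(/.*Failed password for (invalid user )?/, "", user)
            sub(/ from .*/, "", user)
            fails[ip]++
            if (!seen[ip, user]++) users[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip], users[ip] }
    ' "$1" | sort
}

# guessed_logins LOGFILE
# Prints "ip user" for every "Accepted password" from an address that had
# already failed at least once: a guessed password, not a key login. Note that
# alice's failure followed by "Accepted publickey" is NOT reported.
guessed_logins() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip); failed[ip] = 1
        }
        /sshd\[[0-9]+\]: Accepted password for / {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            user = $0; sub(/.*Accepted password for /, "", user); sub(/ from .*/, "", user)
            if (failed[ip]) print ip, user
        }
    ' "$1"
}

echo "== sources with >= 5 failed passwords (ip failures distinct_users)"
brute_force_sources "$LOG"
echo "== password logins that followed failures from the same address (ip user)"
guessed_logins "$LOG"
```

On a real host, point both functions at /var/log/auth.log (or the output of journalctl -u ssh); the threshold is the second argument. The second function is the one worth an alert: a successful password login from an address that was guessing a minute earlier is exactly how a NoaBot-style bot gets its foothold, and on a key-only server it can never fire.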
Ah. Poor passwords—what else is new? Joe Warminsky and Jonathan Greig add—“Yet another Mirai-based botnet”:
“Malicious activities”
NoaBot … has various quirks that complicate analysis of the malware and point to highly-skilled threat actors. … The Akamai researchers said that … the hackers take great care to hide the wallet address where the cryptominer sends mined coins. And other aspects of the campaign are difficult to size up: “The malware obfuscation and custom code show a high level of operation security.”
…
Mirai variants proliferated after its original U.S.-based creators published the source code in 2016. Originally used for distributed denial-of-service (DDoS) attacks, Mirai eventually became a tool for other malicious activities.
Horse’s mouth? Stiv Kupchik—“You Had Me at Hi”:
“Arbitrary internet SSH access”
The NoaBot botnet has most of the capabilities of the original Mirai botnet (such as a scanner module and an attacker module, hiding its process name, etc.), but we can also see many differences from Mirai’s original source code. First and foremost, the malware’s spreader is based in SSH, not based in Telnet like Mirai.
…
Once a connection is established, the botnet simply sends the string “hi”. … Why does it bother sending “hi”? … That’s a mystery.
…
Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong … passwords also makes your network more secure.
Did someone say, “Low-hanging fruit”? morserer counts the ways:
Spreads via password-authenticated SSH, which is the first thing you disable when you set up an SSH server.
Doesn’t hide its CPU usage.
Does a few mildly crafty things to prevent reverse engineering.
…
Overall this “worm” just seems like it’s picking low-hanging fruit. This doesn’t seem serious at all, nor difficult to detect.
Disable passwords—got it. But what should we do instead? Here’s Narcocide:
Don’t use passwords at all. Disable them in the sshd config and use keys instead.
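Narcocide's advice in practice, as an added example (ours, not the commenter's): a constructed weak sshd_config beside a key-only one, plus a small audit of the effective settings. The directive names are real sshd_config keywords; the two files are constructed samples written to scratch paths, and the audit ignores Match blocks (it assumes the settings it checks are global). It assumes POSIX sh, awk and mktemp.

```shell
#!/bin/sh
# Added example, not from the article or the commenters: a weak sshd_config
# beside the key-only one, and a small audit of the effective settings.
# Directive names are real sshd_config keywords; the two files are constructed
# samples written to scratch paths. Assumes POSIX sh, awk and mktemp.

WEAK=$(mktemp)
HARD=$(mktemp)

cat > "$WEAK" <<'EOF'
# constructed sample: everything a dictionary attack needs
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD" <<'EOF'
# constructed sample: keys only; password and PAM keyboard prompts both off
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
EOF

# sshd_effective FILE KEYWORD DEFAULT
# sshd takes the FIRST occurrence of a keyword (case-insensitive) outside any
# Match block; later duplicates are ignored. Prints that value, lower-cased,
# or DEFAULT if the keyword is absent. The scan stops at the first Match line.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        tolower($1) == "match"          { exit }
        /^[[:space:]]*#/ || NF < 2      { next }
        tolower($1) == key              { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per finding; returns 0 when the file leaves no password
# guessing surface, 1 otherwise. The DEFAULT arguments are OpenSSH's own
# defaults, so an empty file is reported as weak, which it is.
audit_sshd_config() {
    f=$1; bad=0
    pa=$(sshd_effective "$f" PasswordAuthentication yes)
    # keyboard-interactive (PAM) still prompts for a password unless it is off
    # too; before OpenSSH 8.7 the keyword was ChallengeResponseAuthentication.
    kb=$(sshd_effective "$f" KbdInteractiveAuthentication \
         "$(sshd_effective "$f" ChallengeResponseAuthentication yes)")
    pr=$(sshd_effective "$f" PermitRootLogin prohibit-password)
    pk=$(sshd_effective "$f" PubkeyAuthentication yes)
    [ "$pa" = no ] || { echo "$f: PasswordAuthentication=$pa (want no)"; bad=1; }
    [ "$kb" = no ] || { echo "$f: KbdInteractiveAuthentication=$kb (want no)"; bad=1; }
    [ "$pr" = no ] || [ "$pr" = prohibit-password ] ||
        { echo "$f: PermitRootLogin=$pr (want no or prohibit-password)"; bad=1; }
    [ "$pk" = yes ] || { echo "$f: PubkeyAuthentication=$pk (want yes)"; bad=1; }
    return $bad
}

audit_sshd_config "$WEAK" || echo "$WEAK: FAIL (see findings above)"
audit_sshd_config "$HARD" && echo "$HARD: OK, key-only"
```

The trap people hit is turning PasswordAuthentication off and stopping there: with KbdInteractiveAuthentication still on, PAM keeps prompting for the password and the dictionary attack keeps working. On a live host let sshd do the parsing instead of this script: `sshd -T` prints the effective configuration after Match evaluation, and `sshd -t` checks syntax before you reload. Keep an existing session open while you do it, and put your key in authorized_keys first.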
Why are all these Linux servers so badly configured? It depends what you mean by “Linux servers,” thinks jjmorris2000:
The problem is mostly IoT devices. Many of these devices run some kind of Linux, allow for outside connections via SSH, and basically have as much thought put into security by their devs as a door without a knob. And the people who own them often don’t even know that they’re vulnerable because someone set the admin password to abc123 at the factory and nobody ever changed it.
Some wags are calling this a “zero day”—is that fair? Mononymous thinks not:
This isn’t a “zero day,” or any other kind of an exploit. It’s just getting in with weak passwords. Why is anyone using passwords on SSH? We stopped doing that a long time ago.
…
There’s no “previously unknown exploit” here. It’s been known for many years that if you use a guessable password someone might guess it. … Silly to call weak/default passwords a “zero day.”
And what of the miner? citizencoyote just shrugs:
I have yet to hear a real, honest use case for cryptocurrency—outside of criminal enterprises and get rich quick scams.
Meanwhile, moose_man eyerolls, furiously:
Of course it’s a crypto mining worm. Crypto is poison.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Andrei J Castanha (via Unsplash; leveled and cropped)