Microsoft: Linux Systems and IoT Devices Attacked by Trojanized OpenSSH Campaign

The threat actors initiate the attack by attempting to brute force various credentials on misconfigured internet-facing Linux devices.

researchers have uncovered a sophisticated cyberattack targeting -based systems and Internet of Things (IoT) devices. The attack, which involves deploying a patched version of OpenSSH, is aimed at hijacking SSH credentials and installing cryptomining malware via cryptojacking.

Cryptojacking, the unauthorized use of computing resources to mine cryptocurrency, has seen a surge in recent years. Cybercriminals have built an economy around attack tools, infrastructure, and services to generate revenue from a wide range of vulnerable systems, including IoT devices.

Brute-Force Attack on Misconfigured Linux Devices

The threat actors initiate the attack by attempting to brute force various credentials on misconfigured internet-facing Linux devices. Upon compromising a target device, they disable shell history and retrieve a compromised OpenSSH archive from a remote server. The archive contains benign OpenSSH source code alongside several malicious files. After installing the payload, a backdoor binary that matches the target device's architecture is run, enabling the threat actors to perform subsequent malicious activities and deploy additional tools on affected systems.

Custom Backdoor Deploys Open-Source Rootkits

Once running on a device, the backdoor tests access to /proc to determine whether the device is a honeypot. If it can't access /proc, it determines the device is a honeypot and exits.

The /proc directory in Linux is a virtual filesystem that provides a mechanism for the kernel (the core of the operating system) to send information to processes (running programs). It's often referred to as a process information pseudo-file system. It doesn't contain ‘real' files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc).

If it can access  /proc, the attack exfiltrates information about the device, including its operating system version, network configuration, and the contents of /etc/passwd and /etc/shadow over email to a hardcoded address.

To ensure persistent SSH access to the device, the backdoor appends two public keys to the authorized keys configuration files of all users on the system. The backdoor obscures its activity by removing records from Apache, nginx, httpd, and system logs that contain the IP and username specified as arguments to the script.

Patching OpenSSH Source Code

The backdoor uses the Linux patch utility to apply the patch file ss.patch, which is embedded in vars.sh, to the OpenSSH source code files included in its package. Once the patches are applied, the backdoor compiles and installs the modified OpenSSH on the device.

The backdoor runs a secondary payload embedded in the shell script vars.sh, which is a slightly modified version of ZiggyStarTux, an open-source IRC bot based on the Kaiten malware. Among its features is executing bash commands issued from the C2 and possessing distributed denial of service (DDoS) capabilities.

Mitigation and Protection Guidance

Microsoft recommends hardening internet-facing devices against attacks, ensuring secure configurations for devices, maintaining device health with updates, using least-privileges access, and updating OpenSSH to the latest version when possible. Adopting a comprehensive IoT security solution such as Microsoft Defender for IoT and using security solutions with cross-domain visibility and detection capabilities like Microsoft 365 Defender are also advised.