However, so far the botnet hasn’t done much beyond maintaining persistence on infected machines. It has the ability to launch DDoS (distributed denial of service) attacks and conduct cryptomining, but hasn’t yet done anything to monetize its access. That, Flare says, suggests the operator is either still staging the botnet’s infrastructure, is in a testing phase, or is maintaining access for future use.
The good news for CSOs, according to Flare cybersecurity researcher Assaf Morag, is that at this point there’s one way to stop this particular botnet cold: Disable SSH password authentication on Linux machines and replace it with SSH key-based authentication, or hide password logins behind a VPN.
This change should be accompanied by SSH brute-force rate limiting, monitoring of who is attempting to access internet-connected Linux servers, and restricting remote access to servers to specific IP ranges.
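The sshd_config side of that advice, as an added example that is not part of the article or of Flare’s research: a POSIX shell audit that reads a constructed sshd_config, mirrors sshd’s first-match rule for global keywords, ignores Match blocks (which is how password logins can be confined to a VPN address range), and flags password authentication, root password login and an uncapped MaxAuthTries. It goes one step beyond the text by also flagging keyboard-interactive authentication, because turning off PasswordAuthentication alone still leaves PAM free to prompt for a password. The function names, the two sample configs and the 10.8.0.0/24 VPN range are all constructed for illustration; rate limiting by source address and IP-range restriction belong in the firewall or a tool like fail2ban and are out of scope here.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config for the settings
# the advice above calls for. All sample configs below are constructed.

# effective_value FILE KEYWORD
# sshd honours the FIRST uncommented occurrence of a keyword, and keywords
# inside a Match block apply only to matching connections, so we take the
# first global match and stop looking once a Match line is seen.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one "WEAK: ..." line per finding.
audit_sshd_config() {
    cfg=$1

    v=$(effective_value "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '${v:-unset, default yes}'; set it to no and use keys"
    fi

    v=$(effective_value "$cfg" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "WEAK: PubkeyAuthentication no; keys cannot replace passwords"
    fi

    v=$(effective_value "$cfg" PermitRootLogin)
    if [ "$v" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes; use no or prohibit-password"
    fi

    # Disabling PasswordAuthentication alone is not enough: with
    # keyboard-interactive enabled, PAM can still prompt for a password.
    # KbdInteractiveAuthentication replaced ChallengeResponseAuthentication
    # in newer OpenSSH; accept either spelling.
    v=$(effective_value "$cfg" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(effective_value "$cfg" ChallengeResponseAuthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "WEAK: keyboard-interactive auth is '${v:-unset, default yes}'; PAM password prompts remain"
    fi

    v=$(effective_value "$cfg" MaxAuthTries)
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "WEAK: MaxAuthTries is '${v:-unset, default 6}'; cap guesses per connection at 3"
    fi
}

# count_weak_settings FILE: number of WEAK findings (0 means nothing flagged).
count_weak_settings() {
    audit_sshd_config "$1" | awk 'BEGIN { n = 0 } /^WEAK/ { n++ } END { print n }'
}

# --- constructed sample configs (written to a temp dir, removed on exit) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
WEAK_CFG="$SAMPLE_DIR/sshd_config.weak"
HARD_CFG="$SAMPLE_DIR/sshd_config.hardened"

# Typical distro defaults with password logins left on (constructed).
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication yes
MaxAuthTries 10
EOF

# Key-only from the internet; passwords only from the VPN range (constructed).
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
MaxAuthTries 3
Match Address 10.8.0.0/24
    PasswordAuthentication yes
EOF

echo "== weak config (findings: $(count_weak_settings "$WEAK_CFG")) =="
audit_sshd_config "$WEAK_CFG"
echo "== hardened config (findings: $(count_weak_settings "$HARD_CFG")) =="
audit_sshd_config "$HARD_CFG"
```

Point `audit_sshd_config` at a real `/etc/ssh/sshd_config` to use it; note that it does not follow `Include` directives, so drop-in files under `sshd_config.d/` need to be audited separately (or check the merged result with `sshd -T`).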
However, Morag cautioned, right now SSHStalker is looking for Linux servers with weak SSH security, but at any moment the operator could add another attack vector, such as an unpatched server vulnerability or a misconfiguration.
Safety fundamentals are key
Chris Cochran, SANS Institute field CISO and VP of AI security, said SSHStalker is a reminder that security fundamentals still decide the fight.
“Yes, AI is changing the threat landscape. Yes, automation is accelerating attacks. But this campaign proves something simpler and more uncomfortable: Old techniques still work,” he said. “If I’m talking to another CISO today, my advice isn’t ‘buy more AI.’”
