CSO Online reports on how the GoScanSSH malware is targeting Linux operating systems but somehow manages to avoid government and military operated servers:

For the initial infection, the malware uses more than 7,000 username/password combinations to brute-force attack a publicly accessible SSH server. GoScanSSH seems to target weak or default credentials of Linux-based devices, honing in on the following usernames to attempt to authenticate to SSH servers: admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

Those and other credential combinations are aimed at specific targets, such as the following devices and systems: Raspberry Pi, Open Embedded Linux Entertainment Center (OpenELEC), Open Source Media Center (OSMC), Ubiquiti networking products, jailbroken iPhones, PolyCom SIP phones, Huawei devices, and Asterisk systems.

After a device is infected, the malware determines how powerful the infected system is and obtains a unique identifier. The results are sent to a C2 server accessed via the Tor2Web proxy service “in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.”

The researchers determined the attack has been ongoing for at least nine months — since June 2017 — and has at least 250 domains; “the C2 domain with largest number of resolution requests had been seen 8,579 times.”

This sounds like a particularly nasty type of attack, but one that ought to be fairly simple to prevent. Considering it is easy to determine what the target system types are, and how the malware functions, deploying the right defense strategy is actually quite straightforward.

A quick couple of very simplistic examples immediately come to mind:

  1. Delete all unnecessary users from the above list or rename unneeded ones. In most cases guest, oracle, osmc, pi, test, ubnt, ubuntu, and user are unnecessary and can be removed. If they need to be kept, as I said, rename the accounts.
  2. For all the needed accounts, ensure ssh access is turned off. There is never a reason to SSH directly as root. This is the entire point of the sudo and su commands – login as another user and then use one of those commands to perform functions as root or other users.

There are plenty of other methods for combating this attack to make it more difficult to be breached. But simple actions like the above are often overlooked.

Talos provided both an IP blacklist and a domain blacklist that the malware uses to determine if it should continue attempts to compromise the system. Some of those domains include: .mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, govt.uk, .police.uk, .gov.au, govt.nz, and .mil.nz.

If the system or device is on neither set of blacklists, Talos “believes the attacker then compiles a new malware binary specifically for the compromised system and infects the new host, causing this process to repeat on the newly infected system.”

That is an interesting and novel approach to avoiding governmental systems. It is not unprecedented but definitely not a method often seen.