The Secure Shell (SSH) network protocol provides encrypted remote access to computers and devices. The portable version of OpenSSH ships with almost every Linux distribution, and attackers who have compromised a Linux server commonly maintain persistence by replacing the OpenSSH server and client binaries with backdoored builds.
Security researchers have now documented 21 OpenSSH malware families, 12 of which had not been seen before.
New backdoor families keep appearing because the OpenSSH source code is freely available: an attacker can patch it, recompile it and drop the result over the legitimate binaries. Because the trojanized binary still behaves like a normal SSH server or client, it also attracts little attention.
Remember that everything can be hacked. To stay away from cyber threats, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on the operating system it runs. Companies should also hire a specialized cybersecurity firm every year to test their network; these tests include penetration testing and ethical hacking.
The new backdoors differ in complexity, and the techniques used to exfiltrate stolen SSH credentials are inventive. Many of the analyzed samples share code, because they are all the result of modifying and recompiling the original portable OpenSSH source.
Nearly half of them can push the captured credentials to a remote host in addition to writing them to a local file, and some exfiltrate them by email.
The researchers also found that the operators want an easy way to reconnect to compromised machines, so the backdoored daemons patch the OpenSSH functions that would otherwise refuse root logins, erase traces of their sessions and bypass the logging code.
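Because these backdoors are recompiled OpenSSH binaries rather than separate malware, the first thing a responder checks is whether the installed ssh/sshd still matches the distribution package, and whether it carries strings a stock build would never contain. The script below is an added example, not code from the original article or from any research tooling: it hashes a binary against a known-good digest and scans its printable strings for the indicators the article describes (a credential log under a temp directory, a printf-style format that embeds a password, and sendmail/SMTP strings used for exfiltration). The sample "binaries", the manifest digest and the indicator patterns are constructed for the example; on a real host you would read /usr/sbin/sshd and take the expected digest from the package manager (`dpkg -V openssh-server` or `rpm -V openssh-server` does the hash comparison for you).

```python
"""Triage an OpenSSH binary for signs of a trojanized build (added example)."""
import hashlib
import re

MIN_STRING_LEN = 6

# Indicator patterns. Assumption: a starting set chosen for this example,
# not a complete or authoritative list.
INDICATORS = {
    "credential log path": re.compile(
        rb"/(?:var/)?tmp/\.[\x21-\x7e]+|/dev/shm/[\x21-\x7e]+"),
    "password format string": re.compile(
        rb"pass(?:word|wd)?\s*[:=]\s*%s", re.IGNORECASE),
    "mail exfiltration": re.compile(
        rb"sendmail|smtp|\bmail\b", re.IGNORECASE),
}


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def find_indicators(data: bytes) -> dict:
    """Map each indicator name to the strings in `data` that matched it."""
    hits = {}
    for s in extract_strings(data):
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(name, []).append(s.decode("ascii"))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_binary(data: bytes, expected_sha256: str) -> dict:
    """Combine the hash check and the string scan into one verdict."""
    hits = find_indicators(data)
    hash_ok = sha256_hex(data) == expected_sha256
    return {
        "hash_ok": hash_ok,
        "indicators": hits,
        "suspicious": (not hash_ok) or bool(hits),
    }


# Constructed sample "binaries": a few strings a stock sshd carries, and a
# second copy with the additions a credential-stealing build would need.
CLEAN_SSHD = b"\x7fELF\x02\x01\x01" + b"\x00".join([
    b"OpenSSH_7.4",
    b"/etc/ssh/sshd_config",
    b"PermitRootLogin",
    b"/usr/libexec/openssh/sftp-server",
]) + b"\x00"

BACKDOORED_SSHD = CLEAN_SSHD + b"\x00".join([
    b"/var/tmp/.olog",              # hidden credential log
    b"user: %s password: %s",       # format used to write the log
    b"/usr/sbin/sendmail -t",       # exfiltration by email
]) + b"\x00"

# Constructed manifest entry: the known-good digest of the clean build.
KNOWN_GOOD_SHA256 = sha256_hex(CLEAN_SSHD)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SSHD), ("backdoored", BACKDOORED_SSHD)):
        print(label, verify_binary(blob, KNOWN_GOOD_SHA256))
```

The string scan is deliberately a second opinion rather than the primary check: a backdoor author can obfuscate strings, but cannot make a recompiled binary hash to the package's digest. Treat a hash mismatch as the decisive signal and the indicator hits as a guide to what the build was modified to do.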
Four of the new backdoors stand out for specific features:
Chandrila – can receive commands via the SSH password
Bonadan – crypto-currency mining
Kessel – bot functionality
Kamino – similar to DarkLeech
The researchers believe that the operators behind these families either employed the same person to handle their Linux servers, or bought the backdoor on an underground market.
During the same investigation, the researchers found that another backdoor, named Mimban, was still active and that its operators were logging in manually to compromised machines.
For now, the infection vector used to install these OpenSSH backdoors on systems is hard to determine.
Keep in mind that modern society depends on computers, mobile devices and the internet, so always stay safe and secure.
We will continue to monitor the cybersecurity world. Meanwhile, users should keep a keen eye out for cyber attacks and follow the antivirus and annual penetration testing recommendations above.