Full Report
Overview AhnLab SEcurity intelligence Center (ASEC) uses honeypots to collect, respond to and classify brute-force and dictionary attacks against poorly managed Linux SSH servers. This report covers the attack sources identified in the first quarter of 2025 from those honeypot logs, together with statistics on the attacks those sources performed. Furthermore, […]
Analysis Summary
# Tool/Technique: P2PInfect
## Overview
P2PInfect is a worm observed in attacks against poorly managed Linux SSH servers, where initial access is typically gained by brute-force or dictionary attacks on SSH credentials. According to AhnLab's honeypot logs it was the most prevalent malware seen in these attacks during Q1 2025.
## Technical Details
- Type: Malware family (Worm)
- Platform: Linux SSH Servers
- Capabilities: Gains access by brute-force/dictionary attacks on poorly managed SSH servers, installs itself on the compromised host and then propagates as a worm.
- First seen: Q1 2025 is the report's observation window, not the family's first appearance; P2PInfect was first documented publicly in 2023.
## MITRE ATT&CK Mapping
*Note: The report does not provide ATT&CK mappings; the ones below are inferred from the initial-access and worm behaviour described.*
- **T1110 - Brute Force**
- T1110.001 - Password Guessing (dictionary attacks against SSH accounts)
- **T1595 - Active Scanning** (locating exposed SSH servers)
- **T1078 - Valid Accounts** (logging in with the guessed credentials)
- **T1021.004 - Remote Services: SSH** (worm propagation to further hosts over SSH)
## Functionality
### Core Capabilities
- Gains initial access by guessing weak Linux SSH credentials (brute-force/dictionary attacks).
- Installs itself on the host once a login succeeds.
- Operates as a worm/bot: from the compromised host it scans for and attacks further SSH servers.
### Advanced Features
- *Details regarding advanced features (e.g., persistence, evasion) were not specified, beyond its primary function as a highly prevalent worm in SSH attacks.*
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context]
- Registry Keys: [Not applicable; Linux has no registry]
- Network Indicators: [No C2 addresses or protocol details are given in the context beyond the targeting of SSH (tcp/22). Note that P2PInfect coordinates over a peer-to-peer network rather than a fixed C2 server, so IP blocklists alone are a weak control.]
- Behavioral Indicators: Malware download and installation commands executed immediately after a successful SSH login; the host then starts scanning for and attacking other hosts over SSH.
## Associated Threat Actors
- [Not explicitly named, but associated with automated worm activity targeting vulnerable infrastructure]
## Detection Methods
- Signature-based detection: Detection of P2PInfect binaries.
- Behavioral detection: Monitoring for successful SSH logins followed immediately by suspicious system configuration changes or outbound scanning/connection attempts characteristic of worm activity.
- YARA rules: [Not available in the context]
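The behavioral detection described above, as an added example that is not code from the report or from ASEC: a Python script that reads standard OpenSSH syslog lines and raises an alert whenever a successful login from a source address follows a burst of failed attempts from that same address, which is the footprint of a guessed password. The log lines are constructed for illustration, and the thresholds (three failures inside ten minutes) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (not taken from the report):
# one source fails repeatedly against root, then gets in with a password;
# an admin later logs in with a key from a different address.
SAMPLE_AUTH_LOG = """\
Mar 03 02:11:01 srv1 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 03 02:11:03 srv1 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 03 02:11:05 srv1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51251 ssh2
Mar 03 02:11:07 srv1 sshd[2207]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar 03 02:11:09 srv1 sshd[2209]: Failed password for root from 203.0.113.7 port 51268 ssh2
Mar 03 02:11:11 srv1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51270 ssh2
Mar 03 02:30:00 srv1 sshd[2300]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
"""

# Matches the two sshd outcomes we care about; "invalid user" appears when the
# guessed account does not exist on the host.
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_log(text):
    """Yield (timestamp, result, method, user, ip) for each recognised line."""
    for line in text.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only time differences matter here
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]


def find_bruteforced_logins(text, min_failures=3, window=timedelta(minutes=10)):
    """Return one alert per successful login that was preceded, from the same
    source address, by at least `min_failures` failures inside `window`.

    A success right after a burst of failures is the signature of a guessed
    password; a key-based login with no failures before it is left alone."""
    failures = defaultdict(list)  # ip -> timestamps of failures not yet "spent"
    alerts = []
    for ts, result, method, user, ip in parse_sshd_log(text):
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= min_failures:
            alerts.append({
                "ip": ip, "user": user, "method": method, "at": ts,
                "failures_before_success": len(recent),
            })
        failures[ip].clear()  # a success ends the guessing episode for that source
    return alerts


if __name__ == "__main__":
    for a in find_bruteforced_logins(SAMPLE_AUTH_LOG):
        print(f"{a['at']:%b %d %H:%M:%S} {a['ip']} -> {a['user']} via {a['method']} "
              f"after {a['failures_before_success']} failures")
```

On the sample data the script flags the root login from 203.0.113.7 (five failures in the preceding ten seconds) and ignores the key-based deploy login. In production the alert should be joined with what the new session does next (process execution, outbound connections), since a legitimate user who mistypes a password three times produces the same authentication pattern.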
## Mitigation Strategies
- Prefer key-based authentication and disable password logins for SSH; where passwords must remain, enforce strong, unique ones (defeats brute force).
- Enforce Multi-Factor Authentication (MFA) for SSH access where possible.
- Limit SSH access via firewall rules to known, trusted IP ranges.
- Regularly audit and patch Linux systems.
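To make the credential-related mitigations concrete, the following added example (not from the report or from ASEC) places a weak sshd_config fragment beside a hardened one and audits both with a small Python checker. The fragments are constructed; the default values in `SSHD_DEFAULTS` are upstream OpenSSH defaults, and distribution packages may ship different ones, so on a real host the effective configuration from `sshd -T` is what should be audited. The allow-listed admin network is an assumption.

```python
import re

# Constructed sshd_config fragments (not from the report). The first is the
# kind of configuration the honeypot attackers rely on; the second removes
# password guessing as an avenue altogether.
WEAK_SSHD_CONFIG = """\
# root reachable by password, generous guess budget per connection
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
# without this, PAM keyboard-interactive can still prompt for a password
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
# assumed admin network; adjust to the environment
AllowUsers deploy@198.51.100.0/24
"""

# Upstream OpenSSH defaults used when a keyword is absent. Distribution
# packages may override these (Debian's shipped config sets
# KbdInteractiveAuthentication no), so audit `sshd -T` output in production.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd keeps the first value it sees for a keyword, ignores case in keyword
    names, accepts 'Key value' or 'Key=value' and treats '#' as a comment.
    Lines after the first Match block are conditional and are skipped here."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            cfg.setdefault(key, parts[1].strip())
    return cfg


def audit_sshd_config(text):
    """Return a list of (keyword, effective value, why it matters) findings."""
    cfg = parse_sshd_config(text)

    def effective(key):
        return cfg.get(key, SSHD_DEFAULTS.get(key, "")).lower()

    findings = []
    if effective("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root is the most-guessed account; set no or prohibit-password"))
    if effective("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication", effective("passwordauthentication"),
                         "password guessing cannot succeed once only keys are accepted"))
    # ChallengeResponseAuthentication is the pre-8.7 name of the same keyword
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication",
                          SSHD_DEFAULTS["kbdinteractiveauthentication"]))
    if kbd.lower() != "no":
        findings.append(("KbdInteractiveAuthentication", kbd,
                         "PAM keyboard-interactive can still prompt for a password"))
    try:
        tries = int(effective("maxauthtries"))
    except ValueError:
        tries = int(SSHD_DEFAULTS["maxauthtries"])
    if tries > 4:
        findings.append(("MaxAuthTries", str(tries),
                         "guesses allowed per TCP connection; lower it"))
    if not ("allowusers" in cfg or "allowgroups" in cfg):
        findings.append(("AllowUsers/AllowGroups", "(unset)",
                         "no allow-list; every local account is a valid guessing target"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name}: {len(audit_sshd_config(text))} finding(s)")
        for keyword, value, why in audit_sshd_config(text):
            print(f"  {keyword} = {value}: {why}")
```

Note that an empty file is not safe either: with upstream defaults, password and keyboard-interactive authentication are both enabled and six guesses per connection are allowed, so the checker reports four findings for it. MFA and the firewall restriction are enforced outside sshd_config (PAM and packet filter respectively) and are not covered by this audit.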
## Related Tools/Techniques
- Tsunami (Observed accounting for 25.4% of attacks during the same period)
***
# Tool/Technique: Tsunami
## Overview
Tsunami is the second most prevalent malware targeting poorly managed Linux SSH servers identified in the Q1 2025 honeypot logs, accounting for 25.4% of attacks. It is often deployed following successful brute force or dictionary attacks.
## Technical Details
- Type: Malware family (IRC-controlled DDoS bot, also known as Kaiten)
- Platform: Linux SSH Servers
- Capabilities: Installed after initial access with compromised credentials; once running it takes commands over IRC and is used chiefly for DDoS attacks and for running shell commands on the host. The report records only its installation, not the commands issued.
- First seen: Q1 2025 is the report's observation window; Tsunami/Kaiten is a long-established family that predates it by many years.
## MITRE ATT&CK Mapping
*Note: The report does not provide ATT&CK mappings; the ones below are inferred from the initial-access and botnet behaviour described.*
- **T1110 - Brute Force**
- T1110.001 - Password Guessing (dictionary attacks against SSH accounts)
- **T1078 - Valid Accounts** (logging in with the guessed credentials)
- **T1498 - Network Denial of Service** (the family's DDoS role; inferred, not observed in the report)
## Functionality
### Core Capabilities
- Installed on compromised Linux systems after initial SSH access.
- Participates in distributed attacks, principally DDoS, under IRC command and control (the family's documented role; the report does not detail the commands observed).
### Advanced Features
- *Specific advanced features were not detailed in the provided context.*
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context]
- Registry Keys: [Not applicable]
- Network Indicators: [No C2 servers are given in the context. Tsunami variants take commands from an IRC server, so outbound IRC-style connections from a server that has no reason to use IRC are worth investigating.]
- Behavioral Indicators: Malware installation recorded in the honeypot logs immediately after a successful SSH login.
## Associated Threat Actors
- [Not explicitly named]
## Detection Methods
- Signature-based detection: Detection of Tsunami binaries.
- Behavioral detection: Detection of systems engaging in high-volume outbound traffic or scanning typical of botnet participation post-initial access.
- YARA rules: [Not available in the context]
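The outbound-activity half of the behavioral detection, for both the P2PInfect worm propagation and the scanning Tsunami bots are tasked with, as an added example that is not code from the report or from ASEC: a Python detector over flow records (start time, source, destination, destination port, bytes) that flags any host reaching many distinct tcp/22 destinations inside a short window. The flow records are constructed, and the threshold (20 destinations in 60 seconds), the window and the bastion allow-list are assumptions to tune per network; the same sliding-window structure can be pointed at bytes per destination to catch the flood traffic of a DDoS bot.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSH_PORT = 22
FANOUT_THRESHOLD = 20             # distinct tcp/22 destinations from one host...
WINDOW = timedelta(seconds=60)    # ...inside this interval is treated as a sweep
KNOWN_SSH_CLIENTS = {"10.0.0.2"}  # assumed bastion host; tune per environment


def build_sample_flows():
    """Constructed flow records (start, src, dst, dst_port, bytes), not from the report.

    10.0.0.5 plays a freshly infected host sweeping 10.0.1.0/24 on tcp/22;
    10.0.0.2 is a bastion doing three ordinary admin logins; 10.0.0.9 does DNS."""
    t0 = datetime(2025, 3, 3, 2, 12, 0)
    flows = []
    for i in range(1, 41):
        flows.append((t0 + timedelta(seconds=i), "10.0.0.5", f"10.0.1.{i}", SSH_PORT, 1200))
    for i, dst in enumerate(["10.0.2.10", "10.0.2.11", "10.0.2.12"]):
        flows.append((t0 + timedelta(seconds=5 * i), "10.0.0.2", dst, SSH_PORT, 48000))
    flows.append((t0, "10.0.0.9", "10.0.0.1", 53, 140))
    return flows


def detect_ssh_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW,
                      allow=frozenset(KNOWN_SSH_CLIENTS)):
    """Flag each source that reaches `threshold` distinct tcp/22 destinations
    within `window`.

    Worm propagation and credential sweeps produce many short connections to
    many hosts; legitimate administration touches a handful. One alert is
    returned per source, raised the first time the threshold is crossed."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, dport, _ in sorted(flows):
        if dport != SSH_PORT or src in allow or src in alerts:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop flows that fell out of the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold:
            alerts[src] = {"src": src, "distinct_ssh_targets": len(targets),
                           "first_seen": q[0][0], "crossed_at": ts,
                           "sample_targets": sorted(targets)[:5]}
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_ssh_fanout(build_sample_flows()):
        print(f"{a['src']} reached {a['distinct_ssh_targets']} SSH hosts between "
              f"{a['first_seen']:%H:%M:%S} and {a['crossed_at']:%H:%M:%S}, "
              f"e.g. {a['sample_targets']}")
```

On the sample data only 10.0.0.5 is reported, at the twentieth distinct target; the bastion stays under the threshold and is allow-listed besides, and the DNS flow is not on port 22. Run against real data, this check belongs on the servers' egress (conntrack, NetFlow/IPFIX or the cloud provider's flow logs), since a server that starts initiating SSH connections to many peers has almost certainly been taken over.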
## Mitigation Strategies
- Enforce strong password policies and MFA for SSH.
- Use an intrusion detection system (IDS) to flag IRC-style command-and-control traffic and known Tsunami signatures, where available.
- Restrict outbound connections from critical servers if they should not be initiating external connections.
## Related Tools/Techniques
- P2PInfect (the most prevalent malware observed via the same attack vector)