Beware bad passwords as attackers co-opt Linux servers into cybercrime
The Rise of Linux Server Attacks
The cybersecurity landscape is constantly evolving, and cybercriminals are always finding new ways to exploit vulnerabilities. Recent reports from researchers at Korean anti-malware business AhnLab highlight a concerning trend of cybercriminals co-opting Linux shell servers for their nefarious activities. These attacks involve hackers guessing their way into Linux servers by exploiting weak passwords, and then using these servers as launching points for further attacks, often against innocent third parties.
The Consequences of Co-opted Servers
The payloads unleashed by these cybercriminals can have serious consequences. Not only can they result in financial loss due to unexpected electricity bills, but they can also tarnish the reputation of the server owner. When a server is used in a cybercrime, it can lead to investigations that point fingers at the server owner and their network. In some jurisdictions, there are even laws that hold individuals responsible for leaving their servers inadequately secured.
The Inadequacy of Password Protection
The attackers behind these Linux server attacks are exploiting the fact that many servers have weak password protection. They are using the not-very-secret and not-at-all-complicated technique of guessing common username/password combinations to gain unauthorized access. While well-secured SSH servers require additional logon security based on cryptographic keypairs or two-factor authentication (2FA) codes, servers set up in a hurry or with preconfigured settings often have default insecure configurations.
The Danger of Weak Passwords
AhnLab researchers noted that even simple password dictionary lists still yield usable results for these attackers. They have found dangerously predictable username/password combinations, such as “root/abcdefghi,” “root/123@abc,” and “weblogic/123.” These examples highlight the need for stronger and more unique passwords, as well as regular password updates.
The False Sense of Security
One particularly interesting combination identified by the researchers is “nologin/nologin.” The name suggests a locked account: an account called “nologin” is meant to be self-documenting, signalling that it is not available for interactive logins. But good intentions are easily forgotten or carried out incorrectly, and an account that is locked in name only, while still accepting a guessable password, gives the server owner a false sense of security.
The After-Effects of Attacks
The attackers in these Linux server attacks seem to have three main objectives. First, they install a DDoS attack tool called Tsunami, which involves overwhelming a victim’s online service with time-wasting requests that consume server and network resources. Second, they install a cryptomining toolkit called XMRig, which reduces the server’s processing capacity and increases electricity consumption. Third, they install a zombie program called PerlBot or ShellBot, which allows the attackers to issue further commands to compromised servers, including installing additional malware.
The Need for Vigilance
To protect against these attacks, there are several key steps that server owners can take. First and foremost, password-only SSH logins should be disabled. Switch to public-private key authentication, or, if conventional same-every-time passwords must remain, require an additional factor alongside them, such as a two-factor authentication (2FA) code.
Regular Review of Security Measures
Regularly reviewing the public keys that the SSH server relies on for automated logins is crucial. Additionally, reviewing the SSH server configuration is important to ensure that the server’s security has not been compromised by previous attackers. Common tricks used by attackers include enabling root logins directly to the server, listening on additional TCP ports, or activating password-only logins that are typically disallowed.
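The disable-password-logins step and the configuration review above, as an added example that is not the article's, AhnLab's or Sophos's own tooling: a POSIX shell function that reads sshd configuration text and reports the three signs of tampering the article lists. It assumes an OpenSSH server (the `sshd -T` invocation and the PermitRootLogin, PasswordAuthentication and Port keywords are OpenSSH's); the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not code from the article, AhnLab or Sophos: audit an sshd
# configuration for the tampering signs named above (direct root logins
# enabled, extra listening ports, password-only logins re-enabled).
# Reads configuration text on stdin; the exit status is the number of findings.

audit_sshd_config() {
    awk '
        BEGIN { findings = 0; ports = 0; portlist = "" }
        # Strip comments and blank lines; keywords are case-insensitive,
        # so compare in lowercase (sshd -T already prints them lowercase).
        { sub(/#.*/, ""); $0 = tolower($0) }
        NF == 0 { next }
        $1 == "permitrootlogin" && $2 == "yes" {
            findings++; print "FINDING: direct root login permitted (PermitRootLogin yes)"
        }
        $1 == "passwordauthentication" && $2 == "yes" {
            findings++; print "FINDING: password logins enabled (PasswordAuthentication yes)"
        }
        $1 == "port" { ports++; portlist = portlist " " $2 }
        END {
            if (ports > 1) {
                findings++; print "FINDING: sshd listens on several ports:" portlist
            }
            exit findings
        }
    '
}

# Constructed sample of a configuration an intruder has loosened. On a real host
# pipe in the effective configuration instead:  sudo sshd -T | audit_sshd_config
tampered_sample='PermitRootLogin yes
PasswordAuthentication yes
Port 22
Port 2222   # extra listener added after the break-in'

printf '%s\n' "$tampered_sample" | audit_sshd_config || echo "-> $? finding(s); review this host"
```

`sshd -T` prints the effective global settings; re-run it with `-C user=NAME` to evaluate any Match block that re-enables password logins for a single account, and pair the audit with a look at each account's authorized_keys file.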
Using Monitoring Tools
It is also essential to use monitoring tools to detect any unusual activity on the server. High bursts of network traffic to unexpected destinations may indicate data exfiltration or attempted DDoS attacks. Consistently high CPU load could be a sign of rogue cryptomining or cryptocracking efforts, which can increase electricity consumption and reduce processing capacity. Sophos products, for example, provide detection for the malware mentioned by AhnLab researchers, allowing users to check their logs for any sign of compromise.
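For the monitoring point above, an added example that is not from the article, AhnLab or Sophos: a shell function that triages OpenSSH auth-log lines, counting failed password attempts per source address and flagging any login that succeeded by password, since on a server that has disabled password-only logins none should. The log lines, hostnames and addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the article, AhnLab or Sophos: triage sshd
# auth-log lines for password guessing and for password logins that succeeded
# even though keys or 2FA should be mandatory.
# Usage: triage_auth_log THRESHOLD < /var/log/auth.log ; exit status = alerts

triage_auth_log() {
    awk -v threshold="${1:-5}" '
        BEGIN { alerts = 0 }
        # Pull the user and source address out of a standard sshd log line
        function fields(   i) {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
        }
        /sshd\[[0-9]+\]: Failed password for/ { fields(); failed[ip]++ }
        /sshd\[[0-9]+\]: Accepted password for/ {
            fields(); alerts++
            print "ALERT: password login accepted for " user " from " ip " (password-only SSH should be disabled)"
        }
        END {
            for (ip in failed) if (failed[ip] >= threshold) {
                alerts++
                print "ALERT: " failed[ip] " failed password attempts from " ip " (guessing)"
            }
            exit alerts
        }
    '
}

# Constructed sample log: a guessing run against root and weblogic that ends
# in a successful root password login, then a legitimate key-based login.
sample_log='Jun 21 03:14:02 srv sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jun 21 03:14:04 srv sshd[1203]: Failed password for invalid user weblogic from 203.0.113.10 port 51030 ssh2
Jun 21 03:14:05 srv sshd[1205]: Failed password for root from 203.0.113.10 port 51041 ssh2
Jun 21 03:14:09 srv sshd[1209]: Accepted password for root from 203.0.113.10 port 51077 ssh2
Jun 21 03:20:11 srv sshd[1250]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2'

printf '%s\n' "$sample_log" | triage_auth_log 3 || echo "-> $? alert(s)"
```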
Conclusion
The co-opting of Linux servers into cybercrime is a grave concern and highlights the importance of strong server security measures. Password protection alone is insufficient, and server owners must implement additional security measures such as public-private key authentication and regular reviews of server configurations. Vigilance and the use of monitoring tools are also critical to detect any unauthorized activity and prevent further harm. By prioritizing server security, individuals and organizations can protect themselves and prevent their servers from being used in cybercriminal activities.