> the malware uses secure shell (SSH) brute force attacks to gain control on target devices.
So basically this is a 254% increase in easily guessed root passwords on systems exposed to the internet.
Microsoft has sounded the alarm on DDoS malware called XorDdos that targets Linux endpoints and servers. The trojan, first discovered in 2014 by security research group MalwareMustDie, was named after its use of XOR-based encryption and the fact that it amasses botnets to carry out distributed denial-of-service attacks. Over …
I'd assumed that, given SSH as root is almost always disabled by default, they were going in as regular users and then trying for sudo. But apparently not. From the report:
> It uses a malicious shell script to try various root credential combinations across thousands of servers
Well, that's not going to be terribly effective is it? Banging on a locked door.
Most of the IoT devices running old versions of Linux will be attached to LANs behind a NAT router. This makes it impossible for someone on the Internet to even get to them to try to brute force the root password.
The only exception to this is if the IoT device uses UPnP to knock holes in the firewall and NAT protection that the router provides. But they would be NUTS to open port 22 via UPnP, even if it were possible.
I suppose that it may be possible that they run SSH on a non-standard port, and ask that to be opened via uPnP, but I would be surprised if they even did that, and if they did, it would be a case of guess-the-port before you even start the attack.
Anyway, all sensible people turn UPnP off on their router, don't they?
I monitor inbound intrusion attempts on my home network (I have a full-port redirect to a Linux firewall, which had password login disabled in the SSH config, in case you ask). I noticed an uptick of login attempts (at its peak it was about 100 a minute, from about half a dozen different source addresses) using a variety of user IDs and passwords just after the new year. As a precaution, I switched off the port redirect, and I've not needed to turn it back on, so it has remained off. But there was definitely something going on. Not sure if I was being specifically targeted, but that seems a little unlikely.
I had a basic tilt and turn IP camera. A VGA-quality device with a MIPS processor.
It was running a cut down version of Linux with some extra blobs to provide the functionality. One of those bits was the Go-ahead server.
Turns out that it had a CRITICAL flaw. If you sent an HTTP request and omitted the initial /, it would send the information requested, completely ignoring any password controls. So it was entirely possible to throw together some BASIC on my Pi to extract the configuration file (which was saved in the same place as the UI web pages, thus accessible). This gives you the login passwords and the passwords for the AP and any email or FTP services used. Plus it means you can log in and push your own firmware upgrade to the device.
Okay, granted, these hacks are specific to this type of device (it and all the other branded clones). But if this is an idea of the level of security in the domestic IoT arena, well, I would not be surprised if the world wasn't rife with shitty easily hacked bits of cheap Chinese tech.
I contacted the company asking for the source code. Never heard back, though to be fair I think their entire involvement with the device was sticking their label on the front...
And, yes, uPNP and WPS are disabled around these parts. Anything else is crazy.
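The bypass described in this post (an access check that a request sidesteps by dropping the leading slash, while the file handler still finds the file) is one instance of a general bug class: authorization keyed on the raw request target instead of a normalized path. The following is an added illustration of that class and of the fix, not the GoAhead server's code or anything from the camera's firmware; the protected prefixes, the toy web root and the sample requests are all assumed for the demo.

```python
import posixpath
from typing import Callable, Tuple
from urllib.parse import unquote

# Assumption for the demo: anything under these prefixes needs a login.
PROTECTED_PREFIXES = ("/cgi-bin/", "/config/")

# Assumption: a tiny "web root" keyed by normalized path, with the config
# file sitting next to the UI pages exactly as the post describes.
WEB_ROOT = {
    "/index.html": "<html>camera UI</html>",
    "/config/system.ini": "admin_pw=hunter2\nwifi_psk=example",
}


def is_protected_naive(target: str) -> bool:
    """Vulnerable check: it compares the raw request target, so a target
    with no leading '/' ('config/system.ini') never matches a prefix
    and the request is treated as public."""
    return target.startswith(PROTECTED_PREFIXES)


def normalize_target(target: str) -> str:
    """Reduce a request target to one canonical absolute path BEFORE any
    security decision: drop the query, percent-decode, force a leading
    '/', and collapse '.' and '..' so 'config/x', '/ui/../config/x' and
    '/%2e%2e/config/x' all become '/config/x'. posixpath.normpath drops
    '..' components that would climb above the root."""
    path = unquote(target.split("?", 1)[0])
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def is_protected_hardened(target: str) -> bool:
    """Same policy, applied to the normalized path the file handler will
    actually use. A stricter server would instead answer 400 to any
    target that is not origin-form (does not start with '/')."""
    return normalize_target(target).startswith(PROTECTED_PREFIXES)


def serve(target: str, authenticated: bool,
          check: Callable[[str], bool]) -> Tuple[int, str]:
    """Toy request handler: `check` decides whether a login is needed,
    then the file is looked up by normalized path, which is how a real
    server's file handler resolves a target relative to the web root.
    The mismatch between the two views is the whole bug."""
    if check(target) and not authenticated:
        return 401, ""
    path = normalize_target(target)
    if path not in WEB_ROOT:
        return 404, ""
    return 200, WEB_ROOT[path]


if __name__ == "__main__":
    for check in (is_protected_naive, is_protected_hardened):
        status, body = serve("config/system.ini", False, check)
        print(f"{check.__name__:22s} unauthenticated 'config/system.ini' -> {status} {body!r}")
```

Run as-is, the naive check hands the unauthenticated request the config file (200) while the hardened one refuses it (401). The second lesson from the post is independent of the check: a file that must never be served to an anonymous client should not live under the web root at all.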
"But there was definitely something going on."
I run a custom server on my machine. It uses port 23 (it's a BBS). It's been clobbered more than normal since the end of February. The same idiotic scripts over and over (really, trying "root" works?), just a lot more frequently.
I'm going to go out on a limb and think that it might just be related to the current state of global insanity.
Sounds like what you need is a second fail2ban rule that perma-bans them after 2-3 'blocked 18.104.22.168 SSH' entries in your fail2ban log file. (and maybe an extra unblock magic port-knock sequence, just in case some cron-job on your home machine accidentally triggers it.)
I am a fan of f2b but it cannot deal with massive botnets. That said, it does deal with a lot of the usual suspects because they don't bother with massively distributed IPs because the majority of their targets don't have f2b or anything like it.
f2b is pretty lightweight and keeps the majority of the yobs out. After that you need some funkier stuff.
Botnets rely on speed for initial connect so a few seconds delay can cause them to move on or you can be cruel by allowing an initial connect and slowing everything else down. TCP is a three-way handshake: SYN, SYN/ACK and LOL. If every mail system popped a three second delay into the SYN/ACK and the final ACK (not LOL really - I'm a fucking comedian) then spam would be abated by roughly the Planck constant.
I basically don't bother with f2b these days but that might change. I do enforce TLS 1.2 or better for my POs. IMAP with TLS and SMTP with STARTTLS and reasonably good passwords.
Security is all about evaluating what is happening now. I think I'll be putting f2b back in again quite soon.
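The "allow the initial connect and slow everything else down" idea above is what an SSH tarpit does, and the protocol makes it cheap: RFC 4253 section 4.2 lets a server send arbitrary lines before its identification string, provided they do not begin with "SSH-", and a conforming client has to keep reading until the real banner arrives. A brute-forcer that connects and waits for "SSH-2.0-..." therefore never gets to try a single password. The following is an added example in the style of endlessh, not code from anyone in this thread; the port, the delay and the line limit are assumptions for the demo, and `probe` plays the scanner so the effect can be measured locally.

```python
import random
import socket
import threading
import time
from typing import Optional, Tuple


def junk_line(rng: random.Random) -> bytes:
    """One pre-banner line. Hex digits can never spell "SSH-", so the
    client has no choice but to wait for the next line."""
    return b"%x\r\n" % rng.getrandbits(64)


def tarpit_connection(conn: socket.socket, delay: float, max_lines: int,
                      rng: Optional[random.Random] = None) -> int:
    """Drip junk lines to one client. Returns how many lines were sent
    before the client hung up (or max_lines ran out)."""
    rng = rng or random.Random()
    sent = 0
    try:
        for _ in range(max_lines):
            time.sleep(delay)
            conn.sendall(junk_line(rng))
            sent += 1
    except OSError:
        pass                      # peer gave up: exactly what we wanted
    finally:
        conn.close()
    return sent


class Tarpit:
    """Listener that hands every connection to tarpit_connection in its
    own thread. Port 0 picks a free port (used by the self-test); a real
    deployment listens on 22 and moves the real sshd elsewhere."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 delay: float = 10.0, max_lines: int = 100_000) -> None:
        self.delay, self.max_lines = delay, max_lines
        self.stats = {"accepted": 0, "lines_sent": 0}
        self._lock = threading.Lock()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(128)
        self.port = self.sock.getsockname()[1]

    def _handle(self, conn: socket.socket) -> None:
        n = tarpit_connection(conn, self.delay, self.max_lines)
        with self._lock:
            self.stats["lines_sent"] += n

    def accept_forever(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return            # listener closed
            with self._lock:
                self.stats["accepted"] += 1
            threading.Thread(target=self._handle, args=(conn,),
                             daemon=True).start()

    def start(self) -> "Tarpit":
        threading.Thread(target=self.accept_forever, daemon=True).start()
        return self

    def close(self) -> None:
        self.sock.close()


def probe(port: int, host: str = "127.0.0.1",
          timeout: float = 30.0) -> Tuple[float, bytes]:
    """Behave like a scanner: connect, wait for the first line, report how
    long that took and what arrived (never the real banner)."""
    t0 = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as c:
        line = c.makefile("rb").readline()
    return time.monotonic() - t0, line


if __name__ == "__main__":
    # Assumption: 2222 so the demo needs no privileges; bind 22 in anger.
    Tarpit(port=2222).accept_forever()
```

Each trapped client costs the tarpit one sleeping thread and a few bytes every `delay` seconds, while the scanner's connection slot is held for as long as its read timeout allows; endlessh reports bots hanging on for hours. This is the cruel variant of the suggestion above: the greet-delay variant for mail (pause before the SMTP banner, drop clients that talk early) is the same trick applied to a different protocol.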
"More than usual?"
I don't have solid metrics as the log is held in RAM (as in don't bother dropping that crap on the SD card) and I just pull it directly into a text editor and look for keywords, however it seems to be about twice as much as usual.
I should add: since it's an IPv4 setup, I have set the system to automatically drop any connection from CN, RU, and a few other countries that have spammed the machine, using the free IPdb database (updated when I can be bothered), so these ones don't get logged at all. They might be on the increase too, but life is too short...
"The only exception to this is if the IoT device uses UPnP to knock holes in the firewall and NAT protection that the router provides. But they would be NUTS to open port 22 via UPnP, even if it were possible"
Consider them NUTS then, because that (and opening via a tunnel) is more or less what happens to most IOT embedded linux DVR CCTV systems using Xaomai software - aka XM Eye (which is almost every unit shipped out of China using Huawei SoCs regardless of branding or UI)
Their Sophia binary is spectacularly awful and appears to breach GPL, but it just won't die
The reason I said "even if that is possible" is because if the firewall/router uses port 22 itself, it will not be possible for another device to use uPNP to direct that to itself.
As I understand what happens with most IoT devices is that they open an outbound bidirectional session to a well known server on the internet that becomes the conduit for communication to the IoT device. This is not a route into the IoT device from other servers, although it does rely on the function and security of the system in the Internet. This is not uPNP.
Similarly, using a VPN tunnel is not uPNP, and relies on additional security like a shared secret of some sort and some cryptography, and it requires an open port from the Internet through the firewall, possibly using uPNP. But this is extremely unlikely to be port 22, unless the tunnel is implemented using SSH, and even then it would not be sensible.
The reason why it would be nuts is because port 22 is the normal port for SSH connections, so is an obvious port to try to connect for an attack. Most times, uPNP ports that are used are non-privileged ports often numbered over 10,000, so unless the attacker knows the number in advance, the first thing they have to do is a port scan to identify open ports, and then decide on the protocol in use.
"But they would be NUTS to open port 22"
When did that stop people desperate to save a few seconds, or the 'OK, that works, it's fit for Production' crowd?
I allow SSH/SCP/SFTP 'key authentication only' access to certain partners. however they have to be using a VPN connection I give them and can only connect to what I let them. The VPN service is only accessible from public source addresses approved by me. And yes, the port forward for the VPN service is NOT the 'well known' one for the 'stealthy by design' Wireguard-based* service....
I totally agree about the current and legacy 'Internet of Shite' devices out there....anyone remember the Mirai botnet that used the well-known 'default password' method as its initial IV?
[*] All hail Jason Donenfeld. That said (As he does in the small print, somewhere) you still need a firewall involved. WG has good points and bad points from an ops. POV, but the good ones vastly outweigh the bad ones...for me, anyway.
This is what I saw in a short time against one machine, users and attempts:
I don't know why I didn't see root. My advice to anyone: do not set up an account called 'admin'. Use anything other than 'admin'.
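An added example, not code from any poster, covering two things raised in this thread: the "users and attempts" view of the post above (which usernames and which sources are hammering sshd, with root and admin predictably on top) and the earlier suggestion of a second fail2ban rule that perma-bans a source after a few ordinary bans. fail2ban ships that second rule as the `recidive` jail, which reads fail2ban's own log; the `recidive` function here reimplements its window logic so the threshold can be seen working. All log lines below are constructed (RFC 5737 addresses, made-up hostname and timestamps) and the regexes follow the stock sshd and fail2ban log formats.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sshd lines in syslog format; not real traffic.
AUTH_LOG = """\
May 20 03:12:01 cam sshd[4021]: Failed password for root from 203.0.113.5 port 51122 ssh2
May 20 03:12:02 cam sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
May 20 03:12:02 cam sshd[4025]: Failed password for root from 203.0.113.5 port 51140 ssh2
May 20 03:12:03 cam sshd[4024]: Failed password for invalid user admin from 198.51.100.7 port 40010 ssh2
May 20 03:12:05 cam sshd[4026]: Failed password for invalid user pi from 198.51.100.7 port 40011 ssh2
May 20 03:12:06 cam sshd[4027]: Failed password for root from 192.0.2.9 port 33001 ssh2
May 20 03:12:07 cam sshd[4028]: Invalid user ubnt from 192.0.2.9 port 33002
May 20 03:12:08 cam sshd[4029]: Failed password for invalid user ubnt from 192.0.2.9 port 33002 ssh2
May 20 03:12:09 cam sshd[4030]: Accepted publickey for alice from 192.0.2.44 port 50000 ssh2: ED25519 SHA256:constructed
"""

# Constructed fail2ban.log lines in its default format (deliberately not
# in time order, to show that sorting per IP is needed).
F2B_LOG = """\
2022-05-18 02:00:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2022-05-19 02:00:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2022-05-20 03:12:10,101 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2022-05-20 03:12:12,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2022-05-20 03:12:13,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.9
2022-05-20 04:30:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2022-05-20 09:15:44,512 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2022-05-20 13:01:02,003 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2")
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")


def failed_logins(log: str) -> List[Tuple[str, str]]:
    """(user, source ip) for every failed password attempt. The separate
    "Invalid user" pre-auth line is skipped so one attempt is not counted
    twice, and successful logins are ignored."""
    return [(m["user"], m["ip"])
            for m in map(FAILED_RE.search, log.splitlines()) if m]


def top_users(log: str) -> Counter:
    """Which account names the scripts are guessing."""
    return Counter(user for user, _ in failed_logins(log))


def top_sources(log: str) -> Counter:
    """Which addresses are doing the guessing."""
    return Counter(ip for _, ip in failed_logins(log))


def recidive(f2b_log: str, jail: str = "sshd", maxretry: int = 3,
             findtime_days: float = 1.0) -> Set[str]:
    """Addresses banned by `jail` at least `maxretry` times inside any
    window of `findtime_days`: the rule of fail2ban's recidive jail. The
    window slides over each address's sorted ban times, so it is enough
    to check the span covered by every `maxretry` consecutive bans."""
    findtime = timedelta(days=findtime_days)
    bans: Dict[str, List[datetime]] = {}
    for line in f2b_log.splitlines():
        m = BAN_RE.match(line)
        if m and m["jail"] == jail:
            bans.setdefault(m["ip"], []).append(
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    repeat: Set[str] = set()
    for ip, times in bans.items():
        times.sort()
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= findtime:
                repeat.add(ip)
                break
    return repeat


if __name__ == "__main__":
    print("attempts by user:    ", top_users(AUTH_LOG).most_common())
    print("attempts by source:  ", top_sources(AUTH_LOG).most_common())
    print("perma-ban candidates:", sorted(recidive(F2B_LOG)))
```

On the sample data only 203.0.113.5 qualifies: it was banned three times within ten hours, whereas 198.51.100.7 was also banned three times but spread over two days, so it falls outside a one-day window. In real fail2ban the same effect comes from enabling the stock `[recidive]` jail (its `maxretry`, `findtime` and `bantime` map onto the parameters here, and a very long or, on recent versions, negative `bantime` is the "perma-ban"); because it acts on fail2ban's own log rather than on sshd's, it catches a source that keeps coming back after each short ban expires, which a single jail never sees.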
Before you start crowing about how insecure the competition can be, take a look at your own utterly abysmal track record of fatal security flaws. I'd hazard a guess that everyone else's security screw ups don't measure up to the Olympus Mons of the MS fuck ups in the same time frame.
I mean, how many times does MS have to release a fix to fix the fix that broke the previous fix? I'm fairly sure that a functioning quality assurance team testing your code before it was allowed past the gates just might, just *might* mind you, go some way into caulking the holes of the security Swiss cheese that is your fortress walls.
Before you start crowing about how insecure the competition can be, take a look at your own utterly abysmal track record of fatal security flaws
Here we go again. Whataboutery of the first order. The massive chip on the shoulders of people who have to make this about OS wars was amusing but seems increasingly emotionally immature.
Dear Microsoft, Thanks for the help MS, we will address this and be ready for the inevitable next one. Any more help you can give us will be more than welcome. Because that's how the grown-ups operate.
I would say that this is nothing to do with OS wars, and more to do with the attitude Microsoft has regarding their position in the market.
They have shown in the past that they've been prepared to spread FUD to try to dissuade people from using anything other than Windows. I know it came from the Ballmer era, but anybody who doesn't remember the "The Truth About Linux" advertising campaign in the noughties should probably refresh their memories.
Microsoft have form, and although they've been a little more accepting about Linux recently, the adage is that it is difficult for a leopard to change its spots.
So, yes, thank you Microsoft. But please try to give the full context and some comparisons to avoid FUD in future.
-> who doesn't remember the "The Truth About Linux"
That works both ways. The Linux mob were claiming that Linux outperformed Windows NT back in 1999. I remember this. I was in the business at the time. Mindcraft did an independent test, and showed that Windows NT outperformed Linux. The penguins booed and hissed and grumbled, and complained about the tests. The tests were unfair, they said. HA HA HA.
Another test was done. This time there were penguins from Red Hat present. Again Windows NT outperformed Linux. STILL the penguins complained. In a lovely bit of sour penguin food, some Linux penguin said that although true it was not relevant. HA HA HA.
You can read more about it here.
Eventually Linus Torvalds admitted it and said it should be considered a bug. So great bolshy yarblockos to your own FUD.
Last few years Microsoft is increasingly Linux-based (I would be neither surprised nor annoyed if we were to find out that Windows 12 is virtualized over a Linux kernel, or, better, just another Linux shell). From my point of view it is a good thing that they keep an eye on what's going on in the Linux endpoint world (otherwise Azure would be a much less promising proposal than it is). Moreover, Microsoft is so big and has so many tentacles (hands) that it is possible, if not expected, for one hand to have a completely different agency than another. I've seen it in much smaller companies.
So even though there is much to be excited and annoyed about both Microsoft and Linux-based systems, I wouldn't judge Microsoft this harshly. As long as they publish their numbers and methods, that is.
Suspect MS are suffering from this since as they say: Microsoft threat researchers say ..."XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things (IoT) devices,"
Using Linux is a great way to deflect criticism: the problems MS are experiencing in the Azure cloud infrastructure are not to do with MS (proprietary) software but with Linux...
I have no personal knowledge of this, sorry, but I learned yesterday that starting with Windows 10, Microsoft is shipping OpenSSH as part of the standard package. It's right there, ready and waiting to be configured and used. No idea what the default configuration is, but this isn't just the client, the server is in there, too.
So they have potential exposure where ever there's a Windows machine, not just Azure.
-> But you know what else is equally dangerous as Linux botnets? Windows botnets.
Absolutely true. But it would be wrong to dismiss a Linux botnet just because it is reported by Microsoft. We typically see numerous web scans on our AWS hosts every day. If at random we pick a couple of source IPs and connect back to port 22 we often see Ubuntu in the OpenSSH string. Yeah.
I have been saying this for years and will say it again now. There is a myth that pervades in the Linux so-called community that Linux is 'more secure' than Windows. My view is it can be more secure if you know what you are doing and put that knowledge into practice. But if you use Linux and just believe that Linux is more secure and you can thumb your penguin nose at Windows users you are completely wrong. Your system may well be one of these bots.
....so here we go again....
Yup......James Plamondon in 2000.....and now this cr*p from Microsoft twenty two years later!!!
......and the beat goes on......Microsoft simply can't change the aggressive culture built by Bill and Steve..................
Thanks for the Computerworld link.......
......but it describes Plamondon's comments about something unrelated to his email rant "Evangelism is War". I'd really like to know what he thinks (today) about that rant.
......as you can tell, I know what I think about the rant....and what it tells us about Microsoft's culture!
I mean, I guess my logs are telling me that the skiddies are doing it, which strongly implies that there are idiots out there like that, but WHY? Seriously, what benefit is there to typing a password?
And service accounts (including root) that you can log in as?
My guess is that it's a 254% increase in honeypots & tarpits...