Statistical Report on Malware Targeting Linux SSH Servers in Q4 2024
Overview
AhnLab SEcurity intelligence Center (ASEC) uses honeypots to respond to and classify brute force and dictionary attacks targeting poorly managed Linux SSH servers. This report covers the attack sources identified in the fourth quarter of 2024 based on honeypot logs, along with statistics on the attacks carried out by those sources. In addition, the malware used in each attack is categorized and summarized statistically.
Statistics
1. Status of Attacks on Linux SSH Servers
The following statistics are based on AhnLab honeypot logs of attacks targeting Linux SSH servers during the fourth quarter of 2024. Because the P2PInfect worm alone accounted for 49.3% of the attacks identified in the fourth quarter of 2024, P2PInfect is excluded from these figures. Apart from this, there are no significant differences from the third quarter of 2024.

Figure 1. Status of attacks on Linux SSH servers in Q4 2024
The “Attack source” category refers to the number of systems used in attacks by malware or threat actors, that is, systems on which the execution of actual malware installation commands has been confirmed. ASEC honeypots collect logs of attacks targeting poorly managed Linux SSH servers; for this report, these are defined as environments vulnerable to brute force or dictionary attacks because of poorly configured account credentials. If a login succeeds on such an inadequately managed system, the malware or threat actor gains control over it.
The “Attack status” category shows the number of times threat actors or malware attacked the system. Attacks on poorly managed Linux SSH servers begin with scanning. After scanning, most attack attempts end either once account credentials have been obtained through brute force or dictionary attacks, or after the subsequent phase of collecting basic system information. This report summarizes statistics only for cases that go beyond this stage and have confirmed logs of malware being installed.
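The stages described above (a burst of failed logins from one source, then a successful login that precedes command execution) can be picked out of a server's own sshd authentication log. The following is an added detection example, not code from the report or from ASEC; the log lines are constructed, and the failure threshold is an assumed value.

```python
"""Flag SSH brute-force sources and logins that follow a burst of failures."""
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth-log lines (not taken from the report).
SAMPLE_LOG = """\
Dec 01 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40110 ssh2
Dec 01 10:00:02 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Dec 01 10:00:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 40112 ssh2
Dec 01 10:00:04 host sshd[1204]: Failed password for root from 198.51.100.7 port 40113 ssh2
Dec 01 10:00:05 host sshd[1205]: Failed password for root from 198.51.100.7 port 40114 ssh2
Dec 01 10:00:06 host sshd[1206]: Accepted password for root from 198.51.100.7 port 40115 ssh2
Dec 01 10:05:00 host sshd[1300]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2
Dec 01 10:06:00 host sshd[1301]: Failed password for root from 203.0.113.9 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def triage(log_text: str, threshold: int = 5):
    """Return (brute_force_sources, suspicious_logins).

    brute_force_sources: {ip: failure_count} for sources with >= threshold failures.
    suspicious_logins: [(ip, user, failures_before_login)] for successful logins
    that came after at least `threshold` failures from the same source, i.e. the
    point at which the report's "attack source" would begin running commands.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication result line
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            suspicious.append((ip, user, failures[ip]))
    sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return sources, suspicious

if __name__ == "__main__":
    src, logins = triage(SAMPLE_LOG)
    print("brute-force sources:", src)
    print("logins after failures:", logins)
```

A hit in `suspicious_logins` is the cue to inspect that session for the download or installation commands the report counts as an attack source, rather than treating the login alone as the incident.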
※ Please refer to the attachment for more details.