Method: Linux Malware – GoScanSSH

During an incident response engagement, researchers at Cisco Talos identified a new malware family, called GoScanSSH, being used to compromise SSH servers exposed to the internet. The malware is written in Go, a programming language created at Google in 2009. The infection method is SSH brute force attacks against public-facing SSH services. Once a host has been infected, it reaches out to domains over Tor2Web as part of its command and control. According to Cisco Talos, the attack campaign has been ongoing for at least nine months. One unusual feature of the campaign is that the malware includes a component built in to avoid compromising certain government domains (.mil, .gov, .army, etc.).

Technical analysis of sample malware – http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html

Proficio Threat Intelligence Recommendations:

  • Restrict public facing SSH access to only the parties who need direct access to it.
  • Use strong passwords for any type of SSH authentication open to the internet.
  • Apply tools such as Fail2Ban to mitigate the risk of brute force attacks.
