Researchers at Cisco Talos, during an incident response engagement, have identified a new malware family being used to compromise SSH servers exposed to the internet, called GoScanSSH. The malware is written in Go, a programming language created at Google in 2009. The infection method is SSH brute force attacks against public-facing SSH services. Once a host has been infected, it reaches out to domains over Tor2Web as part of its command and control. According to Cisco Talos, the attack campaign has been ongoing for at least nine months. One unusual aspect of the campaign is that the malware has a built-in component that avoids compromising certain government domains (.mil, .gov, .army, etc.).
Technical analysis of sample malware – http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html
Proficio Threat Intelligence Recommendations:
- Restrict public facing SSH access to only the parties who need direct access to it.
- Use strong passwords for any type of SSH authentication open to the internet.
- Apply tools such as Fail2Ban to mitigate the risk of brute force attacks.
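The brute-force activity behind this campaign shows up in sshd authentication logs before it succeeds, which is what Fail2Ban keys on. The following script is an added example, not part of the Proficio recommendations or the Talos analysis: it parses syslog-style sshd "Failed password" lines (the log lines below are constructed samples, and the year is assumed because syslog omits it) and applies the same sliding-window rule that Fail2Ban's `maxretry` and `findtime` settings implement, so a defender can see which sources would be flagged under a given threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not taken from the Talos report.
SAMPLE_LOG = """\
Mar 26 10:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 26 10:00:03 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar 26 10:00:05 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 26 10:00:06 host1 sshd[2004]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 26 10:00:08 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 26 10:00:09 host1 sshd[2006]: Accepted publickey for deploy from 198.51.100.4 port 41000 ssh2
Mar 26 10:05:00 host1 sshd[2007]: Failed password for root from 198.51.100.4 port 41001 ssh2
Mar 26 10:30:00 host1 sshd[2008]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar 26 10:40:00 host1 sshd[2009]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 26 10:50:00 host1 sshd[2010]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 26 11:00:00 host1 sshd[2011]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 26 11:10:00 host1 sshd[2012]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

# Matches OpenSSH's failed password-auth message, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2018):
    """Yield (timestamp, user, source_ip) for each failed-password line.

    Syslog lines carry no year, so one is supplied (assumed here, not from the log).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bruteforcers(log_text, maxretry=5, findtime=600):
    """Return {ip: (count, first_seen, last_seen)} for sources that reach
    maxretry failures inside a findtime-second sliding window, which is the
    rule Fail2Ban's maxretry/findtime pair applies before banning."""
    window = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, _user, ip in parse_failures(log_text):
        q = window[ip]
        q.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = (len(q), q[0], ts)
    return flagged


if __name__ == "__main__":
    for ip, (count, first, last) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

With the defaults, only 203.0.113.7 (five failures in seven seconds) is flagged; 192.0.2.9 spreads its five attempts over forty minutes and slips under a ten-minute `findtime`, which is why slow, patient scanners call for a longer window or a lower `maxretry` than the Fail2Ban defaults. The single failure from 198.51.100.4, a host that otherwise authenticates with a key, is left alone.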