Are your Linux SSH servers truly secure? In the vast digital landscape, threat actors are increasingly targeting poorly managed servers. Consequently, this invites a wave of sophisticated attacks.

AhnLab Security Emergency Response Center (ASEC) sheds light on the escalating menace as well as reveals the intricate tactics employed by cybercriminals.

Understanding the Recent Threat

In a recent analysis, ASEC uncovered a surge in attacks on Linux SSH servers. Threat actors go beyond the conventional DDoS bots and CoinMiners, opting for a more insidious approach.

The attackers, before deploying malware, meticulously gather IP addresses and SSH credentials. Furthermore, to accomplish this, they used IP scanning and brute force attacks.

Malware Arsenal: More Than Meets the Eye

Common malware, including ShellBot, Tsunami, ChinaZ DDoS Bot, and XMRig CoinMiner, are the weapons of choice for these cyber assailants.

What’s more alarming is the installation of SSH scanner malware on compromised servers.

This malicious software not only exposes vulnerabilities but also paves the way for further exploitation.

Anatomy of an Attack

The attackers employ a sophisticated arsenal of tools. These include port scanners, banner grabbers, and SSH dictionary attack tools.

The sequence of approach employs a chain of attacks to obtain server access. This involves:

  • scanning for active port 22 (SSH service)
  • extracting IP addresses, and
  • launching brute force attacks

Notably, the attackers leave digital footprints, inadvertently revealing their tactics in the process.

Past Cases

ASEC’s historical analysis uncovers a consistent pattern of attacks. The tools used, believed to be crafted by the PRG old Team, undergo slight modifications but remain at the core of multiple threat actor arsenals.

The 2021 report from the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) reinforces this, emphasizing the persistent use of port scanners and SSH dictionary attack tools.

Safeguarding Your Servers

ASEC advocates for proactive measures to shield Linux SSH servers from these evolving threats.

Administrators are advised to implement robust security measures:

  • strong password policies
  • regularly credentials update
  • installing the latest patches
  • and others to fortify against vulnerabilities.

The use of firewalls is also recommended as always to restrict external access. In the same way, vigilance in updating security programs is crucial to preemptively block malware infections.

ASEC’s Defensive Arsenal

To stay one step ahead, ASEC utilizes a Linux SSH Honeypot. This offers real-time insights into attack source addresses.

This valuable information is shared through the AhnLab Threat Intelligence Platform (TIP). This further empowers administrators to fortify their defenses against emerging threats.


As the digital landscape evolves, so do the tactics of cyber adversaries. ASEC’s insights unveil the hidden strategies employed by threat actors targeting Linux SSH servers.

By adopting proactive security measures and leveraging ASEC’s real-time intelligence, you can fortify your digital fortress against the rising tide of cyber threats. Stay secure, stay vigilant!