#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

SSH | Breaking Cybersecurity News | The Hacker News

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks

Feb 22, 2024 Network Security / Penetration Testing
A recently open-sourced network mapping tool called  SSH-Snake  has been repurposed by threat actors to conduct malicious activities. "SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network," Sysdig researcher Miguel Hernández  said . "The worm automatically searches through known credential locations and shell history files to determine its next move." SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a "powerful tool" to carry out  automatic network traversal  using SSH private keys discovered on systems. In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports  resolution of domains  which have multiple IPv4 addresses. "It's comp
New Terrapin Flaw Could Let Attackers Downgrade SSH Protocol Security

New Terrapin Flaw Could Let Attackers Downgrade SSH Protocol Security

Jan 01, 2024 Encryption / Network Security
Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell ( SSH ) cryptographic network protocol that could allow an attacker to downgrade the connection's security by breaking the integrity of the secure channel. Called  Terrapin  ( CVE-2023-48795 , CVSS score: 5.9), the exploit has been described as the "first ever practically exploitable prefix truncation attack." "By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it," researchers Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk  said . SSH is a  method  for securely sending commands to a computer over an unsecured network. It relies on cryptography to authenticate and encrypt connections between devices. This is accomplished by means of a handshake in which a client and server agree up
The Drop in Ransomware Attacks in 2024 and What it Means

The Drop in Ransomware Attacks in 2024 and What it Means

Apr 08, 2024Ransomware / Cybercrime
The  ransomware industry surged in 2023  as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 5,070.  But 2024 is starting off showing a very different picture.  While the numbers skyrocketed in Q4 2023 with 1309 cases, in Q1 2024, the ransomware industry was down to 1,048 cases. This is a 22% decrease in ransomware attacks compared to Q4 2023. Figure 1: Victims per quarter There could be several reasons for this significant drop.  Reason 1: The Law Enforcement Intervention Firstly, law enforcement has upped the ante in 2024 with actions against both LockBit and ALPHV. The LockBit Arrests In February, an international operation named "Operation Cronos" culminated in the arrest of at least three associates of the infamous LockBit ransomware syndicate in Poland and Ukraine.  Law enforcement from multiple countries collaborated to take down LockBit's infrastructure. This included seizing their dark web domains and gaining access to their backend sys
Legion Malware Upgraded to Target SSH Servers and AWS Credentials

Legion Malware Upgraded to Target SSH Servers and AWS Credentials

May 24, 2023 Server Security / Malware
An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch. "This recent update demonstrates a widening of scope, with new capabilities such the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," Cado Labs researcher Matt Muir  said  in a report shared with The Hacker News. "It's clear that the developer's targeting of cloud services is advancing with each iteration." Legion, a Python-based hack tool, was  first documented  last month by the cloud security firm, detailing its ability to breach vulnerable SMTP servers in order to harvest credentials. It's also known to exploit web servers running content management systems (CMS), leverage Telegram as a data exfiltration point, and send spam SMS messages to a list of dynamically-generated U.S. mobile num
cyber security

WATCH: The SaaS Security Challenge in 90 Seconds

websiteAdaptive ShieldSaaS Security / Cyber Threat
Discover how you can overcome the SaaS security challenge by securing your entire SaaS stack with SSPM.
New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

Mar 21, 2023 Linux / Server Security
Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot. "ShellBot, also known as  PerlBot , is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server," AhnLab Security Emergency response Center (ASEC)  said  in a report. ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open. A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it leverages the Internet Relay Chat ( IRC ) protocol to communicate with a remote server. This encompasses the ability to receive commands that allows ShellBot to carry out DDoS attacks and exfiltrate harvested information. ASEC said it identified three different ShellBot versions – LiGhT's Modded perlbot v2, DDoS
North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application

North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application

Sep 16, 2022
A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client. Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name  UNC4034 . "UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility," Mandiant researchers  said . The utilization of fabricated job lures as a pathway for malware distribution is an oft-used tactic by North Korean state-sponsored actors, including the Lazarus Group, as part of an enduring campaign called  Operation Dream Job . The entry point of the attack is an ISO file that masquerades as an Amazon Assessment as part of a potential job opportunity at the tech giant.
New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems

New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems

Jul 21, 2022
A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits. This previously undetected Linux threat, called  Lightning Framework  by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. "The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration," Intezer researcher Ryan Robinson  said  in a new report published today. Central to the malware is a downloader ("kbioset") and a core ("kkdmflush") module, the former of which is engineered to retrieve at least seven different plugins from a remote server that are subsequently invoked by the core component. In addition, the downloader is also responsible for establishing the persistence of t
Cybersecurity Resources