GoScanSSH targets public facing SSH servers

Delaware, USA – March 29, 2018 – Researchers discovered a new malware family dubbed GoScanSSH that conducts brute force attacks on devices which support authentication via SSH. Infected systems are used to find the next suitable target and compromise it using a list of nearly 7,000 usernames and passwords combinations. To do this, GoScanSSH generates random IP address and compares it with the built-in list of exceptions, which includes the IP addresses of governments and military entities, then performs a reverse DNS lookup to determine if this address has the domain name. Domain names are also compared to the list of exceptions; therefore, the attackers behind this malware try not to attract attention to their operation. Only after that GoScanSSH tries to access the device, and in case of success sends information about the “finding” to C&C server in the Tor network. Attackers create different malware samples for each device and install it manually. Researchers from Cisco Talos found more than 70 samples.

While the goals pursued by attackers are not clear, it is possible that some other malware will later be installed on compromised devices. It is also worth noting that the first samples of the virus date back to June 2017, but the burst of GoScanSSH activity began only two weeks ago.

To detect such attacks on your public facing resources, you can leverage Brute Force Detection use case, which notifies SIEM administrator about any attempts of password guessing and uncovers even slow brute-force attacks.