GoScanSSH Targets Linux-Based SSH Servers

A new malware variant, dubbed GoScanSSH by Cisco Talos researchers, attempts to compromise Linux-based SSH servers that are exposed to the internet and join them to a botnet. Written in the Go programming language, GoScanSSH uses a previously infected device to scan randomly generated IP addresses for open SSH ports, attempts to establish an SSH connection with an identified target, and then gathers information about the domains associated with it. Researchers have determined that GoScanSSH compares these associated domains and IP addresses with an internal blacklist to avoid compromising military and government-based servers. When the malware finds a viable target with an open SSH port, it initiates an SSH credential brute-force attack using a word list of over 7,000 common username and password combinations, consisting mostly of weak or default device credentials. If a credential match is found and access can be obtained, a unique GoScanSSH malware binary is then installed on the system. After the malware gathers information on the infected device, it begins searching for new devices to compromise. The NJCCIC recommends that administrators of Linux-based systems with open and publicly exposed SSH ports review the Talos report for additional information and Indicators of Compromise (IoCs), change any and all default account credentials, ensure systems have unique and complex account credentials, and close port 22 if it is not needed. If SSH is needed in your environment, consider implementing IP whitelisting and a multi-factor authentication solution to protect against brute-force attacks.
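A defender-side check for the behavior described above: this added Python example (not code from the Talos report or the NJCCIC) parses sshd authentication log lines and flags source addresses that rack up many failed password logins across different usernames in a short window, the footprint a default-credential brute-force leaves in auth.log. The log lines, hostnames, addresses (RFC 5737 test ranges) and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Failed password" line sshd writes to auth.log / the journal.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample log (RFC 5737 test addresses): one source spraying default
# accounts, one legitimate key-based login, one ordinary mistyped password.
SAMPLE_LOG = """\
Mar 26 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40221 ssh2
Mar 26 10:00:02 host sshd[1202]: Failed password for invalid user pi from 203.0.113.5 port 40222 ssh2
Mar 26 10:00:02 host sshd[1203]: Failed password for root from 203.0.113.5 port 40223 ssh2
Mar 26 10:00:03 host sshd[1204]: Failed password for invalid user ubnt from 203.0.113.5 port 40224 ssh2
Mar 26 10:00:04 host sshd[1205]: Failed password for invalid user user from 203.0.113.5 port 40225 ssh2
Mar 26 10:00:05 host sshd[1206]: Failed password for root from 203.0.113.5 port 40226 ssh2
Mar 26 10:00:07 host sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2: ED25519 SHA256:...
Mar 26 10:00:09 host sshd[1208]: Failed password for bob from 198.51.100.9 port 52000 ssh2
"""

def find_bruteforce_sources(log_text, min_failures=5, window_seconds=60, year=2018):
    """Return {ip: (total failures, sorted distinct usernames)} for every source
    with at least min_failures failed logins inside any window_seconds span.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m['ip']].append((ts, m['user']))
    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        start = 0  # sliding window over time-ordered attempts
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_failures:
                flagged[ip] = (len(attempts), sorted({u for _, u in attempts}))
                break
    return flagged

if __name__ == "__main__":
    for ip, (n, users) in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, usernames tried: {', '.join(users)}")
```

A source that is flagged with several distinct usernames in the list (root, admin, pi, ubnt) is trying default device accounts rather than a single forgotten password, which is the case the IP whitelisting and multi-factor recommendations above address.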
