Source: hivepro.com
A new malware campaign is actively exploiting the PuTTY SSH client and the OpenSSH client built into Windows to establish backdoors on compromised machines. This sophisticated attack leverages the popularity and trust associated with these legitimate tools, turning them into instruments for malicious purposes. Categorized as a "Living Off the Land Binary" (LOLBIN) tactic, this approach allows attackers to evade detection by traditional security software while maintaining unauthorized remote access to and control over infected systems. This can lead to data theft, system compromise, and further malware propagation within the network.
The attack campaign, tracked by HivePro, involves the deployment of trojanized versions of PuTTY, a widely used free SSH client, and the abuse of the OpenSSH client integrated into Windows 10 since version 1803. Attackers use a multi-stage approach, including registry manipulation and the creation of malicious SSH configuration files, to establish persistent communication with their command-and-control infrastructure. A recent malware sample, disguised as "dllhost.exe," exemplifies this strategy: it attempts to start the "SSHService" and, if that fails, manipulates registry keys to store randomly chosen ports for future connections.

Security experts emphasize the importance of vigilance and caution among system administrators. It is crucial to ensure that only genuine versions of PuTTY are used and to monitor SSH traffic for suspicious activity. The integration of OpenSSH into Windows, while beneficial for system administrators, has inadvertently expanded the attack surface, giving malicious actors new opportunities to abuse legitimate functionality. By understanding the tactics and techniques employed in this campaign, organizations can better protect themselves against this evolving threat.
Source: The Hacker News (info@thehackernews.com)
A critical security vulnerability, CVE-2025-32433, has been discovered in the Erlang/OTP SSH implementation, potentially allowing unauthenticated remote code execution (RCE). The flaw, which has been assigned a maximum CVSS score of 10.0, could enable attackers to execute arbitrary code on affected systems without providing any credentials. Researchers at Ruhr University Bochum, including Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk, identified the vulnerability. It stems from improper handling of SSH protocol messages, allowing attackers to send connection protocol messages prior to authentication, leading to a complete system compromise if the SSH daemon is running with root privileges.
The vulnerability affects all users running an SSH server based on the Erlang/OTP SSH library. According to the official Ericsson security advisory, any application providing SSH access using the Erlang/OTP SSH library should be considered affected. This poses a significant risk, especially to critical infrastructure and high-availability systems where Erlang/OTP is widely used, such as telecommunications equipment, industrial control systems, and connected devices. Mayuresh Dani of Qualys emphasizes the critical nature of the flaw, noting that Erlang is frequently installed on high-availability systems; the vulnerability could allow actions such as installing ransomware or siphoning off sensitive data.

Proof-of-concept (PoC) exploits for CVE-2025-32433 have already been released, increasing the urgency for organizations to act immediately. SecurityOnline reported the release of PoC code, and the Horizon3 Attack Team confirmed they had developed their own exploit, describing it as "surprisingly easy" to reproduce.

Mitigation consists of updating immediately to the patched versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. As a temporary workaround, it is recommended to disable the SSH server or restrict access via firewall rules until the updates can be applied. Organizations should also evaluate their systems for potential compromise.
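A triage helper for the fixed versions named above, added here as an example and not code from the Ericsson advisory or the article: it parses OTP release strings and reports whether each one is at or above the fix on its major branch. Treating branches older than OTP 25 as unpatched and branches newer than 27 as patched is an assumption of this example.

```python
"""Triage helper for CVE-2025-32433: is an Erlang/OTP release patched?

Added example, not code from the advisory or the article above. Fixed
releases are the three named in the item; input is the OTP release string
("27.3.3", optionally prefixed "OTP-"). Treating branches older than OTP 25
as unpatched and branches newer than 27 as patched is an assumption.
"""
import re
from typing import Tuple

# First fixed release on each supported major branch (from the item above).
FIXED = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}

_VERSION_RE = re.compile(r"^(?:OTP-)?(\d+(?:\.\d+)*)$")


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn 'OTP-26.2.5.11' or '26.2.5.11' into a comparable tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(text: str) -> bool:
    """True if the release is at or above the fix for its major branch.

    Tuples compare element-wise, so (26, 2, 5) < (26, 2, 5, 11) and
    (26, 3) > (26, 2, 5, 11), matching how OTP patch releases are ordered.
    """
    version = parse_otp_version(text)
    major = version[0]
    if major > max(FIXED):          # assumption: newer majors ship the fix
        return True
    fix = FIXED.get(major)
    if fix is None:                 # OTP 24 and older: out of support
        return False
    return version >= fix


if __name__ == "__main__":
    # Constructed sample inventory (e.g. values of OTP_VERSION from each host).
    for rel in ["OTP-27.3.3", "27.3.2", "26.2.5.11", "OTP-26.2.5", "26.3",
                "25.3.2.19", "24.3", "28.0"]:
        print(f"{rel:12} {'patched' if is_patched(rel) else 'VULNERABLE'}")
```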
Source: The Hacker News (info@thehackernews.com)
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.
The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive. The archive launches a modified XMRig miner for cryptojacking and installs its components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat.