Security experts have discovered a new strain of malware that targets vulnerable Linux-based systems and tries its best to avoid infecting devices on government and military networks. The strain is named GoScanSSH, and the name is a tell-tale sign of its main features and capabilities: it is coded in Go, it uses infected hosts to scan for new ones, and it uses the SSH port as the point of entry. Dan Matthews, Director of Engineering at Lastline, commented below.
Dan Matthews, Director of Engineering at Lastline:
“It is difficult to fully get inside the head of attackers, but one theory could be that the attackers know that nation-states are resourced and have the political and networking connections to perform accurate attribution. This attack does not appear complex, although they have done two things which differ from recent commodity malware:
1) Written in Go, which is an efficient/cross-platform/modern/cool programming language
2) Added an IP address validation step prior to performing dictionary attacks against publicly reachable SSH servers.
The best thing any organization can do to protect against password reuse attacks is to enable some type of multi-factor authentication, particularly for services such as VPNs, SSH servers and web/cloud-based email services which are reachable from the internet.”