
GoScanSSH Worm


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A new worm, known as GoScanSSH, has been observed targeting publicly accessible Linux Secure Shell (SSH) servers.

Affected platforms

The following platforms are known to be affected:

Threat details

Initial access is gained using a list of credentials, with unique malware binaries used to infect a target device. GoScanSSH will then attempt to determine the number of hash computations the device can perform in a fixed interval, defining how powerful it is. This data, along with further information regarding the device, is sent to a command and control server (C2).

C2 communications are sent using the Tor2Web proxy, allowing systems to access resources on the Tor network without a Tor client. Messages are encrypted using the AES algorithm with randomly generated keys. These keys are further encrypted using asymmetric RSA encryption, with the public key hard-coded into the binary.

GoScanSSH is capable of scanning and infecting other vulnerable SSH servers using randomly generated IP addresses. These are compared to a list of ranges known to be controlled by government or military entities and if no match is found, GoScanSSH will initiate an attack.


Remediation advice

To avoid becoming infected, ensure that:

Remediation steps

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts, and that permissions are always assigned on the basis of least privilege.
  • Your organisation adopts a holistic, all-round approach to Cyber Security as advocated by the 10 Steps To Cyber Security.

Administrators should ensure that vital systems are not directly exposed to the Internet. Additionally, they should enforce strong password and account policies for all accounts that have access to management interfaces over SSH.
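The credential-list attack described under Threat details leaves a recognisable trail in sshd's authentication log: a burst of failed passwords for several usernames from one source, sometimes followed by an accepted password from that same source. The following detector is an added example, not part of the original alert; the log lines it processes are constructed sample data in the standard sshd format, and the 60-second window and five-failure threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd auth messages left by a credential-list attack (and by a successful login).
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_line(line, year=2018):
    """Return (timestamp, result, user, ip) or None for lines we don't care about."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_brute_force(lines, window_s=60, threshold=5):
    """Flag sources with >= threshold failed passwords inside window_s seconds.
    For each flagged ip: 'users' = usernames tried, 'compromised' = accounts that
    later accepted a password from that ip (a credential from the list worked)."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(list)          # ip -> [(ts, user)] failures still in window
    findings = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip]
                          if (ts - t).total_seconds() <= window_s] + [(ts, user)]
            if len(recent[ip]) >= threshold:
                hit = findings.setdefault(ip, {"users": set(), "compromised": []})
                hit["users"].update(u for _, u in recent[ip])
        elif ip in findings:            # Accepted password after a burst of failures
            findings[ip]["compromised"].append(user)
    return findings

# Constructed sample log lines (not from the advisory or any real incident).
SAMPLE_LOG = """\
Mar 26 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar 26 10:00:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.9 port 50123 ssh2
Mar 26 10:00:05 host sshd[2003]: Failed password for invalid user test from 203.0.113.9 port 50124 ssh2
Mar 26 10:00:07 host sshd[2004]: Failed password for invalid user guest from 203.0.113.9 port 50125 ssh2
Mar 26 10:00:09 host sshd[2005]: Failed password for root from 203.0.113.9 port 50126 ssh2
Mar 26 10:00:12 host sshd[2006]: Accepted password for root from 203.0.113.9 port 50127 ssh2
Mar 26 10:05:00 host sshd[2007]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 26 10:05:30 host sshd[2008]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, hit in detect_brute_force(SAMPLE_LOG).items():
        print(ip, sorted(hit["users"]), hit["compromised"])
```

A single mistyped password (the second source above) never reaches the threshold, so only the source that cycled through a list of usernames is reported, together with the account it eventually got into.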


Last edited: 17 February 2020 12:44 pm