SSH | Breaking Cybersecurity News | The Hacker News

An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch. "This recent update demonstrates a widening of scope, with new capabilities such the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," Cado Labs researcher Matt Muir  said  in a report shared with The Hacker News. "It's clear that the developer's targeting of cloud services is advancing with each iteration." Legion, a Python-based hack tool, was  first documented  last month by the cloud security firm, detailing its ability to breach vulnerable SMTP servers in order to harvest credentials. It's also known to exploit web servers running content management systems (CMS), leverage Telegram as a data exfiltration point, and send spam SMS messages to a list of dynamically-generated U.S. mobile num

Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot. "ShellBot, also known as  PerlBot , is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server," AhnLab Security Emergency response Center (ASEC)  said  in a report. ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open. A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it leverages the Internet Relay Chat ( IRC ) protocol to communicate with a remote server. This encompasses the ability to receive commands that allows ShellBot to carry out DDoS attacks and exfiltrate harvested information. ASEC said it identified three different ShellBot versions – LiGhT's Modded perlbot v2, DDoS

A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client. Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name  UNC4034 . "UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility," Mandiant researchers  said . The utilization of fabricated job lures as a pathway for malware distribution is an oft-used tactic by North Korean state-sponsored actors, including the Lazarus Group, as part of an enduring campaign called  Operation Dream Job . The entry point of the attack is an ISO file that masquerades as an Amazon Assessment as part of a potential job opportunity at the tech giant.

A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits. This previously undetected Linux threat, called  Lightning Framework  by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. "The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration," Intezer researcher Ryan Robinson  said  in a new report published today. Central to the malware is a downloader ("kbioset") and a core ("kkdmflush") module, the former of which is engineered to retrieve at least seven different plugins from a remote server that are subsequently invoked by the core component. In addition, the downloader is also responsible for establishing the persistence of t