According to a newly published paper from GuardiCore Labs researchers, threat actors have been stealthily deploying a DDoS-capable RAT by spreading a SSH brute-force attack known as Butter. Although the Butter campaign has been known to researchers for some time, a new payload released in the summer has gone largely undetected by many. Which should come as no great surprise considering the actors behind Butter have been successfully monetising their operation for years without getting caught.
Butter itself is notable because, unlike the vast majority of short-lived attacks monitored in security operation centres across the globe, it originates from a limited number of attack sources and adopts a 'low and slow' operational methodology to evade detection.
It isn't, however, doing anything that new or clever by way of the core attack mode: the brute-forcing of SSH credentials. The GuardiCore paper points out that "the most basic attack methods that worked ten years ago still work today and will probably continue to be effective in the future." For sure, old and simple isn't necessarily a bad thing as Butter has demonstrated by breaking into weak and unsecured servers the world over. As well as an older and widely used payload known as '80' (a variant of the XOR.DDOS RAT), the latest Butter activity has been seen deploying something called Samba which is unique to this threat campaign.
Samba, named after one of the files that it hides itself in, is another RAT with shell command execution, file downloading and DDoS functionality. It also, as has been the trend for so many threat campaigns this year, has built-in crypto mining capabilities. The Butter miner, somewhat unsurprisingly given the privacy and anonymity attributes, mines the Monero cryptocurrency. And that's just for now. Daniel Goldberg, security research expert at GuardiCore Labs, told SC Media UK that he expects "to see the new Trojan, Samba, evolve and add features and support for more platforms."
But why are there still so many inadequately secure servers to make this kind of attack still apparently worthwhile? "The reasons for this are nuanced and manifold but rooted in the fact that cyber-criminals can now monetise any business website, server or endpoint that is hacked" Etienne Greeff, CTO and co-founder at SecureData told SC Media UK. Broderick Perelli-Harris, senior director of professional services at Venafi, adds that another reason brute forcing SSH credentials is still a problem is that "companies are still trying to track and manage these credentials manually, which makes it incredibly difficult to find and replace them quickly." As a result, Perelli-Harris reckons "many companies put their heads in the sand and just ignore the problem because it seems like such a big task."
So, how should the enterprise best mitigate against the brute forcing of SSH credentials? Paolo Passeri, global solutions architect at Netskope says that mitigation is quite simple, being a combination of policies and technology. "An effective password policy, educating the users not to use the same passwords for multiple services and also deploying effectively consolidated technology such as IPSs that can detect and mitigate similar attacks" Passeri told SC Media UK, adding "SSH credentials being compromised is an example that security fundamentals are really hard to adopt for organisations."
Meanwhile, Cody Brocious, the education lead at security consultancy HackerOne, recommends three things: remove traditional passwords completely and use public key authentication, use fail2ban to automatically shut down attacks from a single source and require two-factor authentication for SSH logins. Tom Parsons, senior director at Tenable Research reminds us that "one of the most common techniques to prevent these attacks is to set the SSH service to listen in to a nonstandard port (other than 22) and disable password based authentication by enforcing the use of SSH public keys only."
We will leave the last word to Sivan Nir, senior analyst at the Skybox Research Lab, who points out that even if brute forcing SSH credentials is a relatively simplistic attack vector "the vast majority of threat actors aren’t worried about sophistication, it’s whatever gets the job done..."