BleepingComputer reports that Linux SSH servers have been besieged by brute-force attacks from the novel Mirai trojan-based RapperBot botnet since mid-June.
More than 3,500 unique IP addresses around the world have been scanned by RapperBot as it sought to brute-force Linux SSH servers, according to a report from Fortinet. Despite being a forked version of Mirai, RapperBot was found to have unique functionality, as well as a dedicated command-and-control protocol and post-compromise activity mainly aimed at achieving initial server access.
"Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR," said researchers.
