We all love to read about sexy exploits that involve zero-days and sophisticated in-memory attacks that evade endpoint detection and response (EDR) solutions. This is not that story. In reality, most companies that get hacked fall victim to conventional hacking techniques that exploit poor security configurations and known software vulnerabilities.
Often, the hackers aren't after you; they simply want to use your computing resources for other purposes such as installing cryptominers where they can earn coin, or installing bot software to enlist your server into a distributed denial of service (DDOS) network, or worse, serve up malware, pirated and illicit content from your server.
SSH Servers Under Attack
The researchers at AhnLabs are seeing just such hacking activity against Linux servers on the Internet that are exploiting poorly configured SSH servers. The attack itself is not sophisticated. Using automated scanning software to discover Linux servers on the Internet, they look for SSH servers, typically on port 22, then execute dictionary style attacks to brute force guess username password combos, like Admin:Admin123.
I'm sure whatever marketing firm that set up your old domain server would do no such thing, but believe me it is more common than you would imagine. Using automated software, hackers can quickly run through the most common permutations of username:password combinations until they guess correctly or move on.
If they do get access, then they essentially own the machine and can install cryptominers, bots, malware, pirated software, or illicit material. It can get ugly and you do not want your server or domain to get blacklisted as serving up malware or belonging to a DDOS network.
Scan your footprint
So what to do? Well, start out by getting ahead of the hackers and scan your own footprint before the hackers do. How? Log into a free ThreatMate account, add your domain(s) and start scanning away. We will identify not only any Linux servers you have visible to the world, but all servers and the specific services they are offering. If you verify your domain, we will schedule a pentest of your servers that will simulate what the hackers are attempting to do: guess username:password combos to see if you are vulnerable to these same attacks. In other words, beat the hackers at their own game before they beat you.
In addition, we will tell you if your servers have other exposures such as insecure protocols, weak ciphers, expiring SSL certificates, deprecated software, or known vulnerabilities. You will get a security rating so you understand how secure (or not) your external attack surface is. And yes it's all free, so this is on you if you aren't doing this basic level of diligence.
Scanning your external footprint is the tip of the iceberg. It is a small part of your actual network footprint, most of which is behind a firewall, which is a good thing. But, most companies we scan have old servers and domains they have forgotten about, and most of these sites were stood up by a 3rd party who is more competent at standing up web services than actually securing and maintaining them. However, it is your site and you are responsible for the servers and the content they host. Don't sleep on this.