However, so far the botnet hasn’t done much other than maintaining persistence on infected machines. It has the ability to launch DDoS (distributed denial of service) attacks and conduct cryptomining, but hasn’t done anything yet to monetize its access. That, Flare says, suggests either the operator is still staging the botnet’s infrastructure, is in a testing phase, or is maintaining access for future use.
The good news for CSOs, according to Flare cybersecurity researcher Assaf Morag, is that at this point there’s one way to stop this particular botnet cold: Disable SSH password authentication to Linux machines and replace it with SSH-key based authentication, or hide password logins behind a VPN.
This change should be accompanied by implementation of SSH brute-force rate limiting, monitoring who is trying to access internet-connected Linux servers, and limiting remote access to servers to specific IP ranges.
However, Morag cautioned, right now SSHStalker is looking for Linux servers with weak SSH protection, but at any moment, the operator may add another attack vector, such as an unpatched server vulnerability or misconfiguration.
Security fundamentals are key
Chris Cochran, SANS Institute field CISO and VP of AI security, said SSHStalker is a reminder that security fundamentals still decide the fight.
“Yes, AI is changing the threat landscape. Yes, automation is accelerating attacks. But this campaign proves something simpler and more uncomfortable: Old tricks still work,” he said. “If I’m talking to another CISO today, my advice isn’t ‘buy more AI.’”
