RapperBot is a new botnet that has been running since mid-June this year. This malware specializes in carrying out brute force attacks on the SSH protocol of all types of Linux servers. With this, it aims to establish a connection with the computer, access it and be able to both access the data stored on the server and move around the network in search of other computers.
This new malware is based on Mirai, a Trojan that has been infecting tens of thousands of Linux devices for a few years to create one of the largest computer networks in order to rent it to the highest bidder for all kinds of computer attacks. However, although based on it, RapperBot is somewhat different in that hackers have more control over its expansion and it does not seek to focus on conducting DDoS attacks, but on remote connection to computers and lateral movement within a network. net.
Hackers control this botnet through a C2 panel. In this way they can indicate targets, and send lists of SSH users to test, with brute force, which one allows the connection. It is able to connect to any SSH server with Diffie–Hellmann key exchange with 768-bit or 2048-bit keys and AES128-CTR encryption.
In just a month and a half, this malware has scanned and attacked more than 3,500 IP addresses. And it seems, moreover, that it is more alive than ever.
How to mitigate these attacks
Brute force attacks don’t rely on a security flaw in a program or protocol, so we can’t expect a magic patch to suddenly protect us. Therefore, there is no way to completely protect ourselves against this threat, but what we have to do is mitigate its impact and prevent us from being the next victim.
For this, the first and most obvious thing is that, if we don’t use SSH, let’s disable the service on our Linux. This will prevent us from connecting remotely to the system, but at the same time it guarantees that we will not fall into the clutches of these hackers. Another possible way to protect ourselves is to configure security to block connections after a limited number of attempts. So, for example, if connections are blocked after 10 failed attempts for 10 minutes, brute force attacks become ineffective.
Other tips to mitigate the impact of malware are the typical ones, such as not using default users, using long, random and strong passwords, and changing the default port.