The Haiduc SSH brute force tool is rarely seen on its own. It is usually one component of a larger operation that also includes a Perl-based shell bot and an XMR cryptominer. The tool brute-forces SSH authentication against other hosts on the local network, allowing the attackers to move laterally and infect additional servers.
- An infected server requests the tool from an attacker-controlled server.
- The attacker-controlled server responds, and the infected server downloads the tool.
- The infected server unpacks the tool and executes it with instructions from the attacker (possibly delivered in the same download). The tool then attempts to brute force SSH logins within the local network.
The attacker must have some level of code execution on the system in order to execute the tool.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. The targeted system produces log messages when an attack of this type is carried out, and an incident is generated in the Alert Logic console if these log messages are observed.
Recommendations for Mitigation
The attacker must already have exploited some other entry vector to place the malicious files on the victim machine.