SoylentNews is people
SoylentNews
https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/
ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In the white paper, “The Dark Side of the ForSSHe”, they release analysis of 21 malware families to improve the prevention, detection and remediation of such threats
[...] Something that wasn’t originally discussed in the Operation Windigo paper, but that ESET researchers have talked about at conferences, is how those attackers try to detect other OpenSSH backdoors prior to deploying their own (Ebury). They use a Perl script they have developed that contains more than 40 signatures for different backdoors.
https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf
(Score: 0) by Anonymous Coward on Friday December 14 2018, @10:56PM (1 child)
The paper suggests disabling password authentication, disabling root login, and using two-factor when possible. They are not sure what initial attack vectors are, but nearly all that they encountered spread through stealing credentials, and only a few stole private keys.
(Score: 2) by driverless on Saturday December 15 2018, @12:37AM
For this to work though you need to use actual, real second-factor auth, not twice as much one-factor auth labelled as two-factor auth. In particular publickey + password is something you know and something else you know, so just two lots of one-factor auth. Actual two-factor auth is a crypto token, OTP, or similar.