XorDDoS is still hunting servers with weak passwords. According to a recent post from Microsoft, there has been a 254% increase in activity from XorDDoS, an eight-year-old botnet of infected Linux machines used for DDoS attacks.
“XorDDoS’s initial entry is via the SSH service, using a brute-force technique on root credentials in a distributed format by a shell script,” says Habibeh Deyhim, Customer Success Leader with Horizon3.ai.
“To avoid being the target of such attacks,” Deyhim says, “one must configure strong root credentials on any device that runs a public-facing SSH service, including such assets in the scope of NodeZero to surface any potential weak credentials, which helps catch the exploits before the attackers do.”
The attack leaves a footprint of many failed sign-in attempts on the target, Deyhim continues.
“Tune EDR on all public-facing SSH-running assets to properly detect any potential XorDDoS attack and stop it before bad actors get into the network and start manipulating files and/or directories,” says Deyhim.
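The footprint Deyhim describes is visible in the sshd lines of the system auth log. The following is an added example, not code from Horizon3.ai, Microsoft or NodeZero: a small Python detector that reads OpenSSH auth-log lines and flags root brute force. Because the guessing is distributed across many infected hosts, it counts the number of distinct source addresses failing against root inside a time window rather than relying only on a per-IP threshold, and it flags a successful root login from an address that had already been failing. The log lines, hostnames, addresses, thresholds and the assumed year for the syslog timestamps are all constructed for the example.

```python
"""Flag distributed SSH brute force against root in OpenSSH auth-log lines.

Added example, not code from the page's author or from any vendor. Sample
log lines and thresholds are constructed; the line format is the standard
OpenSSH syslog layout (/var/log/auth.log or /var/log/secure).
"""
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year=2022):
    # Syslog timestamps carry no year; the year is an assumption for the example.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(lines, window_seconds=600, per_source_threshold=5, distinct_source_threshold=3):
    """Summarise sshd failures/successes and flag brute force against root.

    Returns a dict with:
      root_failures               failed password attempts against root
      noisy_sources               IPs with >= per_source_threshold root failures
      max_distinct_root_sources   most distinct IPs failing root inside one window
      distributed_root_bruteforce True when that count reaches the threshold
      suspicious_logins           (user, ip) accepted after earlier failures from ip
    """
    root_attempts = []      # (timestamp, ip) for every failure against root
    first_failure = {}      # ip -> earliest failure against any account
    accepted = []           # (timestamp, user, ip)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            first_failure[m["ip"]] = min(ts, first_failure.get(m["ip"], ts))
            if m["user"] == "root":
                root_attempts.append((ts, m["ip"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append((parse_ts(m["ts"]), m["user"], m["ip"]))

    root_attempts.sort()
    per_ip_root = defaultdict(int)
    for _, ip in root_attempts:
        per_ip_root[ip] += 1
    noisy = sorted(ip for ip, n in per_ip_root.items() if n >= per_source_threshold)

    # Sliding window over root failures: a botnet spreads guesses across many
    # sources, so distinct IPs in a short span matter more than any one IP's count.
    max_distinct = 0
    for i, (start, _) in enumerate(root_attempts):
        sources = set()
        for ts, ip in root_attempts[i:]:
            if (ts - start).total_seconds() > window_seconds:
                break
            sources.add(ip)
        max_distinct = max(max_distinct, len(sources))

    # A login accepted from an address that was failing before it is the
    # "attacker got in" moment the EDR tuning is meant to catch.
    suspicious = sorted(
        {(user, ip) for ts, user, ip in accepted
         if ip in first_failure and first_failure[ip] <= ts}
    )
    return {
        "root_failures": len(root_attempts),
        "noisy_sources": noisy,
        "max_distinct_root_sources": max_distinct,
        "distributed_root_bruteforce": max_distinct >= distinct_source_threshold,
        "suspicious_logins": suspicious,
    }


# Constructed sample: three sources guessing root, one of them finally succeeding.
SAMPLE_LOG = [
    "Jun 14 03:12:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 41022 ssh2",
    "Jun 14 03:12:03 web1 sshd[2102]: Failed password for root from 198.51.100.7 port 41030 ssh2",
    "Jun 14 03:12:04 web1 sshd[2103]: Failed password for root from 203.0.113.9 port 50211 ssh2",
    "Jun 14 03:12:06 web1 sshd[2104]: Failed password for root from 192.0.2.44 port 38172 ssh2",
    "Jun 14 03:12:09 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.9 port 50215 ssh2",
    "Jun 14 03:12:11 web1 sshd[2106]: Failed password for root from 198.51.100.7 port 41041 ssh2",
    "Jun 14 03:12:14 web1 sshd[2107]: Failed password for root from 198.51.100.7 port 41050 ssh2",
    "Jun 14 03:12:17 web1 sshd[2108]: Failed password for root from 198.51.100.7 port 41058 ssh2",
    "Jun 14 03:12:20 web1 sshd[2109]: Accepted password for root from 192.0.2.44 port 38190 ssh2",
    "Jun 14 09:40:00 web1 sshd[3001]: Accepted publickey for deploy from 10.0.0.5 port 52000 ssh2",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample, only 198.51.100.7 crosses the per-source threshold, but three distinct addresses hit root within the window, so the distributed rule fires even though two of them made a single attempt each; the accepted root password login from 192.0.2.44 is reported as the likely compromise. Log-based detection is reactive by nature: on hosts that expose SSH publicly, also removing password authentication for root in sshd_config (PermitRootLogin prohibit-password, PasswordAuthentication no) takes the guessed credential out of play entirely.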
XorDDoS was first discovered in 2014 and is named for its denial-of-service activity on Linux endpoints and servers and for its use of XOR-based encryption in its communications.
It is part of a trend of malware that increasingly targets Linux-based operating systems to carry out DDoS attacks. While DDoS attacks are a problem in their own right, they can also be used to mask other malicious actions, such as distributing malware.
XorDDoS relies on both evasion and persistence to stay below the radar: it hides its malicious activity and sidesteps rule-based detection mechanisms, hash-based lookups of malicious files, and similar controls.
XorDDoS gains its foothold through Secure Shell (SSH) brute-force attacks. Once it identifies working root credentials, it uses that root privilege to download and install XorDDoS on the targeted device.
As noted above, NodeZero can be used to surface weak credentials, closing that gap before XorDDoS can make its move.
Schedule a demo of NodeZero today.