Microsoft reports that an ongoing cryptojacking campaign is taking over Internet-exposed Linux and Internet of Things (IoT) devices by brute-forcing their credentials. Once inside, the attackers install a trojanized OpenSSH build that backdoors the infected device and harvests SSH passwords, giving them persistent access.
The patched binaries “install hooks that intercept the passwords and keys of the SSH connections,” according to Microsoft, whether the device is acting as the client or the server. The patches also enable root login over SSH and hide the intruder’s presence by suppressing logging of the threat actors’ own SSH sessions, which the backdoor recognizes by a unique password.
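The behaviour Microsoft describes (a replaced sshd binary and a configuration that now permits root login) leaves two things a responder can check without trusting the running daemon: whether the installed sshd still matches a trusted hash of the distribution's package, and what the global PermitRootLogin setting actually resolves to. The script below is an added example written for this article, not code from Microsoft's report. The manifest file format, the `audit_host` helper and the file paths in the usage comment are assumptions, and the sample files the checks are exercised against are constructed.

```sh
#!/bin/sh
# Added example: host-side checks for a suspected trojanized OpenSSH build.
# Not code from Microsoft's report. Assumptions: a manifest file of the form
# "<sha256>  <path>" (what `sha256sum -c` reads) produced off-host from a trusted
# copy of the same openssh-server package version, because the on-host package
# database (dpkg -V / rpm -V) can itself be edited by an intruder with root.

# SHA-256 of a file, portable between GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# sshd_binary_modified BINARY MANIFEST
# Exit 0 if BINARY's hash differs from the manifest entry (suspicious),
# 1 if it matches, 2 if the manifest has no entry for that path.
sshd_binary_modified() {
    expected=$(awk -v p="$1" '$2 == p { print $1; exit }' "$2")
    [ -n "$expected" ] || return 2
    [ "$(sha256_of "$1")" != "$expected" ]
}

# effective_permit_root_login CONFIG
# Prints the PermitRootLogin value in the global section of an sshd_config.
# Mirrors sshd's rules: '#' starts a comment, keywords are case-insensitive,
# the FIRST occurrence wins, and the global section ends at the first Match
# block. Absent keyword -> OpenSSH's default "prohibit-password". Does not
# handle the "keyword=value" spelling or Include files; `sshd -T` on the host
# gives the authoritative answer, but it runs the very binary under suspicion.
effective_permit_root_login() {
    value=$(awk '
        { sub(/#.*/, "") }                                   # drop comments
        tolower($1) == "match" { exit }                      # end of global section
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    if [ -z "$value" ]; then value="prohibit-password"; fi
    printf '%s\n' "$value"
}

# audit_host BINARY MANIFEST CONFIG: human-readable report of both checks.
audit_host() {
    rc=0; sshd_binary_modified "$1" "$2" || rc=$?
    case $rc in
        0) echo "ALERT: $1 does not match the trusted hash (possible trojanized build)" ;;
        1) echo "ok: $1 matches the trusted hash" ;;
        *) echo "warn: $1 has no entry in $2" ;;
    esac
    prl=$(effective_permit_root_login "$3")
    if [ "$prl" = "yes" ]; then
        echo "ALERT: PermitRootLogin yes in $3 (password root login allowed)"
    else
        echo "ok: PermitRootLogin $prl in $3"
    fi
}

# Usage on a live host (the manifest path is an assumption):
#   . ./sshd_check.sh && audit_host /usr/sbin/sshd ./sshd.sha256 /etc/ssh/sshd_config
```

Two caveats follow from the report itself. Because the implant hides its own sessions from logging, the absence of suspicious entries in auth logs proves nothing; the binary hash is the check to trust. And because the implant runs as root, anything it could have altered on the host (the package manager's checksum database, `sshd -T` output from the replaced daemon) should be compared against a reference obtained from a clean machine.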