Exclusive: A criminal group using SSH TCP direct forward attack is also targeting Italian infrastruc

  • 4 March 2017
March 4, 2017  By Pierluigi Paganini
 

Exclusive: MalwareMustDie for Security Affairs released the list of the sites under attack. A criminal gang is using the SSH TCP direct forward attack technique.

Figure 1: The scheme adopted by a new threat
 
MalwareMustDie is back and has published its first post of 2017. The popular malware researcher has uncovered a cyber crime gang that is harvesting credentials and credit card numbers from major websites all around the world.
MMD has published a detailed analysis of the harvesting technique used by cyber criminals.
 
“A legitimate user who has authentication privilege on an existing SSH connection can forward the TCP protocol in a proxying mechanism. It’s an almost common practice nowadays, in a nutshell, especially for services that are meant to be viewed from a local network area,” wrote MMD.
“This threat’s definition is: the abuse of the legitimate usage of SSH TCP forwarding, by performing automatic or manual attacks on weak SSH accounts of remote devices (either servers or IoT), brute-forcing the accounts’ credentials or passwords, to perform a malicious set of TCP attacks via the TCP Direct Forward technique of the SSH forwarding functionality, utilizing this ‘force-accessed’ SSH connection against targeted remote services.”
 
Full Article
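As an added detection example (not part of the article or of MalwareMustDie's report): a Python script that correlates sshd logins with the direct-tcpip forward requests made in the same session and flags sessions that proxy to external hosts or fan out to many targets, marking password logins since the campaign gets its proxies by brute-forcing weak passwords. The log lines are constructed; the message formats are assumed to match OpenSSH (the direct_tcpip line is only logged at LogLevel DEBUG), and the internal range and threshold are placeholders.

```python
import re
import ipaddress
# Constructed sshd log excerpt (hypothetical host "gw", RFC 5737 addresses). Formats are
# assumed to match OpenSSH: "Accepted ..." is logged at the default LogLevel, the
# "server_request_direct_tcpip" line only when sshd runs with LogLevel DEBUG.
SAMPLE_LOG = """\
Mar  4 10:00:01 gw sshd[2231]: Accepted password for admin from 198.51.100.23 port 51002 ssh2
Mar  4 10:00:02 gw sshd[2231]: server_request_direct_tcpip: originator 127.0.0.1 port 40001, target 203.0.113.10 port 443
Mar  4 10:00:02 gw sshd[2231]: server_request_direct_tcpip: originator 127.0.0.1 port 40002, target 203.0.113.11 port 443
Mar  4 10:00:03 gw sshd[2231]: server_request_direct_tcpip: originator 127.0.0.1 port 40003, target 203.0.113.12 port 80
Mar  4 10:05:10 gw sshd[2290]: Accepted publickey for alice from 10.0.0.5 port 50123 ssh2
Mar  4 10:05:11 gw sshd[2290]: server_request_direct_tcpip: originator 127.0.0.1 port 40005, target 10.0.0.20 port 5432
"""

LOGIN_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
FWD_RE = re.compile(r"sshd\[(\d+)\]: server_request_direct_tcpip: .* target (\S+) port (\d+)")

def _is_internal(host, nets):
    try:
        return any(ipaddress.ip_address(host) in n for n in nets)
    except ValueError:  # a hostname rather than an address literal: treat as external
        return False

def parse_sessions(log):
    """Group direct-tcpip targets by sshd session (pid), tagged with the login that opened it."""
    sessions = {}
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            pid, method, user, src = m.groups()
            sessions[pid] = {"user": user, "method": method, "src": src, "targets": set()}
            continue
        m = FWD_RE.search(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)]["targets"].add((m.group(2), int(m.group(3))))
    return sessions

def flag_sessions(log, internal=("10.0.0.0/8",), max_hosts=3):
    """Flag sessions that forward outside the internal ranges or to >= max_hosts distinct hosts."""
    nets = [ipaddress.ip_network(n) for n in internal]
    findings = []
    for pid, s in parse_sessions(log).items():
        hosts = {h for h, _ in s["targets"]}
        external = sorted(h for h in hosts if not _is_internal(h, nets))
        if external or len(hosts) >= max_hosts:
            findings.append({"pid": pid, "user": s["user"], "src": s["src"],
                             "password_auth": s["method"] == "password",
                             "external_targets": external, "distinct_hosts": len(hosts)})
    return findings
```

Sessions that authenticated with a password and forward outward are the closest match to the abuse described above; setting `AllowTcpForwarding no` in sshd_config for accounts that do not need forwarding removes the capability entirely.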
