Internet of Things devices running on Linux have been targeted by the newly emergent PumaBot botnet in SSH brute-force attacks, according to Security Affairs.
The Go-based PumaBot brute-forces SSH credentials against a retrieved list of target IPs, then copies itself onto each compromised host, gathers system information, and hides its presence behind a bogus systemd service before running the XMRig cryptominer along with the ddaemon and networkxm binaries, a report from Darktrace showed. Further analysis found PumaBot targeting traffic cameras and surveillance systems produced by Pumatronix, and performing environment fingerprinting checks to avoid honeypots. "While [PumaBot] does not appear to propagate automatically like a traditional worm, it does maintain worm-like behavior by brute-forcing targets, suggesting a semi-automated botnet campaign focused on device compromise and long-term access," said Darktrace researchers, who urged organizations to defend against the botnet by auditing systemd services regularly, monitoring for atypical SSH login patterns, and restricting exposure of port 22.
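The two host-side checks Darktrace recommends, a systemd service audit and a look for atypical SSH login patterns, can be scripted. The following is an added example written for this brief, not code from Darktrace or from the PumaBot sample; the unit files, log lines, IP addresses and the "unusual directory" list are constructed for the demonstration, and the only binary names taken from the report are ddaemon, networkxm and xmrig.

```python
"""Added example: audit systemd units for suspicious ExecStart targets and
flag brute-force-then-success SSH login sequences in sshd log lines.
Everything below (units, log lines, IPs, directory list) is constructed."""
import re
from collections import defaultdict

# Binary names mentioned in the Darktrace report.
SUSPECT_BINARIES = {"ddaemon", "networkxm", "xmrig"}
# Assumed list of directories a legitimate system service rarely runs from.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")

# Matches the ExecStart= line of a unit, tolerating the "-" and "@" prefixes.
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*-?@?(\S+)", re.M)


def audit_unit(name, text):
    """Return the reasons a unit file looks suspicious (empty list if clean)."""
    reasons = []
    m = EXEC_RE.search(text)
    if not m:
        return reasons
    path = m.group(1)
    base = path.rsplit("/", 1)[-1]
    if base in SUSPECT_BINARIES:
        reasons.append(f"{name}: ExecStart runs known-bad binary name '{base}'")
    if path.startswith(SUSPECT_DIRS):
        reasons.append(f"{name}: ExecStart runs from unusual directory {path}")
    if "/." in path:
        reasons.append(f"{name}: ExecStart runs from hidden directory {path}")
    return reasons


# Constructed sample units: a benign one and one posing as a network helper.
SAMPLE_UNITS = {
    "cron.service": (
        "[Unit]\nDescription=Regular background program processing daemon\n"
        "[Service]\nExecStart=/usr/sbin/cron -f\n"
    ),
    "netcheck.service": (
        "[Unit]\nDescription=Network health check\n"
        "[Service]\nExecStart=/tmp/.x/networkxm\nRestart=always\n"
    ),
}

# sshd log patterns (auth.log / journal style).
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
OK_RE = re.compile(r"Accepted password for (\S+) from (\S+) port")


def detect_bruteforce(lines, threshold=5):
    """Return (ip, user, failures) for IPs whose accepted login follows
    at least `threshold` failed attempts from the same source."""
    fails = defaultdict(int)
    hits = []
    for line in lines:
        f = FAIL_RE.search(line)
        if f:
            fails[f.group(1)] += 1
            continue
        ok = OK_RE.search(line)
        if ok:
            user, ip = ok.groups()
            if fails[ip] >= threshold:
                hits.append((ip, user, fails[ip]))
    return hits


# Constructed log sample: six failures then a success from one IP,
# and a normal login from another.
SAMPLE_LOG = [
    f"May 28 10:01:{i:02d} cam1 sshd[1201]: Failed password for root from 203.0.113.7 port 5{i}0 ssh2"
    for i in range(6)
] + [
    "May 28 10:01:09 cam1 sshd[1201]: Accepted password for root from 203.0.113.7 port 560 ssh2",
    "May 28 10:05:00 cam1 sshd[1300]: Failed password for admin from 198.51.100.4 port 4001 ssh2",
    "May 28 10:05:03 cam1 sshd[1300]: Accepted password for admin from 198.51.100.4 port 4001 ssh2",
]

if __name__ == "__main__":
    for unit_name, body in SAMPLE_UNITS.items():
        for reason in audit_unit(unit_name, body):
            print("UNIT:", reason)
    for ip, user, n in detect_bruteforce(SAMPLE_LOG):
        print(f"SSH: {ip} logged in as {user} after {n} failures")
```

On a real host the unit bodies would come from `/etc/systemd/system` and `/lib/systemd/system` and the log lines from `journalctl -u ssh` or `/var/log/auth.log`; the brute-force threshold is a tuning knob, and a success following any failures from an unknown address on a device that should only see key-based logins is itself worth an alert.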