Mining Trojans reappear, 140,000 Linux-based devices attacked, Guangdong Province is the hardest hit

According to the news from the mining website, yesterday (August 21), Tencent Yujian Threat Intelligence Center released a message that Tencent security experts found that the Tencent Yujie advanced threat detection system deployed by a certain enterprise customer had SSH service compromise information during routine security inspections for a certain enterprise customer. After investigation, it was found that the attack was launched by the large mining botnet WannaMine: after the attacker successfully cracked the SSH weak password, the shell backdoor and brootkit backdoor program were implanted, and spread horizontally in the intranet through SSH. The victim machine received remote commands to install (including but not limited to) mining trojans and DDoS attack modules.

SSH stands for Secure Shell, and it is now one of the main protocols for accessing network devices and servers over the Internet. SSH is mainly used on all popular operating systems, such as Unix, Solaris, Red-Hat Linux, CentOS, and Ubuntu. SSH uses port number 22 by default. We searched for devices with port 22 open through zoomeye and found that there are more than 100 million devices in the world that have opened this port, which means that more than 100 million devices are likely to be attacked by brute force.

According to monitoring data from Tencent Security's Yujian Threat Intelligence Center, WannaMine has shown a new rapid growth trend in China since June 2019, and has currently affected nearly 140,000 devices.

The top three virus-infected regions are Guangdong (20.3%), Jiangsu (7.7%), and Zhejiang (7%).

Distribution of WannaMine virus victims