Researchers say the victims are systems with weak SSH password authentication.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

A newly discovered botnet called SSHStalker has compromised at least 7,000 Linux servers by brute-forcing weak SSH password authentication. The botnet uses IRC-based command and control, exploits Linux kernel vulnerabilities dating back to 2009, and maintains persistence through backdoors and rootkits. While it hasn't yet monetized access through DDoS or cryptomining, researchers warn it could activate at any time. The primary defense is disabling SSH password authentication in favor of key-based authentication, implementing rate limiting, and removing legacy Linux systems with kernel 2.6 versions. Security experts emphasize this incident highlights the continued importance of basic security fundamentals over chasing advanced threats.

SSHStalker botnet brute-forces its way onto 7,000 Linux machines