A Chinese hacking group, known as Evasive Panda (or DaggerFly), has found a new way to attack Linux-based network devices. By injecting malware into the SSH (Secure Shell) daemon, the group gains a hidden foothold on the device that lets it run tasks and steal data over a long period. The campaign shows how sophisticated targeted intrusions have become and how exposed some network devices remain.
The Attack Method: ELF/Sshdinjector.A!tr
The group uses a malicious tool named “ELF/Sshdinjector.A!tr,” which has been in use for targeted attacks since mid-November 2024, according to Bleeping Computer. The attack starts by breaking into a Linux-based network device, though the initial access method is still not clear. Once inside, the dropper checks whether the system is already infected and whether it is running with root privileges. If both conditions are met, it places several malicious files onto the device.
A key part of the attack is a malicious SSH library file, libsshd.so, which is injected into the SSH daemon. This file acts as a backdoor, letting the attackers send commands and exfiltrate data. Other files, such as mainpasteheader and selfrecoverheader, help the malware persist on the device.
Complete System Takeover
The injected SSH library grants the attackers extensive control over the infected device. They can execute up to 15 different commands, including:
- Collecting system information such as host names, MAC addresses, and hardware details.
- Reading sensitive files like the password file (/etc/shadow) and system logs (/var/log/dmesg).
- Uploading and downloading files, listing directories, and renaming files.
- Opening a remote shell for direct system access.
This level of control allows the attackers to monitor processes, execute remote commands, and use the compromised devices as launchpads for further attacks.
Implications for Network Security
The Evasive Panda group’s skill in taking over SSH daemons shows how vital it is to secure network devices. SSH, often seen as a safe protocol, can turn into a weak spot if not set up or updated correctly. This attack also points out the need for strong tools to watch and spot odd actions on network devices.
Protecting Against Such Attacks
To mitigate the risk of similar attacks, organizations should:
- Regularly update and patch network devices to address known vulnerabilities.
- Implement strong authentication mechanisms, such as multi-factor authentication (MFA), for SSH access.
- Monitor SSH logs for unusual activity, such as unexpected root access or unauthorized file modifications.
- Use intrusion detection systems (IDS) to identify and block malicious traffic.
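One concrete way to act on the "monitor for unauthorized file modifications" advice is to audit which shared objects are actually mapped into the running SSH daemon, since the injected library described above has to be loaded into sshd to work. The script below is an added example, not code from the article or from the researchers; it assumes a Linux host with the usual /proc layout, and the suspicious file names it looks for are taken from the article.

```python
"""Audit the shared objects mapped into running sshd processes.

A library mapped into sshd from outside the standard system library
directories, or one whose name matches the files named in the report
above, is worth investigating.
"""
import os

# Directories where legitimate sshd dependencies are expected to live.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/libexec")

# File names taken from the article; everything else is judged by location.
KNOWN_BAD_NAMES = {"libsshd.so", "mainpasteheader", "selfrecoverheader"}


def mapped_files(maps_text):
    """Return the unique file-backed paths in /proc/<pid>/maps text, in order."""
    seen = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # address perms offset dev inode path
        if len(parts) == 6 and parts[5].startswith("/") and parts[5] not in seen:
            seen.append(parts[5])
    return seen


def suspicious_libraries(maps_text):
    """Flag mapped .so files outside trusted dirs or carrying a known-bad name."""
    flagged = []
    for path in mapped_files(maps_text):
        name = os.path.basename(path)
        in_trusted = any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
        if name in KNOWN_BAD_NAMES or (".so" in name and not in_trusted):
            flagged.append(path)
    return flagged


def audit_running_sshd():
    """Map each sshd PID on this host to its list of flagged libraries."""
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() != "sshd":
                    continue
            with open(f"/proc/{pid}/maps") as f:
                results[int(pid)] = suspicious_libraries(f.read())
        except OSError:
            continue                         # process exited or not ours to read
    return results


if __name__ == "__main__":
    for pid, libs in audit_running_sshd().items():
        print(pid, "SUSPICIOUS" if libs else "clean", libs)
```

Run it as root on the device (or against a copied /proc/<pid>/maps from a suspect host) and compare any flagged path against the package manager's file list before treating it as an infection.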
The Evasive Panda group’s latest campaign serves as a stark reminder of the evolving threat landscape. As attackers continue to develop advanced techniques, organizations must remain vigilant and proactive in securing their networks.