Executive Summary
In early 2024, a DShield honeypot operated as part of the SANS.edu BACS program detected a cryptojacking and botnet campaign that used SSH password spraying as its initial access vector. The attackers, suspected to be affiliated with the Outlaw cybercrime group, gained access to exposed Linux hosts and ran automated enumeration scripts to judge whether each system was worth using for botnet or cryptomining operations. Persistent SSH backdoors and the transfer of malware identified as both a Trojan and a miner were then observed, suggesting the compromised servers were targeted for resource abuse and for brokering to other cybercriminals for further exploitation.
This incident highlights the ongoing trend of cybercrime groups specializing in initial access brokerage and automating compromise through credential attacks and script-based post-exploitation. Password-based SSH, exposed management interfaces, and unmonitored east-west traffic continue to enable rapid propagation of botnets that monetize vulnerable cloud and on-premises workloads, so organizations should treat all three as standing risks.
Why This Matters Now
The rise of initial access brokers and of automation in cryptojacking and botnet deployment means an exposed host can be compromised within minutes of appearing online unless detection is in place. As attacker techniques and monetization models continue to evolve, proactive incident response, segmentation, and credential hardening are crucial to close the common gaps before actors like Outlaw can capitalize on them.
Attack Path Analysis
The attacker gained initial access via SSH password spraying, then enumerated the system and its users to assess the host's value and prepare a foothold. Persistence was established through SSH mechanisms, and preparatory steps were taken toward privilege escalation and full control of the machine. No evidence indicated extensive lateral movement beyond reconnaissance, although the foothold could have been used for internal pivoting. A cryptominer and botnet malware were transferred and executed, and both communicated with external command and control infrastructure. No direct data exfiltration was highlighted; the outbound traffic served botnet tasking and monetization. The impact included resource theft (cryptojacking), likely participation in DDoS activity, and a compromised host that initial access brokers (IABs) could resell.
Kill Chain Progression
Initial Compromise
Description
The attacker used SSH password spraying to gain remote access, then ran enumeration scripts to gather host and user data.
Related CVEs
Both CVEs below are local privilege-escalation flaws in the Linux kernel. They are not the SSH access vector; they are the kind of bug an attacker tries after obtaining a low-privileged shell on an unpatched host, which is why they appear alongside the preparatory privilege-escalation activity noted above.
CVE-2016-8655
CVSS 7.8. A race condition in the af_packet implementation in the Linux kernel allows local users to gain privileges via a crafted application.
Affected Products: Linux Kernel < 4.8.7
Exploit Status: exploited in the wild
CVE-2016-5195 (Dirty COW)
CVSS 7.8. A race condition in the memory manager in the Linux kernel allows local users to gain privileges by leveraging incorrect handling of copy-on-write (COW) breakage.
Affected Products: Linux Kernel < 4.8.3
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
ATT&CK techniques mapped to this incident for filtering and future enrichment; coverage is illustrative and can be further refined for advanced detection engineering.
Brute Force: Password Spraying
Valid Accounts: SSH
System Information Discovery
Command and Scripting Interpreter: Unix Shell
Lateral Tool Transfer
Indicator Removal on Host: File Deletion
Account Manipulation: SSH Authorized Keys
Resource Hijacking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Non-console Administrative Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA (Digital Operational Resilience Act) – ICT Risk Management Measures
Control ID: Chapter II, Article 8
CISA Zero Trust Maturity Model 2.0 – Strong Authentication and Access Segmentation
Control ID: Identity Pillar – Policy Enforcement
NIS2 Directive – Technical and Organizational Measures – Access Control
Control ID: Article 21(2)(i)
Sector Implications
Industry-specific impact of this campaign, including operational, regulatory, and cloud security risks.
Information Technology/IT
SSH-based cryptojacking attacks targeting cloud infrastructure pose severe risks to service availability, requiring enhanced zero trust segmentation and encrypted traffic monitoring capabilities.
Financial Services
Botnet infiltration through SSH compromise threatens transaction processing systems, demanding strict egress security controls and compliance with PCI data protection requirements.
Health Care / Life Sciences
Initial access broker activities exploit remote access vulnerabilities in healthcare networks, necessitating HIPAA-compliant east-west traffic security and threat detection systems.
Cloud Computing/SaaS
Automated enumeration scripts targeting DigitalOcean infrastructure highlight the need for multicloud visibility and for Kubernetes security controls among container-based service providers.
Sources
- Battling Cryptojacking, Botnets, and IABs [Guest Diary] (Thu, Jan 15th): https://isc.sans.edu/diary/rss/32632
- Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers: https://thehackernews.com/2025/04/outlaw-group-uses-ssh-brute-force-to.html
- Outlaw Botnet Targets Linux, Exploiting Weak SSH Credentials: https://www.technadu.com/outlaw-botnet-targets-linux-systems-exploiting-weak-or-default-ssh-credentials/590436/
- Outlaw Botnet: Targets Weak SSH Servers for Cryptocurrency Mining: https://www.thecybersyrup.com/p/outlaw-botnet-targets-weak-ssh-servers-for-cryptocurrency-mining
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmented network controls, east-west traffic visibility, and egress policy enforcement could have detected the credential-based attack, blocked lateral movement, and restricted the botnet's ability to communicate externally or propagate. CNSF's integrated threat detection and workload zoning capabilities could have isolated the compromised host and constrained the impact.
Control: Zero Trust Segmentation
Mitigation: Restricts remote SSH access to trusted management endpoints only.
Control: Threat Detection & Anomaly Response
Mitigation: Detects anomalous changes to authentication files (such as authorized_keys) and privilege escalation behavior.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized east-west movement within cloud or hybrid environments.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks malicious outbound C2 traffic and mining pool communications.
Control: Multicloud Visibility & Control
Mitigation: Enables rapid detection of unauthorized outbound connections from a compromised workload, whether C2, mining, or exfiltration.
Together, these controls reduce the blast radius by isolating the affected workload and enforcing real-time runtime security policies.
Impact at a Glance
Affected Business Functions
- IT Infrastructure
- Data Processing
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive system configurations and user credentials due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and identity-based policies to minimize remote access exposure and lateral movement risk.
- Deploy continuous network threat detection and anomaly response to rapidly identify credential abuse, suspicious file changes, and unauthorized system activities.
- Implement east-west and egress controls to restrict malware communication and block unauthorized outbound traffic in all cloud and hybrid environments.
- Centralize logging, visibility, and policy management across multicloud infrastructure to enable effective threat hunting and accelerated incident response.
- Routinely audit authentication mechanisms, enforce MFA for privileged access, and combine runtime monitoring with rapid isolation workflows for compromised workloads.
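As an added example of the authentication auditing the last item calls for (and of the "anomalous changes to authentication files" detection described in the CNSF section), the block below checks an sshd_config against a hardened baseline and rewrites it, then diffs an authorized_keys file against a known-good copy to surface the kind of backdoor key this report describes. It is not code from the ISC diary, from the cited sources, or from the CNSF product. The configuration text, the key blobs (placeholders, not valid keys), and the AllowUsers account name ops-admin are constructed assumptions.

```python
import re

# Constructed sshd_config showing the permissive settings that make SSH password
# spraying viable (example input, not the incident host's real configuration).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
"""

# Hardened target values. "ops-admin" is an assumed management account name.
HARDENED_DIRECTIVES = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "KbdInteractiveAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "3",
    "AllowUsers": "ops-admin",
}

# Constructed authorized_keys contents; the blobs are placeholders, not real keys.
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaselinePlaceholderKeyAlice alice@laptop\n"
CURRENT_KEYS = BASELINE_KEYS + (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCInjectedPlaceholderKey unknown\n"
)

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(.+?)\s*$")
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_sshd_config(text):
    """Return {directive(lowercased): value}. sshd keeps the FIRST value it reads for a
    directive, so later duplicates are ignored here too. Match blocks are out of scope:
    a directive inside one would be read as global by this simple parser."""
    seen = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line.split("#", 1)[0])   # strip trailing comments
        if m and m.group(1).lower() not in seen:
            seen[m.group(1).lower()] = m.group(2)
    return seen


def audit_sshd_config(text, expected=HARDENED_DIRECTIVES):
    """List (directive, current_value_or_None, expected_value) for every deviation."""
    current = parse_sshd_config(text)
    return [(d, current.get(d.lower()), v)
            for d, v in expected.items() if current.get(d.lower()) != v]


def harden_sshd_config(text, expected=HARDENED_DIRECTIVES):
    """Rewrite the first occurrence of each expected directive to the hardened value,
    comment out later duplicates, and append any directive that was missing."""
    canon = {k.lower(): k for k in expected}
    out, done = [], set()
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line.split("#", 1)[0])
        key = m.group(1).lower() if m else None
        if key in canon:
            if key in done:
                out.append("# " + line)   # first value wins in sshd; keep only one
            else:
                out.append(f"{canon[key]} {expected[canon[key]]}")
                done.add(key)
            continue
        out.append(line)
    for key, name in canon.items():
        if key not in done:
            out.append(f"{name} {expected[name]}")
    return "\n".join(out) + "\n"


def parse_authorized_keys(text):
    """Return {(key_type, key_blob): (options, comment)}. Options, if any, precede the
    key type, so the key type is found by prefix rather than by position."""
    keys = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        keys[(parts[idx], parts[idx + 1])] = (" ".join(parts[:idx]), " ".join(parts[idx + 2:]))
    return keys


def diff_authorized_keys(baseline_text, current_text):
    """Report keys added to or removed from authorized_keys relative to a known-good
    baseline; an added key is the classic SSH persistence backdoor."""
    base, cur = parse_authorized_keys(baseline_text), parse_authorized_keys(current_text)
    return {
        "added": [(k, cur[k][1]) for k in cur if k not in base],
        "removed": [(k, base[k][1]) for k in base if k not in cur],
    }


if __name__ == "__main__":
    print("deviations:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print(harden_sshd_config(WEAK_SSHD_CONFIG))
    print("authorized_keys diff:", diff_authorized_keys(BASELINE_KEYS, CURRENT_KEYS))
```

Run against the weak sample, the audit reports root login, password authentication, and the missing rate-limit and allow-list directives; after hardening, the audit is clean and the authorized_keys diff isolates the one injected key. The baseline for the key diff should come from configuration management or a signed snapshot, not from the host itself, since an attacker with write access to the file can also rewrite any local copy.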

