Threat Watch

KmsdBot Exploiting Weak Login Credentials to Spread Cryptominers and Launch DDoS Attacks

On Thursday Akamai’s Security Intelligence Response Team (SIRT) released a write-up about a new botnet that had infected their honeypot. KmsdBot, as named by the SIRT, gains initial entry via SSH and then attempts several different methods of downloading the malware, including File Transfer Protocol (FTP) and cURL. From there, the bot establishes command and control (C2), where the attacker can determine whether the infected machine will participate in a Distributed Denial of Service (DDoS) attack or run its cryptominer.


Companies can best protect themselves from this sort of attack by blocking all SSH traffic from external sources. When SSH must be exposed to public internet, use SSH keys instead of passwords, and limit which public IP addresses can establish connections. Additionally, companies should consider blocking all inbound and outbound FTP traffic and limit which public IP addresses can establish FTP sessions if FTP must be allowed. For detecting C2, companies can use tools like RITA to analyze NetFlow data and identify beaconing traffic. Finally, establishing a baseline of resource utilization and network traffic can help in developing alerts for unusual network activity or hardware use, which may function as an indicator of botnet activity or cryptominers.