
Four Seconds to Botnet - Analyzing a Self Propagating SSH Worm with Cryptographically Signed C2 [Guest Diary], (Wed, Feb 11th)

0
Medium
Vulnerability
Published: Thu Feb 12 2026 (02/12/2026, 01:56:24 UTC)
Source: SANS ISC Handlers Diary

Description

[This is a Guest Diary by Johnathan Husch, an ISC intern as part of the SANS.edu BACS program]

AI-Powered Analysis

Last updated: 02/12/2026, 02:00:51 UTC

Technical Analysis

This threat involves a sophisticated self-propagating SSH worm that targets Linux devices, notably Raspberry Pi systems, by exploiting weak or default SSH credentials. The attack begins with a brute-force login attempt using common default credentials such as 'pi/raspberry' and 'pi/raspberryraspberry993311'. Upon successful authentication, the attacker uploads a small 4.7KB bash script via SCP, which is executed immediately to establish persistence. The script kills competing malware processes and modifies the hosts file to redirect a known command and control (C2) server to the loopback address, ensuring exclusive control. The worm connects to multiple IRC networks and channels, using an embedded RSA key to cryptographically verify commands from the C2 operator, enhancing operational security and preventing hijacking. The infected device then installs scanning tools like zmap and sshpass to identify other vulnerable devices by scanning 100,000 random IP addresses for open SSH ports. For each discovered device, the worm attempts the same credential brute forcing to propagate. The entire infection cycle—from initial connection to scanning for new targets—completes in under four seconds, demonstrating high automation and speed. Although no cryptominer was deployed during the observed attack, the worm’s design allows the C2 server to issue commands to install additional payloads, including cryptominers. The attack originated from an IP address associated with a German ISP, and the use of a Raspbian SSH client suggests the attacker’s infrastructure includes compromised Raspberry Pi devices. The worm’s reliance on default credentials, lack of SSH key enforcement, and absence of brute force protections like fail2ban make it highly effective against poorly secured IoT and Linux devices. This incident underscores the critical need for security hardening even on small or hobbyist Linux devices.
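Two of the host-side traces described above can be checked from a defender's side: a password login to a default account that lands right after a burst of failures from the same source, and a public hostname pinned to loopback in /etc/hosts. The following is an added example written for this page, not code from the diary or the ISC; the log lines, hostnames and IP addresses are constructed, and the default-account list and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the diary): two failed password
# logins for 'pi' followed by a success from the same IP two seconds later.
SAMPLE_LOG = """\
Feb 11 10:15:01 pi sshd[1201]: Failed password for pi from 203.0.113.5 port 51000 ssh2
Feb 11 10:15:02 pi sshd[1202]: Failed password for pi from 203.0.113.5 port 51001 ssh2
Feb 11 10:15:03 pi sshd[1203]: Accepted password for pi from 203.0.113.5 port 51002 ssh2
Feb 11 10:20:00 pi sshd[1300]: Accepted publickey for admin from 198.51.100.9 port 40000 ssh2
"""

DEFAULT_USERS = {"pi", "root", "admin"}  # assumed set of accounts shipped with default passwords
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def _ts(stamp, year=2026):
    # syslog timestamps carry no year; assume the current one
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bruteforce_logins(log_text, window_s=60, min_failures=2):
    """Return (user, ip, failures) for each password login to a default account
    that followed at least min_failures failures from the same IP within window_s."""
    failures = defaultdict(list)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key, t = (m["user"], m["ip"]), _ts(m["ts"])
        if m["result"] == "Failed":
            failures[key].append(t)
        elif m["method"] == "password" and m["user"] in DEFAULT_USERS:
            recent = [f for f in failures[key] if (t - f).total_seconds() <= window_s]
            if len(recent) >= min_failures:
                hits.append((m["user"], m["ip"], len(recent)))
    return hits

# Constructed /etc/hosts content: a non-local name pinned to loopback, the
# edit the diary describes for locking a competing C2 out of the host.
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost ip6-localhost\n127.0.0.1 c2.example.net\n"
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def find_loopback_pins(hosts_text):
    """Hostnames mapped to 127.0.0.1 or ::1 that are not the usual local names."""
    pins = []
    for line in hosts_text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1"):
            pins += [h for h in parts[1:] if h not in LOCAL_NAMES]
    return pins
```

Run against /var/log/auth.log (or journalctl -u ssh output) and /etc/hosts, a hit from the first function combined with a pin from the second is a strong sign the device should be isolated rather than cleaned in place.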

Potential Impact

For European organizations, this worm poses a significant threat to any Linux-based infrastructure, particularly IoT devices and Raspberry Pi deployments that are exposed to the internet with default or weak SSH credentials. Successful compromise results in full system control by the attacker, persistent backdoors, and the device becoming part of a botnet capable of further propagation and potentially launching additional malicious activities such as cryptomining or distributed denial-of-service (DDoS) attacks. The rapid infection cycle means outbreaks can escalate quickly, overwhelming incident response capabilities. The worm’s ability to kill competing malware and alter system files complicates remediation efforts. Organizations relying on Raspberry Pi devices for operational technology, edge computing, or educational purposes are especially vulnerable. The threat also risks undermining trust in IoT deployments and could lead to significant operational disruptions, data breaches, and increased costs related to incident response and remediation. Given the attack’s origin in Germany and the widespread use of Raspberry Pi devices across Europe, the potential for regional spread is high.

Mitigation Recommendations

1. Disable password-based SSH authentication entirely and enforce SSH key-based authentication to prevent brute-force attacks.
2. Remove or rename default users such as 'pi' on Raspberry Pi devices to eliminate common attack vectors.
3. Deploy and properly configure brute force protection tools like fail2ban to detect and block repeated failed login attempts.
4. Implement strict network segmentation to isolate IoT and Linux devices from critical infrastructure and limit lateral movement.
5. Regularly update and patch all Linux devices, including IoT endpoints, to reduce vulnerabilities.
6. Monitor network traffic for unusual scanning activity, especially large-scale port 22 scans, and block suspicious IP addresses.
7. Employ host-based intrusion detection systems (HIDS) to detect unauthorized file modifications and persistence mechanisms.
8. Educate users and administrators on the risks of default credentials and the importance of secure configurations.
9. Audit and restrict outbound connections from IoT devices to prevent unauthorized C2 communications.
10. Maintain incident response plans that include rapid isolation and remediation procedures for compromised devices.


Technical Details

Article Source: https://isc.sans.edu/diary/rss/32708 (fetched 2026-02-12T02:00:30.909Z, 819 words)

Threat ID: 698d343e4b57a58fa1678c18

Added to database: 2/12/2026, 2:00:30 AM

Last enriched: 2/12/2026, 2:00:51 AM

Last updated: 2/12/2026, 1:27:04 PM

Views: 13
