Status: PASSED
Scenario: security / brute_force_ssh_attack

Brute Force SSH Attack — Distributed Botnet

A distributed botnet launches a coordinated brute force SSH attack against the organization's public-facing servers. Over 50,000 login attempts per hour from 2,000+ unique IP addresses. Several service accounts with weak passwords are compromised. The attackers establish reverse shells on 3 servers.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 85%
Remediation: Remote Hands

Test Results

Metric                | Expected      | Actual
Pattern Recognition   | UNKNOWN       | UNKNOWN
Severity Assessment   | CRITICAL      | CRITICAL
Incident Correlation  | Yes           | 51 linked
Cascade Escalation    | Yes           | Yes
Remediation           | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

15 public-facing Linux servers with SSH on port 22. No fail2ban or rate limiting configured. 3 service accounts with weak passwords compromised. Reverse shell connections established to C2 server at 185.243.115.x. 50,000 auth attempts/hour from 2,000 IPs.

Injected Error Messages (4)

SIEM alert: distributed SSH brute force attack in progress — 52,847 failed SSH login attempts in the last hour from 2,134 unique source IPs, GeoIP: 45% Russia, 30% China, 25% Brazil, attack pattern: credential stuffing with common service account names (deploy, jenkins, backup, ansible), 3 successful authentications detected from suspicious IPs, MITRE ATT&CK: T1110.001 Brute Force: Password Guessing
web-prod-01 compromised — successful SSH login from 185.243.115.47 as user 'deploy' at 03:27 UTC, suspicious process spawned: '/bin/sh -i' (reverse shell), outbound connection established to 185.243.115.12:4444, /var/log/auth.log showing 4,200 failed attempts before successful login, passwd file modification detected, new user 'svc_update' created with UID 0
app-prod-03 compromised — SSH login from 185.243.115.91 as user 'backup' (weak password), lateral movement detected: SSH connections from app-prod-03 to internal hosts 10.10.100.40 and 10.10.100.41, privilege escalation attempt via kernel exploit (CVE-2024-1086), crontab modified: reverse shell persistence established, /etc/shadow exfiltrated
Edge perimeter under heavy SSH scanning — 50K+ connection attempts per hour to port 22 across all public IPs, connection tracking table at 89% capacity, legitimate SSH connections experiencing delays, no geo-IP blocking or rate limiting rules active on edge perimeter, IDS signature hits: 12,847 'ET SCAN SSH Brute Force' alerts in 1 hour

Neural Engine Root Cause Analysis

The Wazuh SIEM manager is likely overwhelmed by the massive distributed SSH brute force attack it is monitoring and alerting on. With 52,847 failed login attempts from 2,134 unique IPs each generating alerts, the SIEM has probably exhausted its processing capacity, memory, or storage. The 16 correlated incidents point to a cascading failure: the attack has affected multiple systems, and the SIEM itself has become a victim while processing and alerting on the attack patterns.

Remediation Plan

1. Immediately implement IP-based rate limiting and blocking for SSH services across all monitored systems
2. Deploy emergency firewall rules to block traffic from Russia, China, and Brazil IP ranges temporarily
3. Restart Wazuh manager service and check system resources (CPU, memory, disk)
4. Increase Wazuh processing capacity and tune alert thresholds
5. Investigate the 3 successful authentications from suspicious IPs and rotate compromised credentials
6. Implement fail2ban or similar intrusion prevention on all SSH-enabled systems

Tested: 2026-03-30 | Monitors: 4 | Incidents: 4 | Test ID: cmncjvyhv0563obqecbpeadrp