KmsdBot Exploiting Weak Login Credentials to Spread Cryptominers and Launch DDoS Attacks

Companies can best protect themselves from this sort of attack by blocking all SSH traffic from external sources. When SSH must be exposed to the public internet, use SSH keys instead of passwords and limit which public IP addresses can establish connections. Additionally, companies should consider blocking all inbound and outbound FTP traffic and, if FTP must be allowed, limiting which public IP addresses can establish FTP sessions. For detecting C2, companies can use tools like RITA to analyze NetFlow data and identify beaconing traffic. Finally, establishing a baseline of resource utilization and network traffic helps in developing alerts for unusual network activity or hardware use, which may serve as an indicator of botnet activity or cryptominers.
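To illustrate the beaconing-detection idea above, here is an added Python example (not code from the article, from RITA, or from the KmsdBot write-up) that groups constructed NetFlow-style records by source, destination and port and flags pairs whose connection intervals are machine-regular; the thresholds, addresses and timestamps are assumptions made for the demonstration.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style records: (epoch seconds, src, dst, dst port).
# 10.0.0.5 connects to 203.0.113.10:443 roughly every 60 s (beacon-like);
# 10.0.0.7 reaches 198.51.100.20:443 at irregular, human-like intervals.
_JITTER = [0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 1, 0]
FLOWS = [(600 + 60 * i + _JITTER[i % len(_JITTER)], "10.0.0.5", "203.0.113.10", 443)
         for i in range(24)]
FLOWS += [(t, "10.0.0.7", "198.51.100.20", 443)
          for t in (610, 640, 1300, 1325, 1330, 2900, 3100, 3105, 4000, 5250, 5260, 5900)]

MIN_CONNECTIONS = 10   # with fewer flows the interval statistics are not meaningful
MAX_CV = 0.15          # coefficient of variation of the gaps; low means machine-regular


def interval_stats(timestamps):
    """Return (count, mean_gap, cv) for the connection times of one src/dst/port pair."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return len(ts), mean, cv


def find_beacons(flows, min_conns=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Group flows by (src, dst, dport) and return the pairs whose timing looks beacon-like."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        count, mean, cv = interval_stats(times)
        if count >= min_conns and cv is not None and cv <= max_cv:
            hits[pair] = {"connections": count,
                          "mean_interval": round(mean, 1),
                          "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst, dport), info in find_beacons(FLOWS).items():
        print(f"beacon candidate {src} -> {dst}:{dport} {info}")
```

Real deployments add a minimum observation window and whitelist known periodic services (NTP, update checks) before alerting.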

https://thehackernews.com/2022/11/new-kmsdbot-malware-hijacking-systems.html