A close collaboration between cybercrime and APT groups attacking SSH machine identities is creating a new generation of backdoored machines.
Commoditised malware that plants powerful, hidden backdoors is becoming commonplace, researchers from Venafi have warned. Their research shows that attackers are abusing SSH machine identities, the keys with which machines authenticate to one another, in their attacks. The researchers note that this is the same technique that was used to damage the Ukrainian power grid in 2016.
SSH is a protocol that provides an encrypted, authenticated connection between two networked machines, enabling data exchange and remote administration. It is what lets computers running in cloud environments and connected IoT devices be managed remotely while access to them is controlled by keys rather than passwords.
This makes SSH identities very valuable to attackers: a stolen or planted SSH key can be used to gain undetected access to critical systems. Attackers can then circumvent security controls, tamper with data, switch off encryption or install persistent malware to be used on a future occasion.
Typically the malware adds the attacker's public key to the victim's authorized_keys file (for OpenSSH, ~/.ssh/authorized_keys of the targeted account), so that the SSH daemon trusts the key and the attacker can log in to the machine at will.
In other cases the malware runs a "brute force" attack against weak SSH authentication, guessing passwords for accounts that still allow password login, to gain access to the target computer.
Once access is gained the attacker can move laterally across the network and infect further machines.
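The brute-force route leaves a distinctive trail in the sshd log: a burst of "Failed password" lines from one source, sometimes followed by an "Accepted" from the same address. The script below is an added example (not Venafi's code) of detection logic run over constructed sample lines in the default syslog format OpenSSH sshd writes; the hostnames, PIDs, users and documentation-range IPs are made up, and the `threshold`, `window` and `year` parameters are assumptions you would tune for your environment.

```python
"""Added example: flag SSH password brute-forcing in sshd auth-log lines.

Not Venafi's code. Log lines below are constructed in the default syslog
format OpenSSH sshd writes; IPs are from documentation ranges."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one attacker (203.0.113.5) guessing passwords for two
# accounts and finally getting in; one legitimate user with a single typo.
SAMPLE_LOG = """\
Mar  3 02:11:01 web1 sshd[4411]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 02:11:03 web1 sshd[4411]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 02:11:04 web1 sshd[4413]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 02:11:06 web1 sshd[4415]: Failed password for root from 203.0.113.5 port 51038 ssh2
Mar  3 02:11:09 web1 sshd[4417]: Failed password for root from 203.0.113.5 port 51040 ssh2
Mar  3 02:11:12 web1 sshd[4419]: Accepted password for root from 203.0.113.5 port 51044 ssh2
Mar  3 02:30:00 web1 sshd[4501]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2: ED25519 SHA256:AAAA
Mar  3 02:45:10 web1 sshd[4601]: Failed password for deploy from 198.51.100.7 port 40200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(text, year=2020):
    """Return [(timestamp, result, method, user, ip)] for every line sshd
    logged as an authentication outcome. Syslog timestamps carry no year,
    so the caller supplies it (assumed 2020 for the constructed sample)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: report} for source IPs with at least `threshold` failed
    logins inside any `window`. An 'Accepted' from the same IP within one
    window after the burst is reported as a likely successful guess, which
    is the event that matters for incident response."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)
    reports = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        start = 0
        for end in range(len(fails)):            # sliding window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                success = [e for e in evs
                           if e[1] == "Accepted" and burst_end <= e[0] <= burst_end + window]
                reports[ip] = {
                    "failures": end - start + 1,
                    "users": sorted({e[3] for e in fails[start:end + 1]}),
                    "success_after": [(e[3], e[2]) for e in success],
                }
                break
    return reports

if __name__ == "__main__":
    for ip, rep in find_brute_force(parse_events(SAMPLE_LOG)).items():
        print(ip, rep)
```

On the sample, only 203.0.113.5 is reported (five failures in eight seconds against `admin` and `root`, then an accepted password login as `root`); the single typo from 198.51.100.7 stays below the threshold. The durable fix for this class of attack is to stop accepting passwords at all (`PasswordAuthentication no` and `PermitRootLogin prohibit-password` in sshd_config), after which the detection above only ever fires on hosts where someone re-enabled them.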
Recent cyber attacks using SSH
Some recent examples of successful malware campaigns that leveraged SSH machine identities include:
- TrickBot: Originally a banking trojan that first appeared in 2016, it is now offered on the dark web "as-a-service" to criminals. It is modular, with modules built for specific criminal activities, and incorporates features ranging from network profiling and mass data collection to lateral movement exploits.
- CryptoSink: This cryptomining malware hijacks a victim's computer and uses its processing power to mine cryptocurrency. CryptoSink creates a backdoor into the targeted server by adding the attacker's public key to the authorized_keys file on the victim's machine.
- Linux Worm: Another type of cryptomining malware, aimed at the Monero cryptocurrency.
- Skidmap: Malware that gains backdoor access to a targeted machine by adding the attacker's SSH key to the list of authorized keys. It is used to gain administrative access to systems, typically to install cryptomining malware.
SSH attacks are often used for cryptomining. But Yana Blachman, a threat intelligence specialist at Venafi, points out that the threat goes further than this. “Until recently”, she points out, “only the most sophisticated, well-financed hacking groups had this kind of capability. Now, we’re seeing a trickle-down effect, where SSH capabilities are becoming commoditized. What makes this so worrying is that if an attacker is able to backdoor a potentially interesting target, they may monetize this access and sell it to sophisticated attackers, such as nation states, for the purpose of cyberespionage or cyberwarfare.”
This is already happening with the TrickBot malware, available as a 'bot-as-a-service' on the Dark Web together with a full tool set.
Defending against SSH attacks
SSH keys never expire, and because of poor security management many organizations have no way of knowing which SSH keys are being used for a specific action or task. In fact, recent research shows that only ten per cent of organizations believe they have complete and accurate intelligence over all of their SSH machine identities, raising the risk that SSH keys will be misused or stolen.
However, organisations can defend against SSH attacks by properly managing all of the SSH keys on their network, including in the cloud. With a complete inventory of legitimate keys they will be able to spot malicious ones.
In addition, organizations must address the importance of Machine Identity Protection for SSH keys, which is rarely part of an organisation's security strategy.
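Spotting a planted key, as described for CryptoSink and Skidmap above, comes down to comparing every authorized_keys entry on every host against an inventory of keys the organisation actually issued. The script below is an added example (not Venafi's code) of such an audit: it parses the authorized_keys format, including a leading options field with quoted values, computes the SHA256 fingerprint in the same form `ssh-keygen -lf` prints, and classifies each entry against an allowlist. The function names, the sample file, the allowlist and the two Ed25519 key blobs are all constructed for the example; the key bytes are not real keys.

```python
"""Added example: audit an authorized_keys file against an allowlist of
fingerprints. Not Venafi's code. Keys below are constructed, not real."""
import base64
import hashlib

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

def split_entry(line):
    """Split one authorized_keys line into (options, keytype, base64, comment).
    The optional leading options field ends at the first space that is not
    inside double quotes, so command="..." values containing spaces survive."""
    line = line.strip()
    if not line:
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            elif ch == " " and not in_quote:
                options, line = line[:i], line[i + 1:].lstrip()
                break
        else:
            return None                    # options with no key after them
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def fingerprint(b64, keytype):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: base64 of the
    digest over the raw key blob, padding stripped. Also checks that the
    type name embedded in the blob matches the declared type."""
    blob = base64.b64decode(b64, validate=True)       # raises on junk
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("declared key type does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, allowlist):
    """Classify every entry: known (fingerprint in allowlist), unknown,
    invalid (undecodable) or unparseable. Options are kept in the finding
    so a reviewer sees from=/command= restrictions attached to a key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = split_entry(line)
        if entry is None:
            findings.append({"line": lineno, "status": "unparseable"})
            continue
        options, keytype, b64, comment = entry
        try:
            fp = fingerprint(b64, keytype)
        except ValueError as exc:
            findings.append({"line": lineno, "status": "invalid", "reason": str(exc)})
            continue
        findings.append({"line": lineno,
                         "status": "known" if fp in allowlist else "unknown",
                         "fingerprint": fp, "type": keytype,
                         "options": options, "comment": comment})
    return findings

def _ed25519_blob(pubkey_bytes):
    """Wire-format public key blob (string type, string key), base64-encoded.
    Used only to build constructed sample keys; the bytes are not real keys."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(b"ssh-ed25519") + s(pubkey_bytes)).decode()

KEY_A = _ed25519_blob(bytes(range(32)))          # constructed "deploy" key
KEY_B = _ed25519_blob(bytes([0xAB] * 32))        # constructed planted key

# Constructed sample file: a legitimate key, a planted key with from= and
# command= options, and a corrupt leftover line.
SAMPLE_AUTHORIZED_KEYS = f"""\
# deploy key issued by CI
ssh-ed25519 {KEY_A} deploy@ci
from="203.0.113.0/24",command="/bin/bash -i" ssh-ed25519 {KEY_B}
ssh-rsa not-base64!! stale
"""
ALLOWLIST = {fingerprint(KEY_A, "ssh-ed25519")}   # inventory of approved keys

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f)
```

Run across a fleet, the allowlist is the inventory the article argues for, and every "unknown" finding is a key nobody issued. Remember that sshd reads the files named by `AuthorizedKeysFile` in sshd_config (the default is `.ssh/authorized_keys .ssh/authorized_keys2`) for every account, not just root, so the audit has to cover each user's home directory and any `AuthorizedKeysCommand` configured on the host.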
Badly managed SSH keys have the potential to allow massive harm. The only way to defend against these attacks is to know which SSH machine identities are being used and to improve Machine Identity Protection for SSH keys. It is a substantial challenge. As Yana Blachman puts it, organisations must “equip themselves to take complete control over every single SSH machine identity they rely on in order to identify signs of compromise.”