Secure Shell (SSH) provides an authenticated connection between two machines, enabling encrypted data communications and remote command execution. SSH machine identities, also known as SSH keys, control workloads running in cloud computing environments, data center operations, critical infrastructure, VPN connections and more. In addition, SSH keys provide privileged access to critical systems like servers and databases.
According to Yana Blachman, threat intelligence specialist for machine identity protection leader Venafi, SSH keys are valuable targets for attackers, and malware campaigns equipped with the capability to exploit SSH keys are becoming commoditized.
“Attackers can use SSH keys to gain undetected root access to critical systems and data, allowing them to do nearly anything from circumventing security controls, injecting fraudulent data, subverting encryption software—or even installing malware,” said Blachman. “Until recently, only sophisticated, well-financed threat actors had this kind of capability. Today, they are becoming a standard part of cybercriminal toolkits, where attackers use SSH to establish backdoors that can remain undetected for years. SSH capabilities have trickled-down into off-the-shelf malware, which are available as a service targeting Windows, Linux and MacOS machines.”
Security researchers at Venafi routinely examine samples of high-profile malware campaigns to detect how SSH capabilities are being utilized. In most cases, the malware added an attacker’s SSH key to a list of authorized keys in a file on a target machine. This malicious SSH key enables the attacker to persist on the victim’s machine. In other cases, users’ SSH keys were collected and stolen for lateral movement and further exploitation.
According to Blachman, these four examples demonstrate the range of successful malware campaigns that leveraged SSH in 2019:
- Skidmap: A kernel-mode rootkit, Skidmap gains backdoor access to a targeted machine by adding the attacker’s public SSH key to the authorized key file. Skidmap uses exploits, misconfigurations or exposure to the internet to gain root or administrative access to the system and drop cryptomining malware.
- TrickBot: Originally a banking trojan that first appeared in 2016, TrickBot has become a flexible, universal, module-based crimeware solution that has shifted focus to enterprise environments over the years. It incorporates many features from network profiling, mass data collection and incorporation of lateral traversal exploits. Last year, TrickBot added credential-grabbing capabilities for both PuTTY (SSH client for Microsoft) and OpenSSH (a suite of open source SSH tools for Linux). In addition to targeting credentials, the malware is designed to look for information, such as the hostname and username, which are used in lateral movement.
- CryptoSink: This is a cryptomining campaign that exploited a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems on Windows and Linux platforms to mine XMR cryptocurrency. CryptoSink created a backdoor to the targeted server by adding the attacker’s public SSH key to the authorized key file on the victim’s machine.
- Linux Worm: This worm targets vulnerable Exim mail servers on Unix-like systems to deliver Monero cryptocurrency miners. The worm created a backdoor to the server by adding its own SSH public key and enabling the SSH server if it was disabled.
Blachman added: “Despite the rise in malware campaigns that leverage SSH keys and the fact that they are becoming more accessible and available, organizations routinely overlook the importance of protecting SSH machine identities. The only way for organizations to protect themselves from malware that targets SSH keys is to have complete visibility and comprehensive intelligence across all of the authorized SSH keys they use. Once this is accomplished, automation can be used to eliminate persistent backdoors and reduce risk of key theft and undetected access.”
For more information, please visit: https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities
Venafi is the cybersecurity market leader and inventor of machine identity protection, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, code signing, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise—on premises, mobile, virtual, cloud and IoT—at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.
With over 30 patents, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 5000 organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the top four accounting and consulting firms; four of the top five U.S., U.K., Australian and South African banks; and four of the top five U.S. retailers. Venafi is backed by top-tier investors, including TCV, Foundation Capital, Intel Capital, QuestMark Partners, Mercato Partners and NextEquity.
For more information, visit: www.venafi.com.