3 Lessons Trickbot Teaches Us about SSH

November 27, 2019 | Bart Lenaerts

Referred to by some as the “Malware of 2019,” Trickbot has garnered a fair share of news coverage and, consequently, it has been analyzed by many security organizations. What makes this malware so dangerous and what are the lessons to be learned?

First, let’s take a look at the nature of the beast. Trickbot is dangerous because it evolves, spreads via multiple mechanisms (email and network) and targets credentials (Mimikatz). The malware originally started as a banking Trojan distributed via a spear phishing email attachment with a hidden script concealed by font coloring. This technique has proven to be a successful one for adversaries and has resulted in hundreds of millions of clients being infected. The sophisticated malware even appears to be capable of stopping standard Microsoft Windows defense techniques.

What makes this malware especially interesting is that it searches for credentials stored in memory, including SSH keys used by tools like Putty—one of the 10 most popular tools for system administrators. Attackers can use these credentials as a backdoor to access critical assets and exfiltrate data, again using the SSH protocol.

What are the lessons we should learn about privileged access from Trickbot?

  1. SSH credentials need to be protected
    Credentials are the new prizes for adversaries. In particular, stolen SSH keys give attackers an array of opportunities to move laterally and exfiltrate data—all nicely built into the SSH protocol. Since SSH keys don’t expire and most organizations (even the most sophisticated banks) never change them, hackers can easily sell the credentials on the dark web or use them later in a deeper multi-staged attack.

  2. SSH visibility is critical
    Adversaries always move to the path of least resistance. Unfortunately, for many businesses, security teams have no clue when they’re pwned. Without visibility over all the SSH keys in use across the datacenter or cloud, coupled with the automation needed to change them, these hacks and the increasing theft of SSH keys will only continue. CISOs would find it insane not to have password change policies in place; unfortunately, the same is not true for SSH machine identities.

  3. SSH requires proactive resiliency
    Because Trickbot evades malware protection like Windows Defender, a continuous, proactive approach is required: scanning for SSH keys, monitoring for duplicate key usage, implementing SSH usage controls (eliminating port forwarding) and frequently replacing keys. This can have a big effect on the overall security posture of the enterprise environment and prevent further damage. Simply said, continuous monitoring, applying policies and even proactively replacing keys must be done for all credentials used by human or machine identities.
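The visibility and usage-control checks from lessons 2 and 3 can be automated over an inventory of authorized_keys files. The following is an added example, not code from the original post or from Venafi: it fingerprints each key, flags keys that are authorized on more than one host (duplicate key usage), and flags entries that still permit port forwarding. The host names and key blobs are constructed sample data, and `blob_for`, `parse_line` and `audit` are hypothetical helper names.

```python
import base64
import hashlib
import re
from collections import defaultdict
blob_for = lambda label: base64.b64encode(label.encode()).decode()  # synthetic blob, not a real key

# Constructed inventory of authorized_keys lines gathered from three hosts.
SAMPLE_INVENTORY = {
    "bastion": [
        f"ssh-ed25519 {blob_for('admin-key')} alice@laptop",
        f"restrict,no-port-forwarding ssh-ed25519 {blob_for('backup-key')} backup",
    ],
    "db01": [
        f"ssh-ed25519 {blob_for('admin-key')} alice@laptop",  # same key as on bastion
        f'no-port-forwarding,command="/usr/bin/rsync --server" ssh-ed25519 {blob_for("sync-key")} sync',
    ],
    "web01": [f"ssh-rsa {blob_for('deploy-key')} deploy"],
}

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str):
    """Split an authorized_keys line into (options, key type, blob, comment)."""
    line = line.strip()
    if not line or line.startswith("#"): return None
    options = ""
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):
        # The options field ends at the first whitespace outside double quotes.
        in_quote, i = False, 0
        while i < len(line) and (in_quote or not line[i].isspace()):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"): in_quote = not in_quote
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def audit(inventory: dict):
    """Return (keys seen on more than one host, entries that still permit port forwarding)."""
    hosts_by_key, unrestricted = defaultdict(set), []
    for host, lines in inventory.items():
        for options, _, blob, comment in filter(None, map(parse_line, lines)):
            fp = fingerprint(blob)
            hosts_by_key[fp].add(host)
            names = set(re.findall(r"(?:^|,)([a-z-]+)", options))  # option names only
            if not names & {"restrict", "no-port-forwarding"}:
                unrestricted.append((host, fp, comment))
    return {fp: sorted(h) for fp, h in hosts_by_key.items() if len(h) > 1}, unrestricted
```

On the sample data the audit reports the admin key as shared by bastion and db01, and three entries (both admin-key entries and the deploy key) as lacking a forwarding restriction.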


The latest Trickbot is adept at stealing SSH keys. And while security teams have enforced password change policies and have spent billions on identity management for passwords, there’s little awareness about SSH keys and their dangers. SSH keys automate and have control over systems in the datacenter and the cloud. Stealing them gives hackers control and gives them the power to create long-term back doors.

According to Kevin Bocek, Venafi vice president of security strategy and threat intelligence, “Hackers are wising up to a hidden gem: SSH machine identities give them master control over businesses’ sensitive computers. Unfortunately for many businesses, Trickbot allows hackers to gain total control because of stolen SSH keys.”

To learn more about managing SSH keys, go to

Finding an SSH host is like finding the keys to the kingdom. How to strategize your cybersecurity response to protect your SSH key pairs from becoming bait for attackers.


