Trickbot has garnered a fair share of news coverage and, consequently, has been analyzed by many security organizations. What makes this malware so dangerous, and what are the lessons to be learned?
First, let’s take a look at the nature of the beast. Trickbot is dangerous because it evolves, spreads via multiple mechanisms (email and network) and targets credentials (using Mimikatz). The malware started out as a banking Trojan distributed via spear-phishing email attachments containing a hidden script concealed by font coloring. This technique has proven successful for adversaries and has resulted in hundreds of millions of clients being infected. The sophisticated malware even appears capable of disabling standard Microsoft Windows defense mechanisms.
What makes this malware especially interesting is that it searches for credentials stored in memory, including SSH keys used by tools like PuTTY, one of the 10 most popular tools for system administrators. Attackers can use these credentials as a backdoor to access critical assets and then exfiltrate data, again over the SSH protocol.
The latest Trickbot is adept at stealing SSH keys. And while security teams have enforced password-change policies and spent billions on identity management for passwords, there is little awareness of SSH keys and the risk they carry. SSH keys automate access to, and grant control over, systems in the datacenter and the cloud. Stealing them hands that control to hackers and gives them the power to create long-term backdoors.
According to Kevin Bocek, Venafi vice president of security strategy and threat intelligence, “Hackers are wising up to a hidden gem: SSH machine identities give them master control over businesses’ sensitive computers. Unfortunately for many businesses, Trickbot allows hackers to gain total control because of stolen SSH keys.”
To learn more about managing SSH keys, go to https://www.venafi.com/education-center/ssh/6-steps-for-managing-ssh-keys
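As an added example that is not part of the original article, the following Python audit checks the two properties that turn a stolen SSH key into a standing backdoor: a private key stored without a passphrase (an OpenSSH key file records its cipher as `none`) and an `authorized_keys` entry with no `from=` or `command=` restriction; it also flags RSA keys shorter than 2048 bits. All function names are mine, and the key material is constructed inline rather than taken from real systems.

```python
import base64, shlex, struct

MAGIC = b"openssh-key-v1\x00"
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def _string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n
def _pack(b):  # inverse of _string, used only to build the constructed samples
    return struct.pack(">I", len(b)) + b

def private_key_is_encrypted(key_text):
    """True unless the OPENSSH PRIVATE KEY file names cipher 'none', i.e. no passphrase."""
    body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
    raw = base64.b64decode(body)
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    return _string(raw, len(MAGIC))[0] != b"none"   # cipher name follows the magic

def audit_authorized_keys(text):
    """Return [(key_type, issues)]: no from=/command= restriction, or RSA < 2048 bits."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        tokens = shlex.split(line) if line and not line.startswith("#") else []
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None:
            continue
        options, ktype, blob = ",".join(tokens[:idx]), tokens[idx], tokens[idx + 1]
        issues = []
        if "from=" not in options and "command=" not in options:
            issues.append("unrestricted")      # usable from any host, for any command
        if ktype == "ssh-rsa":                 # blob = string("ssh-rsa") + mpint(e) + mpint(n)
            raw = base64.b64decode(blob)
            _, off = _string(raw, 0)
            _, off = _string(raw, off)
            bits = int.from_bytes(_string(raw, off)[0], "big").bit_length()
            if bits < 2048:
                issues.append(f"rsa-{bits}-bit")
        findings.append((ktype, issues))
    return findings

def sample_private_key(cipher=b"none"):  # constructed sample, not a real key
    raw = MAGIC + _pack(cipher) + _pack(b"none") + _pack(b"")   # magic, cipher, kdf, kdfoptions
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(raw).decode()

def sample_authorized_keys():  # constructed sample: a 1024-bit RSA modulus and a fake ed25519 blob
    rsa1024 = base64.b64encode(_pack(b"ssh-rsa") + _pack(b"\x01\x00\x01") + _pack(b"\x00\x80" + b"\x00" * 127)).decode()
    return (f"# constructed sample\nssh-rsa {rsa1024} legacy-admin@host\n"
            'from="10.0.0.0/8",command="/usr/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample backup@host\n')
```

Run `audit_authorized_keys` over each account's `~/.ssh/authorized_keys` and `private_key_is_encrypted` over every `id_*` file found on a host to inventory which keys would be immediately usable if copied.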
Finding an SSH host is like finding the keys to the kingdom. Learn how to strategize your cybersecurity response so that your SSH key pairs do not become bait for attackers.