Secure Shell (SSH) machine identities and user keys play a critical role in providing the highest level of privileged access. So, it’s no surprise that cybergangs and threat actors continue to target the cloud and unmanaged SSH machine identities. Recently we saw Hildegard and Pro-Ocean using stolen or unmanaged SSH keys, and a new report shows that unmanaged SSH keys are again the prime target.
Researchers have identified a new Linux rootkit, dubbed Facefish, that targets Linux x64 systems to inject malicious code, hijack SSH servers and install a backdoor that can steal sensitive information as well as SSH credentials and keys. Unlike other SSH-targeting malware, Facefish doesn’t immediately use the resources to mine cryptocurrency or to pivot to other systems and likely compromises targets for sale to other cybercriminals to allow them to access the victim in the future.
Juniper Threat Labs observed an attack that attempted to inject malicious code into SSH. The attack begins with an exploit against the Control Web Panel (CWP) server administration web application, injects code and uses a custom, encrypted C2 protocol to exfiltrate credentials and machine capabilities.
NetLab reported that the attack targets the OpenSSH client and server. According to NetLab, Facefish first determines which processes are running on the machine and whether its code has been injected into the ssh or sshd process.
If a user logs on through SSH, Facefish executes a series of backdoor behaviors in order to steal the credentials and keys. If the sshd process exists, the backdoor process will exit and will start to periodically beacon to the command-and-control (C2) server to exfiltrate data, including system information such as CPU and OS details, the amount of RAM, available disk space, the OpenSSH configuration and credential data.
When a client session is created using SSH and connects to the machine, or when sshd passively receives an external connection, Facefish steals the login credentials and keys and sends them to the C2.
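The behavior described above, code injected into the ssh/sshd processes, is something a defender can look for directly on a Linux host: a legitimate sshd maps only its own binary and package-managed libraries, so a shared object mapped from an unexpected directory, or one whose backing file has since been deleted, is worth investigating. The following is an added detection example, not code from the Venafi post or from the NetLab or Juniper reports; the list of trusted library directories and the sample `/proc/<pid>/maps` text are constructed assumptions and should be adjusted per distribution.

```python
"""Flag shared objects mapped into ssh/sshd processes from outside the
package-managed library directories (added example; trusted prefixes and
sample maps text are assumptions, not values from the original post)."""
import os
import re
import sys
from typing import List, Sequence, Tuple

# Where a legitimate sshd's file-backed mappings are expected to come from
# on a typical Linux distribution (assumption; tune for your hosts).
TRUSTED_PREFIXES: Tuple[str, ...] = (
    "/usr/lib", "/usr/lib64", "/lib", "/lib64",
    "/usr/sbin/sshd", "/usr/bin/ssh",
)

# /proc/<pid>/maps fields: address perms offset dev inode [pathname]
# Only file-backed mappings (pathname starting with "/") are of interest;
# pseudo entries such as [stack] or [vdso] are skipped.
_MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<path>/.*)$")


def _under_trusted(path: str, trusted: Sequence[str]) -> bool:
    """True if path is a trusted file or lives below a trusted directory."""
    return any(path == t or path.startswith(t.rstrip("/") + "/") for t in trusted)


def suspicious_mappings(maps_text: str,
                        trusted: Sequence[str] = TRUSTED_PREFIXES) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for mappings that warrant a closer look.

    Two heuristics: the backing file is outside the trusted directories, or
    the backing file has been deleted (a loaded object whose file was
    unlinked afterwards). Each path is reported once, in maps order.
    """
    findings: List[Tuple[str, str]] = []
    seen = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue
        raw = m.group("path")
        deleted = raw.endswith(" (deleted)")
        path = raw[: -len(" (deleted)")] if deleted else raw
        if path in seen:
            continue
        seen.add(path)
        if deleted:
            findings.append((path, "backing file deleted"))
        elif not _under_trusted(path, trusted):
            findings.append((path, "outside trusted library directories"))
    return findings


def scan_host(names: Sequence[str] = ("ssh", "sshd")) -> List[Tuple[int, str, str]]:
    """Walk /proc on a live Linux host and check every ssh/sshd process.

    Returns (pid, path, reason) triples. Processes that exit mid-scan or
    that we lack permission to read are skipped silently.
    """
    results: List[Tuple[int, str, str]] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() not in names:
                    continue
            with open(f"/proc/{pid}/maps") as f:
                maps_text = f.read()
        except OSError:
            continue
        for path, reason in suspicious_mappings(maps_text):
            results.append((pid, path, reason))
    return results


# Constructed sample of a maps file: the sshd binary and libc are where
# they belong, while two extra objects come from /tmp and a deleted file.
SAMPLE_MAPS = """\
55d1c2a00000-55d1c2a3c000 r--p 00000000 fd:01 1049 /usr/sbin/sshd
55d1c2a3c000-55d1c2b10000 r-xp 0003c000 fd:01 1049 /usr/sbin/sshd
7f3b6c000000-7f3b6c028000 r--p 00000000 fd:01 2301 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3b6c400000-7f3b6c40f000 r-xp 00000000 fd:01 7788 /tmp/.x/libs.so
7f3b6c800000-7f3b6c801000 r-xp 00000000 fd:01 7790 /dev/shm/ld.so (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    if sys.platform.startswith("linux") and os.path.isdir("/proc"):
        for pid, path, reason in scan_host():
            print(f"pid {pid}: {path} ({reason})")
    else:
        for path, reason in suspicious_mappings(SAMPLE_MAPS):
            print(f"sample: {path} ({reason})")
```

Run as root on a Linux host to inspect the real ssh/sshd processes; elsewhere it falls back to the constructed sample. A hit is a starting point for investigation, not proof of compromise: sshd modules loaded from a non-standard prefix, or a library upgraded while sshd was running (which shows as a deleted mapping until restart), will also trip these heuristics, so baseline each host before alerting on the output.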
Juniper had a hard time determining the motivations behind the attack, but stated that the malware catalogs detailed system information and credentials yet does not immediately mine cryptocurrency or amplify the attack by attempting to spread further; it is therefore suspected that “access to the compromised machines will be sold or rented as part of a botnet.”
Using Venafi SSH Protect to manage your SSH machine identities, you can discover all SSH machine identities in the environment, identify who they belong to and what they are used for. This comprehensive visibility will help you maximize threat detection in encrypted traffic, maintain active control over SSH keys and centralize your machine identity governance and administration.
Here’s how Venafi SSH Protect helps you manage and secure your enterprise SSH keys and connections:
How well are you managing your SSH machine identities?