A close look at the prominent malware campaigns in 2019 revealed that an increasing number of commodity malware families integrated the misuse of SSH machine identities into their attacks. Campaigns such as cryptomining, spam, adware and banking trojans targeting Windows, Unix-like systems and macOS are now equipped with SSH capabilities for credential theft, persistence and lateral movement.
In most cases, the malware added the attacker’s SSH key to the authorized_keys file on the victim’s machine, enabling the attacker to remain persistent on the device. In other cases, the malware was able to brute force weak SSH authentication on public-facing servers and gain access to the target, steal credentials and host information to laterally move across the network and infect further machines.
Some examples of successful malware campaigns that have leveraged SSH capabilities include:
SSH machine identities are used to secure remote connections and automate processes and workloads within a network and in the cloud, giving privileged access to organizations’ most critical systems, including servers and databases. This makes them highly valuable to attackers.
But until recently, only the most sophisticated, well-financed Advanced Persistent Threats (APTs) were using this capability in the post-exploitation phase, once inside the network, as were red teams in their assessments. Now, it seems that there is a ‘trickle-down’ effect, where SSH capabilities are becoming part of “off-the-shelf” commodity malware.
In light of the scale of these campaigns and their distribution, what makes this “commoditization” so worrying is that when an attacker is able to backdoor or steal SSH keys for a high profile or high value target, they may monetize this access and sell it through dedicated channels back to nation state-affiliated APTs for further exploitation.
TrickBot is a prime example of this shift towards collaboration between crime gangs and nation-state APT groups. Formerly a banking trojan, TrickBot has evolved into a universal module-based crimeware framework used for various criminal activities, such as personal and banking information theft, distribution and delivery of ransomware, and cryptomining. SentinelOne research by Vitali Kremez showed ties between the Russian crime gang behind TrickBot and the North Korean state-sponsored APT group Lazarus. The report also explained that the TrickBot framework, dubbed “Anchor Project”, was sold as a service to the group for cyberespionage and monetization. This connection is unique since it shows collaboration between a Russian crime gang and a North Korean nation-state group.
How to protect against SSH abuse?
The best defence against SSH abuse in your organization is to ensure you have complete visibility and intelligence over every authorized SSH key in the enterprise, as well as out to the cloud. However, that is just the first step: attackers may not only abuse existing machine identities, they may also insert their own SSH machine identities into target environments. Therefore, it is critical that you focus not just on the known keys, but on discovering and analysing all keys that are actually in use across your organization.
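The two points above, that malware persists by appending a key to authorized_keys and that the defence is to inventory every key actually trusted on a host rather than only the keys you think you issued, can be made concrete with a small audit script. The following is an added example written for this page, not code from the original post or from any vendor tool. It parses OpenSSH authorized_keys files (options, key type, blob, comment), computes the same SHA256 fingerprint that ssh-keygen -l reports, reports every entry whose fingerprint is not in an approved inventory, and shows which accounts trust the same key. The file contents, the approved set and the key material are all constructed inline for the demonstration; in practice the input would come from collecting authorized_keys files across hosts.

```python
"""Inventory and audit of OpenSSH authorized_keys entries (constructed example)."""
import base64
import hashlib
import re
from dataclasses import dataclass

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
)
# key type, base64 blob, optional comment; anything before the type is the option list
KEY_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES)
    + r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


@dataclass
class AuthorizedKey:
    path: str
    line_no: int
    options: list
    key_type: str
    fingerprint: str
    comment: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: base64(sha256(decoded key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(text: str) -> list:
    """Split the comma-separated option list, keeping commas inside double quotes intact
    (e.g. command="a,b"). Backslash-escaped quotes inside values are not handled here."""
    opts, cur, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur))
    return [o.strip() for o in opts if o.strip()]


def parse_authorized_keys(path: str, text: str) -> list:
    """Parse one authorized_keys file into AuthorizedKey records (blank and '#' lines skipped)."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue  # not a recognised key line; a production tool should report it instead
        key_type, blob, comment = m.group(1), m.group(2), m.group(3) or ""
        entries.append(AuthorizedKey(path, line_no, split_options(line[:m.start()]),
                                     key_type, fingerprint(blob), comment.strip()))
    return entries


def audit(files: dict, approved: set) -> list:
    """One finding per entry whose fingerprint is not in the approved inventory."""
    findings = []
    for path, text in files.items():
        for e in parse_authorized_keys(path, text):
            if e.fingerprint not in approved:
                findings.append({"path": e.path, "line_no": e.line_no, "key_type": e.key_type,
                                 "fingerprint": e.fingerprint, "comment": e.comment,
                                 "options": e.options})
    return findings


def keys_by_account(files: dict) -> dict:
    """Map each fingerprint to the accounts (file paths) that trust it; a key accepted by
    several accounts widens the blast radius if that key is ever stolen."""
    seen = {}
    for path, text in files.items():
        for e in parse_authorized_keys(path, text):
            seen.setdefault(e.fingerprint, []).append(path)
    return seen


# --- constructed sample data (not real keys, not real hosts) ---
def _ed25519_blob(pub: bytes) -> str:
    """Build an ssh-ed25519 public key blob in OpenSSH wire format: string "ssh-ed25519", string pubkey."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(b"ssh-ed25519") + s(pub)).decode()


KEY_A = _ed25519_blob(bytes(range(32)))      # constructed: the key the admin actually enrolled
KEY_B = _ed25519_blob(bytes([0x42]) * 32)    # constructed: a key nobody enrolled, no comment

SAMPLE_FILES = {
    "/home/alice/.ssh/authorized_keys": f"ssh-ed25519 {KEY_A} alice@workstation\n",
    "/root/.ssh/authorized_keys": (
        "# admin access\n"
        f'from="10.0.0.0/8" ssh-ed25519 {KEY_A} alice@workstation\n'
        f"ssh-ed25519 {KEY_B}\n"
    ),
}
APPROVED = {fingerprint(KEY_A)}  # the inventory of keys the organization knowingly issued

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, APPROVED):
        print(f"UNKNOWN KEY {f['fingerprint']} in {f['path']} line {f['line_no']} comment={f['comment']!r}")
    for fp, paths in keys_by_account(SAMPLE_FILES).items():
        if len(paths) > 1:
            print(f"{fp} is trusted by {len(paths)} accounts: {', '.join(paths)}")
```

Run stand-alone, the script reports the un-enrolled key on line 3 of the root account's file and notes that the admin key is trusted by two accounts. The important design choice is that the approved set is keyed by fingerprint, not by comment: the comment field is free text that anyone who can write the file can set to whatever looks legitimate, whereas the fingerprint is derived from the key material itself.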
How much do you know about your organization’s SSH keys?