How Threat Actors Misuse SSH Certificates in Cyber-Attacks

January 11, 2022 | Scott Carter

Cybercriminals are constantly looking for new ways to exploit systems and execute attacks. Attackers diligently look for misconfigurations and weak authentication methods in public-facing remote services. In particular, the number of attacks in the cloud that abuse SSH password-based authentication continues to grow at an alarming rate.

In many cases, a lack of oversight and controls has led to violations of corporate access policies. This can result in dangerous backdoors that facilitate successful attacks through otherwise trusted encrypted tunnels. Let’s take a closer look at the techniques threat actors use to exploit SSH keys, and make sure your network isn’t falling prey to any of these traps.

Exposed services

Exposing an application service directly to the internet is a common misconfiguration: it allows access to an internal system from anywhere and is a frequent attack vector. Attackers can leverage external-facing remote services as a point of entry to an application hosted in the cloud, aiming to compromise the underlying instance.

Another, less frequently reported, attack vector against applications with exposed SSH services is the use of compromised SSH keys and credentials. Attackers can gather SSH keys and credentials from source control, public repositories, or open storage buckets. They can also steal them from machines compromised in parallel or unrelated campaigns, or even purchase them on remote-access markets where they are sold as a service.

Advanced persistent threat (APT) attacks typically use a combination of discovered machine identity vulnerabilities and malware that exploit weak or improperly managed machine identities to achieve their goals. A primary goal of an APT attack is to remain persistent on the victim’s network. SSH machine identities are extremely useful to attackers because they support and enable persistence, lateral movement and defensive evasion.

For example, one APT group was able to use a feature that allowed any user to trigger an SSH connection from the cloud provider to the managed server, with the SSH agent forwarding feature enabled. This allowed the attacker to relay authentication to any other server within the same cloud, achieving remote code execution (RCE) with root privileges.

In another recent attack, cybercriminals brute-forced an exposed SSH service to infect the host with a crypto-miner and used it as a launchpad for further large-scale attacks. In yet another incident, skilled attackers managed to get initial access on a Linux system through what appeared to be a brute-force attack on an exposed SSH service and moved from there to the on-premises network.

In APT attacks, cybercriminals use the following tools:

  1. SSH backdoors
    SSH can be used by both developers and attackers to ensure access to a server. Attackers who compromise a machine can enable the SSH service to allow SSH communication and thereby establish persistence on the target. This backdoor access lets attackers blend into legitimate traffic, avoid detection and pass through any firewalls that are in place.

    Another common technique for establishing persistence on a target where the SSH service is enabled is to insert an attacker-owned SSH public key into the authorized_keys file on the server, creating a backdoor that ensures remote access to the server without notice.

  2. Legitimate SSH services
    Attackers often use legitimate, preinstalled remote services with valid accounts on compromised machines to evade defense mechanisms. Attackers collect insecure machine identities from their targets and use them to establish SSH communication and bypass access restrictions on traffic, without raising suspicion or triggering any security controls.

  3. SSH keys and “wormlike” malware
    Many APT attacks are designed to steal and exfiltrate SSH keys and known hosts information to enable lateral movement to more and more systems.

In recent years, a growing amount of commodity malware has integrated the misuse of SSH machine identities into its attacks. Campaigns such as crypto-mining, spam, adware and banking trojans are now equipped with SSH capabilities for credential theft, persistence and lateral movement. In most cases, the malware adds the attacker’s SSH key to the authorized_keys file on the victim’s machine, enabling the attacker to remain persistent on the device. In other cases, the malware brute-forces weak SSH authentication on public-facing servers to gain access to the target, then steals credentials and host information to move laterally across the network and infect further machines.
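The persistence technique described in the backdoor item above and in the paragraph just before this one (an attacker-owned key appended to authorized_keys) is detectable by comparing every key on a host against a known inventory. The following audit script is an added example, not code from the original post or from Venafi; the key inventory, sample keys and the required restriction options are constructed assumptions.

```python
import base64
import hashlib
import shlex
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}
# Options every inventoried key is assumed to require on this host (assumption).
REQUIRED_OPTIONS = {"no-agent-forwarding", "no-port-forwarding"}

def ssh_blob(key_type: str, payload: bytes) -> str:
    """Build a base64 public-key blob (RFC 4253 string fields); used here only to construct samples."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(payload)) + payload
    return base64.b64encode(blob).decode()

def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Return one dict per key line; blank lines and '#' comments are skipped.
    shlex keeps quoted option values (e.g. command="...") inside the options token."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        options = ""
        if tokens[0] not in KEY_TYPES:          # first token is the options field
            options, tokens = tokens[0], tokens[1:]
        entries.append({"options": options.split(",") if options else [],
                        "type": tokens[0], "fp": fingerprint(tokens[1]),
                        "comment": " ".join(tokens[2:])})
    return entries

def audit(text: str, inventory: set):
    """Flag keys absent from the inventory and inventoried keys lacking required options."""
    findings = []
    for e in parse_authorized_keys(text):
        if e["fp"] not in inventory:
            findings.append(("UNKNOWN_KEY", e["fp"], e["comment"]))
            continue
        missing = REQUIRED_OPTIONS - set(e["options"])
        if missing:
            findings.append(("UNRESTRICTED_KEY", e["fp"], ",".join(sorted(missing))))
    return findings

# Constructed sample file: key 0 is inventoried and restricted, key 1 is inventoried but
# unrestricted, key 2 is an unknown key of the kind malware appends for persistence.
SAMPLE_KEYS = [ssh_blob("ssh-ed25519", bytes([n]) * 32) for n in (1, 2, 3)]
SAMPLE_AUTHORIZED_KEYS = f"""\
from="10.0.0.0/8",no-agent-forwarding,no-port-forwarding ssh-ed25519 {SAMPLE_KEYS[0]} ci@build
ssh-ed25519 {SAMPLE_KEYS[1]} deploy@staging
ssh-ed25519 {SAMPLE_KEYS[2]} user@unknown-host
"""
INVENTORY = {fingerprint(SAMPLE_KEYS[0]), fingerprint(SAMPLE_KEYS[1])}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY):
        print(*finding)
```

In practice the inventory would be exported from whatever system of record holds approved keys, and the audit run against every authorized_keys file on the host (including root's and service accounts').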

Create a strategy to prevent these vulnerabilities

Whether a threat is designed to gain initial access to a target machine through SSH, insert attacker-owned keys for persistence, or collect SSH keys to move laterally like a “worm” across the network, the malware is developed with machine identities in mind.

What does this mean? Your security strategies must also be developed with machine identities in mind! As the vulnerabilities outlined above demonstrate, neglecting to properly manage and protect your SSH machine identities is too big a risk to take.

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.