Attackers constantly probe public-facing remote services for misconfigurations and weak authentication methods. In particular, the number of attacks on cloud hosts that abuse SSH password-based authentication continues to grow at an alarming rate.
In many cases, a lack of oversight and controls has led to violations of corporate access policies. The result can be dangerous backdoors that let attackers mount successful attacks through otherwise trusted encrypted tunnels. Let's take a closer look at the techniques threat actors use to exploit SSH keys, so you can make sure your network isn't falling prey to any of these traps.
Exposing an application's SSH service directly to the internet is a common misconfiguration: it allows access to an internal system from anywhere and is a well-worn attack vector. Attackers use such external-facing remote services as their point of entry into a cloud-hosted application, aiming to compromise the underlying instance.
A less frequently reported attack vector against applications with exposed SSH services is the use of compromised SSH keys and credentials. Attackers harvest SSH keys and credentials from source control, public repositories and open storage buckets. They also steal them from machines compromised in parallel or unrelated campaigns, or simply buy them on remote-access markets where they are sold as a service.
Advanced persistent threat (APT) attacks typically combine weak or improperly managed machine identities with malware built to exploit them. A primary goal of an APT attack is to remain persistent on the victim's network, and SSH machine identities are extremely useful to attackers because they support persistence, lateral movement and defensive evasion.
For example, one APT group abused a feature that let any user trigger an SSH connection from the cloud provider to a managed server with SSH agent forwarding enabled. With agent forwarding, the remote host can ask the client's agent to sign authentication challenges without ever holding the private key, so once the attacker controlled that host they could relay authentication to any other server in the same cloud environment that trusted those keys, achieving remote code execution (RCE) with root privileges.
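The two misconfigurations above (an exposed SSH service that still accepts passwords, and agent forwarding left enabled on the server) can be checked mechanically. The following is an added example, not code from the original page or from Venafi: it parses a constructed sshd_config, reports the weak settings the attacks rely on, and emits a hardened version. Option names and their defaults are taken from OpenSSH's sshd_config(5) manual; the sample config, the chosen MaxAuthTries limit of 4 and the recommended values are this example's assumptions.

```python
"""Audit an OpenSSH sshd_config for the settings the attacks above rely on.

Added example, not code from the original page or from Venafi. The sample
config is constructed; option names and defaults follow sshd_config(5).
"""
import re

# Constructed sample. Note the duplicate PasswordAuthentication line: sshd keeps
# the FIRST value it reads for a keyword, so the later "no" is silently ignored
# and password logins stay enabled. A grep for "PasswordAuthentication no"
# would wrongly pass this host.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
AllowAgentForwarding yes
MaxAuthTries 6
PasswordAuthentication no
"""

# Values sshd assumes when the keyword is absent from the file (OpenSSH 7.0+).
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "AllowAgentForwarding": "yes",
    "MaxAuthTries": "6",
}

# option -> (is_acceptable(value), recommended value, why it matters here).
# Note: AllowAgentForwarding=no only stops sshd's own forwarding; a user with a
# shell can still run a forwarder, so also disable ForwardAgent on clients.
CHECKS = {
    "PasswordAuthentication": (lambda v: v == "no", "no",
        "password logins are what brute-force campaigns guess"),
    "PermitRootLogin": (lambda v: v == "no", "no",
        "a guessed or stolen root credential is root RCE with no escalation step"),
    "AllowAgentForwarding": (lambda v: v == "no", "no",
        "a forwarded agent on a compromised host lets the attacker relay your key"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "4",
        "caps password guesses per connection (limit of 4 is this example's choice)"),
}

_KEYWORD_RE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+?)\s*$")


def parse_sshd_config(text):
    """Return the effective global options as {lowercased keyword: value}.

    Mirrors two sshd behaviours that matter for an audit: the first occurrence
    of a keyword wins, and keywords after a Match block are conditional, so
    parsing stops there rather than treating them as global settings.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        options.setdefault(key, value)  # first value wins, like sshd
    return options


def audit_sshd_config(text):
    """Return [(option, effective value, recommended value, reason)] per weak setting."""
    options = parse_sshd_config(text)
    findings = []
    for option, (ok, recommended, reason) in CHECKS.items():
        effective = options.get(option.lower(), DEFAULTS[option])
        if not ok(effective):
            findings.append((option, effective, recommended, reason))
    return findings


def harden_sshd_config(text):
    """Return the config with every audited option pinned to its recommended value.

    Existing global lines for those options are dropped (so no earlier weak value
    can win) and one authoritative line per option is placed before any Match block.
    """
    audited = {k.lower() for k in CHECKS}
    global_lines, match_lines = [], []
    target = global_lines
    for raw in text.splitlines():
        m = _KEYWORD_RE.match(raw.strip())
        key = m.group(1).lower() if m else None
        if key == "match":
            target = match_lines
        if key in audited and target is global_lines:
            continue
        target.append(raw)
    pinned = [f"{option} {rec}" for option, (_, rec, _) in CHECKS.items()]
    return "\n".join(global_lines + pinned + match_lines) + "\n"


if __name__ == "__main__":
    for option, value, recommended, reason in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"{option}={value!r} (want {recommended}): {reason}")
    print(harden_sshd_config(WEAK_SSHD_CONFIG))
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the first-value-wins rule is the part most ad-hoc checks get wrong, and it is exactly what the duplicated PasswordAuthentication line in the sample exercises.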
In another recent attack, cybercriminals brute-forced an exposed SSH service, infected the host with a crypto-miner and used it as a launchpad for further large-scale attacks. In yet another incident, skilled attackers gained initial access to a Linux system through what appeared to be a brute-force attack on an exposed SSH service, then moved from there into the on-premises network.
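Both incidents above begin with password guessing against an exposed sshd, which leaves a distinctive trail in the authentication log. The following detection logic is an added example, not code from the original page or from Venafi. It parses OpenSSH's standard syslog lines, raises an alert when one source exceeds a failure threshold inside a time window, and raises a second, higher-severity alert when that same source later succeeds, which is the moment a noisy scan becomes a compromised host. The log lines are constructed (documentation IP ranges), the year is assumed because syslog omits it, and the threshold and window are this example's choices.

```python
"""Flag SSH brute-force activity in sshd auth-log lines, including the worst
case: a password guess that eventually succeeded.

Added example, not code from the original page or from Venafi. The log lines
are constructed in OpenSSH's syslog format using documentation IP ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumption for this example

# OpenSSH authentication outcome lines, e.g.
#   "Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2"
#   "Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 ..."
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port \d+ ssh2"
)

# Constructed sample: 203.0.113.45 guesses passwords and finally gets root;
# 198.51.100.7 is an ordinary key-based login with one typo and must not be flagged.
SAMPLE_LOG = """\
Mar  3 10:14:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:14:03 web1 sshd[2313]: Failed password for invalid user oracle from 203.0.113.45 port 51236 ssh2
Mar  3 10:14:05 web1 sshd[2315]: Failed password for root from 203.0.113.45 port 51238 ssh2
Mar  3 10:14:07 web1 sshd[2317]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar  3 10:14:09 web1 sshd[2319]: Failed password for root from 203.0.113.45 port 51242 ssh2
Mar  3 10:14:10 web1 sshd[2320]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Mar  3 10:14:12 web1 sshd[2321]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Mar  3 10:14:20 web1 sshd[2330]: Accepted password for root from 203.0.113.45 port 51290 ssh2
""".splitlines()


def parse_sshd_line(line):
    """Return a dict for authentication-outcome lines, or None for lines not modelled."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    stamp = " ".join(ev["ts"].split())  # collapse the padded day ("Mar  3")
    ev["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (ip, kind, detail) tuples, in log order.

    kind is "bruteforce" when an IP accumulates `threshold` failures inside
    `window`, and "bruteforce_success" when that same IP later logs in.
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged, alerts = set(), []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # slide the window forward
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", f"{len(recent)} failed logins within {window}"))
        elif ip in flagged:
            alerts.append((ip, "bruteforce_success",
                           f"{ev['method']} login as {ev['user']} after guessing"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect_bruteforce(SAMPLE_LOG):
        print(f"{kind:20s} {ip:16s} {detail}")
```

On a live host feed it `journalctl -u ssh -o short` or `/var/log/auth.log` line by line. The "bruteforce_success" alert is the one to page on; the plain "bruteforce" alert from internet-facing hosts is continuous background noise and is better handled by turning password authentication off than by alerting.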
In APT attacks, cybercriminals use the following tools:
In recent years a growing number of commodity malware families have built the misuse of SSH machine identities into their attacks. Crypto-mining, spam, adware and banking-trojan campaigns now ship with SSH capabilities for credential theft, persistence and lateral movement. Most commonly, the malware appends the attacker's public key to the victim's authorized_keys file (typically ~/.ssh/authorized_keys), giving the attacker persistent, password-less access to the device. In other cases, the malware brute-forces weak SSH authentication on public-facing servers, then steals credentials and host information from the compromised target to move laterally across the network and infect further machines.
Whether a threat is designed to gain initial access through SSH, insert attacker-owned keys for persistence, or harvest SSH keys to spread worm-like across the network, the malware is built with machine identities in mind.
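A planted key in authorized_keys is only invisible if nobody compares the file against an inventory of keys that are supposed to be there. The following audit is an added example, not code from the original page or from Venafi: it parses authorized_keys entries (including option-prefixed ones), computes each key's fingerprint in the same `SHA256:` form that `ssh-keygen -lf` prints, and reports every key whose fingerprint is not in the approved set. Matching on fingerprint rather than on the comment matters because malware can label its key "deploy@ci" just as easily as you can. The sample file and inventory are constructed: the ssh-ed25519 entries are syntactically valid but their 32-byte key material is filler, not real public keys.

```python
"""Find keys in an authorized_keys file that are not in the approved inventory.

Added example, not code from the original page or from Venafi. The keys are
constructed filler, not real public keys; the fingerprint format matches
`ssh-keygen -lf` so a real inventory can be compared directly.
"""
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def constructed_ed25519_key(filler):
    """Build a syntactically valid ssh-ed25519 public key from one filler byte.

    NOT a real key: the 32 bytes are filler, which is enough for fingerprinting.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([filler]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, formatted like `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield {options, type, key, comment, line} for each key entry in the file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The key type is the first token unless the entry starts with options
        # such as from="..." or command="..."; locate the first recognised type.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # unparseable entry; a full audit would report it too
        yield {
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "key": tokens[idx + 1],
            "comment": " ".join(tokens[idx + 2:]),
            "line": raw,
        }


def audit_authorized_keys(text, approved_fingerprints):
    """Return entries whose fingerprint is not in the approved inventory."""
    unknown = []
    for entry in parse_authorized_keys(text):
        entry["fingerprint"] = fingerprint(entry["key"])
        if entry["fingerprint"] not in approved_fingerprints:
            unknown.append(entry)
    return unknown


# Constructed sample inventory and file. The third entry is the planted key;
# its comment deliberately mimics the legitimate first entry.
APPROVED_KEYS = [constructed_ed25519_key(1), constructed_ed25519_key(2)]
APPROVED_FINGERPRINTS = {fingerprint(k.split()[1]) for k in APPROVED_KEYS}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# ~/.ssh/authorized_keys (constructed sample)",
    f"{APPROVED_KEYS[0]} deploy@ci",
    f'from="10.0.0.0/8" {APPROVED_KEYS[1]} ops@bastion',
    f"{constructed_ed25519_key(3)} deploy@ci",
])

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"UNKNOWN KEY {entry['fingerprint']} comment={entry['comment']!r}")
```

In practice the approved set comes from whatever system issues your keys, and the audit runs over every account's authorized_keys (plus any AuthorizedKeysFile paths sshd_config points at), since malware targeting persistence favours root and service accounts rather than the user who noticed the infection.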
What does this mean? Your security strategy must be built with machine identities in mind too. As the attacks outlined above demonstrate, neglecting to properly manage and protect your SSH machine identities is too big a risk to take.
Secure your SSH machine identities today with Venafi SSH Protect!