Skip to main content
banner image
venafi logo

KOBALOS Linux Malware Targets SSH Machine Identities and Propagates Through SSH

KOBALOS Linux Malware Targets SSH Machine Identities and Propagates Through SSH

February 18, 2021 | A. Morris

Researchers continue to uncover new malware targeting SSH machine identities on Linux and Unix-based platforms every day. A recent new research by ESET unveils the details of a new multi-platform backdoor dubbed Kobalos, targeting Linux, FreeBSD, Solaris, and possibly AIX and Windows as well. The backdoor is designed to steal SSH machine identities and propagate through SSH.

The targets of Kobalos were in Europe, North America, and Asia and included high profile servers in academia (including high-performance computers), an endpoint security vendor, and a large ISP.

ESET researchers discovered an SSH machine identity stealer on compromised machines. It is plausible that the backdoor replaced the /usr/bin/ssh file with a modified executable—a trojanized OpenSSH client—that recorded SSH credentials and keys and target hostname and wrote them to an encrypted file.

According to the report, this may be one of the ways Kobalos propagates and can explain how numerous interconnected academic networks were compromised.

How can Venafi help?

Using Venafi SSH Protect to manage your SSH machine identities, you can discover all SSH machine identities in the environment, who they belong to and what they are used for. This comprehensive visibility will help you maximize threat detection in encrypted traffic, maintain active control over SSH keys and centralize your machine identity governance and administration.

Once you have a complete inventory of your SSH machine identities, you should map all trust relationships and identify and remove any orphaned and duplicate authorized keys. You should also ensure passphrase protection, key length and algorithms. Furthermore, you should assign ownership of all access granting keys, and monitor and analyze key-based access usage.

Here’s a list of actions you should take to protect your SSH machine identities.

  • Control SSH identities and authorized keys
  • Control SSH configuration files and known hosts files to prevent any tampering
  • Implement clearly defined SSH key management policies
  • Define SSH hardening configurations
  • Create inventory and remediation policy
  • Establish continuous monitoring and audit process
  • Automate the whole process
Further reading:

Are you securing your SSH connections? Get a free assessment with SSH Protect!

Like this blog? We think you will love this.
Featured Blog

All About SSH Key Management and SSH Machine Identities

SSH is a secure way to initiate remote computer access and en

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more