Poorly Managed SSH Keys Are A Favorite Target for Malware

March 8, 2021 | Kevin Jacque

As many of us look to put the madness of 2020 behind us, one thing is clear: in 2021 we are not going to get a break from attackers, who are not slowing down their efforts to compromise SSH machine identities. SSH malware was already a serious problem. 2020 brought new SSH-focused malware such as Lemon Duck, FritzFrog, and Doki, not to mention TrickBot and Emotet, which roared back to life with new variants. Barely into 2021, attackers are already off to a hot start with Kobalos, Hildegard, and Pro-Ocean hitting the scene.

While each malware family differs slightly in its approach and end goal, one thing is clear: attackers are setting their sights on cloud and DevOps environments. They misuse unmanaged SSH machine identities for persistence and to move laterally through their victims' environments. These types of malware are becoming more sophisticated as time goes on, which makes them all the more difficult to detect without having all of your machine identities under management.

Hildegard uses a legitimate Linux process name to disguise its activities within Kubernetes clusters while it mines cryptocurrency. It is still unknown how Kobalos infiltrated its victims, as it has many obfuscation tactics built in. And Pro-Ocean removes monitoring agents to avoid being found on infected hosts. This begs the question: with unmanaged SSH machine identities, how sure can you be that one of these types of malware isn't on your network already? And how quickly could you remove compromised SSH keys if they are?

How Venafi Can Help

The first step to preventing any SSH-related attack is complete visibility of all the SSH machine identities in your organization. One of the main things Venafi's SSH Protect gives you is an accurate inventory of SSH keys across your environment. Mapping all SSH trust relationships (which keys grant access to which accounts on which hosts) lets you analyze and monitor key usage, so you can quickly detect malicious activity and remove compromised keys with the click of a button.

While discovering what is already in the environment is key to successfully managing SSH machine identities, it is crucial to get new SSH keys under management as quickly as possible. With machines coming online and going offline all the time, building Venafi into the build process gives these machine identities a secure lifecycle: a key is brought into inventory the moment the machine comes online. Immediate onboarding of SSH keys gives application teams the access they need to their workloads while adding an extra layer of protection against bad actors.

Along with visibility and control of SSH keys from their creation, clearly defined SSH key management policies are a cornerstone of protecting these machine identities. Once SSH policies are configured, you can quickly detect keys in the environment that do not meet the policy and remove them.

The final step to preventing an SSH-related attack is to automate the management of your SSH keys and the enforcement of your SSH policies. For example, if your organization's policy dictates that keys must be rotated annually, an automated task can be created to ensure that every key in the relevant keyset is rotated. This gives your organization the peace of mind that your SSH policies are being enforced in a quickly auditable way. Better yet, it's all managed for you through Venafi SSH Protect.
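The inventory, policy check and rotation-age steps described above can be illustrated with a small audit of an authorized_keys file. This is an added example written for this post, not Venafi's or SSH Protect's code: it parses each entry (options, key type, key blob, comment), computes the SHA256 fingerprint the way ssh-keygen prints it, reads the RSA modulus size out of the wire-format blob, and compares every key against an assumed policy (allowed key types, minimum RSA size, annual rotation) using a first-seen date per fingerprint. The policy values, the authorized_keys content and the first-seen dates are all constructed; the RSA and Ed25519 blobs are placeholders of the right shape and size, not real key material.

```python
"""Inventory an authorized_keys file and check every key against an SSH key policy (added example)."""
import base64
import hashlib
import struct
from datetime import date

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
# Assumed policy: only these key types, RSA at 3072 bits or more, rotation at least yearly.
POLICY = {"allowed_types": {"ssh-ed25519", "ssh-rsa"}, "min_rsa_bits": 3072, "max_age_days": 365}


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed string from an SSH wire-format blob (RFC 4253 encoding)."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4: off + 4 + n], off + 4 + n


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints: base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_blob(b64text: str) -> dict:
    """Decode the base64 key blob and extract the key type and its size in bits."""
    blob = base64.b64decode(b64text, validate=True)
    ktype, off = _read_string(blob, 0)
    ktype, bits = ktype.decode(), None
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent (mpint), not needed for the size check
        n_bytes, off = _read_string(blob, off)  # modulus (mpint); a leading 0x00 does not count
        bits = int.from_bytes(n_bytes, "big").bit_length()
    elif ktype == "ssh-ed25519":
        bits = 256
    return {"type": ktype, "bits": bits, "fingerprint": fingerprint(blob)}


def _split_options(line: str):
    """Split leading options (which may contain quoted spaces) from the key fields."""
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quote = not in_quote
        elif c == "\\":
            i += 1                              # skip the escaped character
        elif c == " " and not in_quote:
            break
        i += 1
    return line[:i], line[i:].strip()


def parse_authorized_keys(text: str) -> list:
    """Return one inventory record per key entry; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = _split_options(line)
        parts = rest.split(None, 2)             # key type, base64 blob, optional comment
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: missing key type or key data")
        entry = parse_blob(parts[1])
        if entry["type"] != parts[0]:
            raise ValueError(f"line {lineno}: declared type {parts[0]} does not match the blob")
        entry.update(options=options, comment=parts[2] if len(parts) > 2 else "")
        entries.append(entry)
    return entries


def check_policy(entry: dict, first_seen: dict, today: date, policy: dict = POLICY) -> list:
    """List the policy violations of one entry; an empty list means the key is compliant."""
    violations = []
    if entry["type"] not in policy["allowed_types"]:
        violations.append(f"key type {entry['type']} is not allowed")
    if entry["type"] == "ssh-rsa" and entry["bits"] < policy["min_rsa_bits"]:
        violations.append(f"RSA key is {entry['bits']} bits, policy minimum is {policy['min_rsa_bits']}")
    seen = first_seen.get(entry["fingerprint"])  # date discovery first inventoried this key
    if seen is None:
        violations.append("key is not in the inventory (never onboarded)")
    elif (today - seen).days > policy["max_age_days"]:
        violations.append(f"key is {(today - seen).days} days old, rotation is overdue")
    return violations


def audit(text: str, first_seen: dict, today: date, policy: dict = POLICY) -> dict:
    """Map each entry's fingerprint to its list of violations."""
    return {e["fingerprint"]: check_policy(e, first_seen, today, policy) for e in parse_authorized_keys(text)}


# ---- constructed sample data: placeholder blobs of the right shape, not real keys ----
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))  # extra byte keeps the sign bit clear

def _rsa_blob(bits: int) -> bytes:
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << (bits - 1)) | 1)

def _ed25519_blob(fill: int) -> bytes:
    return _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)

_b64 = lambda blob: base64.b64encode(blob).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# deploy user on build01 (constructed sample)",
    f"ssh-ed25519 {_b64(_ed25519_blob(7))} ci-runner@build01",
    f'from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-rsa {_b64(_rsa_blob(2048))} backup@legacy',
    f"ssh-rsa {_b64(_rsa_blob(4096))} ops@jumphost",
])
TODAY = date(2021, 3, 8)
FIRST_SEEN = {                                   # constructed discovery dates per fingerprint
    fingerprint(_ed25519_blob(7)): date(2021, 2, 6),
    fingerprint(_rsa_blob(2048)): date(2021, 1, 20),
    fingerprint(_rsa_blob(4096)): date(2020, 1, 10),   # older than a year: rotation overdue
}

if __name__ == "__main__":
    for entry in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry["fingerprint"], entry["type"], entry["bits"], entry["comment"],
              check_policy(entry, FIRST_SEEN, TODAY) or "compliant")
```

Run against the sample, the Ed25519 key is compliant, the 2048-bit RSA key fails the size rule, and the 4096-bit key is flagged because its first-seen date is more than a year old; a key whose fingerprint is absent from the inventory is reported as never onboarded, which is the case the "immediate onboarding" paragraph above is about. The same functions work on a real file by passing its contents as `text` and a fingerprint-to-date map exported from whatever discovery tool you use.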
