Venafi Media Alert: Multiple Malware Campaigns Demonstrate How Cybercriminals Exploit SSH Keys
April 23, 2020
SSH abuse, previously limited to sophisticated threat actors, appeared in multiple high-profile malware campaigns in 2019
SALT LAKE CITY – April 23, 2020 – Secure Shell (SSH) provides an authenticated connection between two machines, enabling encrypted data communications and remote command execution. SSH machine identities, also known as SSH keys, control workloads running in cloud computing environments, data center operations, critical infrastructure, VPN connections and more. In addition, SSH keys provide privileged access to critical systems like servers and databases.
“Attackers can use SSH keys to gain undetected root access to critical systems and data, allowing them to do nearly anything from circumventing security controls, injecting fraudulent data, subverting encryption software—or even installing malware,” said Blachman. “Until recently, only sophisticated, well-financed threat actors had this kind of capability. Today, they are becoming a standard part of cybercriminal toolkits, where attackers use SSH to establish backdoors that can remain undetected for years. SSH capabilities have trickled down into off-the-shelf malware, which is available as a service targeting Windows, Linux and MacOS machines.”
Security researchers at Venafi routinely examine samples of high-profile malware campaigns to determine how SSH capabilities are being used. In most cases, the malware appended the attacker’s public key to the target’s authorized_keys file (typically ~/.ssh/authorized_keys for the compromised account), the file the SSH server consults when deciding which keys may log in. Because the server then accepts the attacker’s key like any legitimate one, this single line gives the attacker durable, password-free access that survives reboots and credential resets. In other cases, users’ private SSH keys and client credentials were harvested from the victim for lateral movement and further exploitation.
According to Blachman, these four examples demonstrate the range of successful malware campaigns that leveraged SSH in 2019:
Skidmap: A kernel-mode rootkit, Skidmap gains backdoor access to a targeted machine by adding the attacker’s public SSH key to the authorized key file. Skidmap uses exploits, misconfigurations or exposure to the internet to gain root or administrative access to the system and drop cryptomining malware.
TrickBot: Originally a banking trojan that first appeared in 2016, TrickBot has become a flexible, modular crimeware platform that has shifted its focus to enterprise environments over the years. Its modules cover network profiling, mass data collection and lateral-movement exploits. Last year, TrickBot added credential-grabbing capabilities for both PuTTY (a widely used Windows SSH client) and OpenSSH (the open-source SSH suite used on Linux and other platforms). In addition to targeting credentials, the malware collects information such as the hostname and username, which is used for lateral movement.
CryptoSink: This cryptomining campaign exploited a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems on Windows and Linux platforms to mine Monero (XMR) cryptocurrency. CryptoSink created a backdoor to the targeted server by adding the attacker’s public SSH key to the authorized keys file on the victim’s machine.
Linux Worm: This worm targets vulnerable Exim mail servers on Unix-like systems to deliver Monero cryptocurrency miners. The worm created a backdoor to the server by adding its own SSH public key to the authorized keys file and enabling the SSH server if it was disabled.
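Three of the four campaigns above persist by appending a public key to authorized_keys, so the practical detection is to parse that file and compare every key it grants access to against an allowlist of approved fingerprints. The following is an added example written for this page, not Venafi’s or any of the campaigns’ code: it parses the authorized_keys format (including the optional leading options field, which can contain quoted values with spaces), computes the same SHA256 fingerprint that ssh-keygen -l prints, and flags any key that is not on the allowlist or any line that cannot be parsed. The sample file contents and both key blobs are constructed for illustration and are not real keys.

```python
"""Audit OpenSSH authorized_keys content for keys that are not on an approved allowlist.

Added example for this article; the sample file and key blobs below are constructed.
"""
import base64
import hashlib

# Key types an authorized_keys entry may start with (subset of what OpenSSH accepts).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob (as printed by ssh-keygen -l)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_options(line: str):
    """Split a leading options field from the rest of the line. Options such as
    command="/path with spaces" may contain quoted spaces and escaped quotes."""
    in_quote = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote
        elif ch == "\\" and in_quote:
            i += 1  # skip the escaped character inside a quoted value
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""


def parse_authorized_key(line: str):
    """Parse one authorized_keys line. Returns None for blank/comment lines and a
    dict with an 'error' key when the line is not a usable key entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return {"error": "unrecognised key entry", "raw": line}
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"error": "undecodable key material", "raw": line}
    return {
        "options": options,
        "type": parts[0],
        "fingerprint": fingerprint(blob),
        "comment": parts[2] if len(parts) == 3 else "",
    }


def audit_authorized_keys(text: str, approved: set):
    """Return one finding per line that grants access to a key whose fingerprint is
    not in `approved`, or that cannot be parsed (an unreadable line still deserves a look)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_authorized_key(raw)
        if entry is None:
            continue
        if "error" in entry:
            findings.append({"line": lineno, "reason": entry["error"],
                             "fingerprint": None, "comment": ""})
        elif entry["fingerprint"] not in approved:
            findings.append({"line": lineno, "reason": "key not on allowlist",
                             "fingerprint": entry["fingerprint"], "comment": entry["comment"]})
    return findings


def _fake_ed25519_blob(seed: int) -> bytes:
    """Constructed stand-in shaped like a wire-format ssh-ed25519 public key (not a real key)."""
    name = b"ssh-ed25519"
    key = bytes((seed + i) % 256 for i in range(32))
    return len(name).to_bytes(4, "big") + name + len(key).to_bytes(4, "big") + key


ADMIN_BLOB = _fake_ed25519_blob(1)        # constructed: the one key that should be present
ATTACKER_BLOB = _fake_ed25519_blob(200)   # constructed: the key a backdoor appended

# Constructed sample of ~/.ssh/authorized_keys on a host after a backdoor was planted.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    'command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 '
    + base64.b64encode(ADMIN_BLOB).decode() + " backup@jump-host",
    "ssh-ed25519 " + base64.b64encode(ATTACKER_BLOB).decode() + " unknown-key",
    "ssh-rsa not-valid-base64!!! stray-line",
])
APPROVED = {fingerprint(ADMIN_BLOB)}  # allowlist, normally kept outside the host


def audit_sample():
    """Run the audit over the constructed sample; used by the demo and the checks."""
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"line {f['line']}: {f['reason']} {f['fingerprint'] or ''} {f['comment']}")
```

Run against a real host, feed it the contents of every account’s authorized_keys file and keep the allowlist somewhere the host cannot rewrite; also check the sshd_config AuthorizedKeysFile directive, since it can point at additional paths beyond ~/.ssh/authorized_keys, and a planted key in one of those would not be seen by a script that only reads the default location.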
Blachman added: “Despite the rise in malware campaigns that leverage SSH keys and the fact that they are becoming more accessible and available, organizations routinely overlook the importance of protecting SSH machine identities. The only way for organizations to protect themselves from malware that targets SSH keys is to have complete visibility and comprehensive intelligence across all of the authorized SSH keys they use. Once this is accomplished, automation can be used to eliminate persistent backdoors and reduce risk of key theft and undetected access.”