Compromised SSH Keys via Hostile Web Redirect
Executive Summary
- SGI detected a potentially malicious SSH authorized_keys file.
- The activity originated from an IP address in China (221.229.218.50).
- The likely objective is unauthorized access to systems via SSH.
- The business risk is low due to the low severity and the need for local execution, but could escalate if successful.
- We anticipate attackers will continue to leverage web redirects to deliver malicious payloads targeting SSH configurations.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-08-15T00:04:16.614Z | (not provided) | 221.229.218.XXX | AS4134 | CN | tcp/ (port not provided) | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
SGI sensors detected a suspicious file being accessed, identified as a potentially malicious SSH authorized_keys file. The file originated from an IP address in China. The file hash was submitted to VirusTotal, and the results indicate it has been flagged as malicious by multiple vendors. The activity suggests a possible attempt to gain unauthorized access to systems via SSH key compromise.
Malware/Technique Overview
The detected malware family is identified as related to SSH authorized_keys manipulation via web redirects. The attacker likely uses a compromised website or malicious advertisement to redirect the victim to a server hosting the malicious `authorized_keys` file. If a user downloads this file and places it in their `.ssh` directory (or a system-wide equivalent), the attacker can gain unauthorized SSH access to the affected system.
- MITRE ATT&CK: T1199 – Drive-by Compromise
- MITRE ATT&CK: T1550.002 – Use Alternate Authentication Material: SSH Keys
VirusTotal Snapshot
VirusTotal analysis shows 29 vendors flagged the sample as malicious, while 33 vendors did not detect it. The file is described as HTML, suggesting it may involve a redirection or other web-based attack vector.
The following aliases were also associated with this sample:
20250814-195003-d22b649808a2-1-redir__root__ssh_authorized_keys,
20250814-191502-c1a917acabd3-1-redir__root__ssh_authorized_keys,
authorized_keys, etc.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 221.229.218.XXX | medium | 2025-08-15T00:04:16.614Z | AS4134 CHINANET-BACKBONE |
| hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high | 2025-08-15T00:04:16.614Z | SHA256 from VirusTotal |
We recommend monitoring these IoCs for at least 30 days.
Detection & Hunting
Splunk SPL:
index=* (sha256="a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2" OR ip_address="221.229.218.*")
| table _time, host, source, eventtype, user, file_path, ip_address, sha256
This query searches for events containing the malicious SHA256 hash or the 221.229.218.0/24 range. The IP term uses a wildcard because a plain field=value search in Splunk does not interpret CIDR notation; use cidrmatch() in a where clause if you need a non-octet-aligned range. Validate any hits to confirm they relate to the malicious activity and are not false positives.
Elastic/Kibana KQL:
(sha256 : "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2" or ip : "221.229.218.0/24")
This query searches for events containing the malicious SHA256 hash or IP range; KQL applies CIDR notation only to fields mapped as the ip type, so check the mapping of your ip field. Validate any hits to confirm they relate to the malicious activity and are not false positives.
Containment, Eradication & Recovery
- Isolate affected systems from the network to prevent further compromise.
- Block the malicious IP address (221.229.218.50) at the firewall.
- Scan systems for the malicious `authorized_keys` file and remove it. Pay close attention to user `.ssh` directories and system-wide configurations (e.g., `/etc/ssh/`).
- If a system has been actively compromised, consider reimaging it from a known good backup.
- Reset SSH keys and passwords for any potentially affected accounts.
Inform relevant IT staff and leadership about the incident and remediation steps. Preserve evidence (e.g., system logs, network traffic) for potential forensic analysis.
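The Detection & Hunting queries above cover the SIEM side; the host-side sweep called for in the containment step ("scan systems for the malicious authorized_keys file") needs a local check. The following is an added example, not SGI's tooling: it hashes each authorized_keys file against the SHA256 from the IoC table, parses every key line (including lines with an options prefix such as command= or from=) and reports any key whose OpenSSH-style SHA256 fingerprint is not on an allowlist, plus any line that fails to parse. The allowlist, the sweep paths (/root/.ssh and /home/*/.ssh) and the sample key blobs are assumptions; the blobs are base64 filler, not real keys.

```python
import base64
import binascii
import hashlib
import re
from pathlib import Path

# SHA256 of the flagged authorized_keys sample, taken from the report's IoC table.
IOC_SHA256 = "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"

# Public key types OpenSSH accepts. The first token matching this marks where the key
# starts; anything before it is an options prefix (command=..., from=..., no-pty, ...).
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_ioc(data: bytes) -> bool:
    """True when the file content hashes to the IoC from the report."""
    return sha256_hex(data) == IOC_SHA256


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (same form as ssh-keygen -lf)."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse authorized_keys text into one dict per non-comment line.

    Lines that cannot be parsed are kept with an 'error' key so a hunt surfaces
    them instead of silently dropping them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if KEY_TYPE_RE.match(f)), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append({"line": lineno, "raw": line, "error": "no recognised key type / blob"})
            continue
        entry = {
            "line": lineno,
            "options": " ".join(fields[:idx]),  # '' when the key carries no restrictions
            "type": fields[idx],
            "comment": " ".join(fields[idx + 2:]),
            "raw": line,
        }
        try:
            entry["fingerprint"] = fingerprint(fields[idx + 1])
        except (binascii.Error, ValueError):
            entry["error"] = "key blob is not valid base64"
        entries.append(entry)
    return entries


def find_unexpected_keys(text: str, allowed_fingerprints: set[str]) -> list[dict]:
    """Entries whose fingerprint is not on the allowlist, plus any unparseable lines."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append({**e, "reason": e["error"]})
        elif e["fingerprint"] not in allowed_fingerprints:
            findings.append({**e, "reason": "fingerprint not in allowlist"})
    return findings


def scan_file(path: Path, allowed_fingerprints: set[str]) -> dict:
    """Hash one authorized_keys file against the IoC and list unexpected keys in it."""
    data = path.read_bytes()
    text = data.decode("utf-8", errors="replace")
    return {
        "path": str(path),
        "sha256": sha256_hex(data),
        "ioc_match": matches_ioc(data),
        "unexpected": find_unexpected_keys(text, allowed_fingerprints),
    }


# Constructed sample: the key blobs are base64 filler, not real public keys.
SAMPLE = """\
# constructed sample for the example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIQ29uc3RydWN0ZWRTYW1wbGVLZXlPbmUwMDAwMDAwMDA ops@bastion
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQQ29uc3RydWN0ZWRTYW1wbGVLZXlUd28wMD backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIQ29uc3RydWN0ZWRTYW1wbGVLZXlUaHJlZTAwMDAwMDA nobody@nowhere
this line is not a key
"""

if __name__ == "__main__":
    # Assumption: the allowlist is the organisation's key inventory; here, the first two sample keys.
    known = {e["fingerprint"] for e in parse_authorized_keys(SAMPLE)[:2]}
    for f in find_unexpected_keys(SAMPLE, known):
        print(f"line {f['line']}: {f['reason']} :: {f['raw']}")
    # Sweep the default OpenSSH locations on this host (assumed layout).
    for p in [Path("/root/.ssh/authorized_keys"), *Path("/home").glob("*/.ssh/authorized_keys")]:
        if p.is_file():
            print(scan_file(p, known))
```

Run it as root so the home directories are readable, and add any non-default AuthorizedKeysFile paths from sshd_config to the sweep list. A fingerprint allowlist catches the realistic case as well as the exact IoC: an attacker who edits a single key into an existing file changes the file hash, but the unknown fingerprint still stands out.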
Hardening & Preventive Controls
- Multi-Factor Authentication (MFA): Enforce MFA for all SSH access to prevent unauthorized logins, even with compromised keys. (NIST CSF: PR.AC-1, CIS Control 6)
- Endpoint Detection and Response (EDR) Tuning: Configure EDR solutions to detect and alert on suspicious file modifications, especially in SSH configuration directories. (NIST CSF: DE.CM-1, CIS Control 8)
- Network Segmentation: Segment the network to limit the impact of a successful SSH compromise. (NIST CSF: PR.AC-4, CIS Control 14)
- Principle of Least Privilege: Grant users only the minimum necessary privileges to perform their tasks. (NIST CSF: PR.AC-3, CIS Control 5)
- Patch Management SLAs: Maintain a strict patch management schedule to address vulnerabilities in SSH and related software. (NIST CSF: PR.MA-1, CIS Control 7)
- Disable Password Authentication: Where possible, disable password-based SSH authentication and rely solely on key-based authentication with strong key management practices.
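Several of the controls above (MFA on SSH, least privilege for root, disabling password authentication) are expressed in sshd_config, and a hunt benefits from a repeatable check that a host actually carries them. The following is an added example, not SGI's or OpenSSH's own code: it reads the global section of an sshd_config, fills in OpenSSH's documented defaults for unset directives, and reports the weak settings. The weak and hardened sample configs are constructed; the hardened one assumes MFA is delivered through PAM keyboard-interactive and that authorized keys are kept in a root-owned directory, which is one common way to stop a dropped ~/.ssh/authorized_keys from being honoured.

```python
import re

# Effective OpenSSH defaults for the directives audited here (assumption: OpenSSH 7.x or
# newer, where PermitRootLogin defaults to prohibit-password).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}

# Older configs use the previous name for the keyboard-interactive switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Global directives of an sshd_config, keys lower-cased; first occurrence wins, as in sshd.

    Simplification: parsing stops at the first Match block, because those directives
    apply only to the matched users/hosts.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)  # accepts 'Key value' and 'Key=value'
        if len(parts) < 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip())
    return settings


def effective(settings: dict[str, str], key: str) -> str:
    return settings.get(key, DEFAULTS[key]).lower()


def audit_sshd_config(text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means the checks all pass."""
    s = parse_sshd_config(text)
    findings = []
    if effective(s, "passwordauthentication") == "yes":
        findings.append("PasswordAuthentication is yes (the default): set 'PasswordAuthentication no'")
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled; key-based logins will fail")
    if effective(s, "permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes permits direct root logins; use 'no' or 'prohibit-password'")
    if "authenticationmethods" not in s:
        findings.append("AuthenticationMethods unset: sshd does not require a second factor "
                        "(assumption: MFA is delivered via keyboard-interactive/PAM)")
        if effective(s, "kbdinteractiveauthentication") == "yes":
            findings.append("KbdInteractiveAuthentication yes without AuthenticationMethods: "
                            "PAM can still accept a password prompt")
    akf = s.get("authorizedkeysfile", DEFAULTS["authorizedkeysfile"])
    if any(not p.startswith("/") for p in akf.split()):
        findings.append(f"AuthorizedKeysFile '{akf}' lives in the user's home directory, so a "
                        "dropped file is honoured at once; consider a root-owned path")
    return findings


# Constructed samples for the example.
WEAK_CONFIG = """\
# typical distro defaults plus two loosened settings
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print(" -", finding)
```

The parser deliberately mirrors sshd's first-match semantics, so a `PasswordAuthentication no` appended below an existing `PasswordAuthentication yes` is reported as still weak; compare its output with `sshd -T` on the host when in doubt, since that prints the running daemon's effective configuration.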
Business Impact & Risk Outlook
A successful SSH key compromise can lead to unauthorized access to critical systems, potentially causing data breaches, service disruptions, and reputational damage. Legal and compliance risks may arise if sensitive data is exposed. We anticipate attackers will continue to target SSH configurations using various techniques, including web redirects and social engineering. Organizations should prioritize SSH security and implement robust preventive controls.
Appendix
Assumptions & Data Gaps:
- We are assuming that any system which downloaded this malicious `authorized_keys` file is at risk of compromise.
- The specific payload of the redirect is not available.
- The sensor name and network port were not provided.
References:
This is a developing situation, and SGI continues to monitor for related activity. Ensure your organization is prepared to respond to similar incidents. Request an Incident Readiness Review to assess your security posture. Leverage 24/7 Monitoring with Sentry365™ for continuous threat detection and response. Consider a vCISO Advisory engagement for expert guidance on security strategy and risk management.