Emerging Threat: Unauthorized SSH Key Injection
Executive Summary
- SGI has observed activity indicating unauthorized injection of SSH keys on monitored systems.
- This activity could impact any organization utilizing SSH for remote access and system administration.
- The likely objective is to establish persistent and covert access to compromised systems.
- The business risk level is considered medium to high, depending on the criticality of affected systems.
Organizations should proactively audit SSH configurations and implement monitoring to detect and prevent unauthorized key additions, as attackers may broaden their target scope in the coming months.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-08-15T04:30:06.278Z | (not provided) | 135.0.208.XXX | AS54614 | CA | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
SGI sensors detected a suspicious TCP connection originating from IP address 135.0.208.122 (ASN AS54614, Toronto, CA). The connection carried a payload identified as a potentially malicious SSH authorized key. This observation suggests an attempt to inject an unauthorized key into the system's SSH configuration, which would grant the attacker persistent access. The payload's hash was flagged by VirusTotal, further indicating malicious intent.
Malware/Technique Overview
The observed activity is attributed to a campaign involving the injection of malicious SSH keys. The attacker's goal is to add their own public key to the authorized_keys file of user accounts (likely root) on targeted systems. Once the key is in place, the attacker can log in without the account's password, bypassing password-based authentication entirely. This grants persistent and stealthy access and enables further malicious activity, such as data exfiltration or lateral movement within the network.
- T1190 – Exploit Public-Facing Application
- T1078.003 – Valid Accounts: Local Accounts
- T1098.004 – Account Manipulation: SSH Authorized Keys
- T1059.004 – Command and Scripting Interpreter: Unix Shell
- T1555.003 – Credentials from Password Stores: SSH Keys
- T1021.004 – Remote Services: SSH
- T1047 – Windows Management Instrumentation
VirusTotal Snapshot
VirusTotal analysis of the detected file (SHA256: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) shows 29 of 62 engines flagging it as malicious; 33 vendors did not detect the file. Some vendors identify the file as related to SSH key manipulation. The file has several aliases, suggesting it has been seen multiple times with slight variations.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 135.0.208.XXX | medium | 2025-08-15T04:30:06.278Z | AS54614 CIK Telecom INC |
| hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high | 2025-08-15T04:30:06.278Z | SHA256 from VirusTotal |
It is recommended to monitor these IoCs for at least 30 days.
Detection & Hunting
Splunk SPL
index=* src_ip=135.0.208.122 OR hash="a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"
| table _time, host, src_ip, dest_ip, user, file_hash
This query searches for network connections from the identified IP address or files matching the malicious hash. Validate results by correlating with SSH login events and authorized key modifications.
Elastic/Kibana KQL
src_ip:"135.0.208.122" OR hash:"a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"
This KQL query searches for events containing the malicious IP or hash. Review events for unusual SSH activity, especially involving root or privileged accounts.
Containment, Eradication & Recovery
- Isolate affected systems from the network to prevent further compromise.
- Block the malicious IP address (135.0.208.122) at the firewall level.
- Scan all systems for unauthorized SSH keys in authorized_keys files, paying close attention to root and other privileged accounts.
- Reimage any systems confirmed to be compromised to ensure complete eradication.
- Reset passwords for all user accounts on affected systems, and enforce multi-factor authentication (MFA) where possible.
Inform IT and leadership about the incident, steps taken, and potential impact. Preserve all relevant logs and artifacts for forensic analysis.
Hardening & Preventive Controls
- Implement Multi-Factor Authentication (MFA) for all SSH logins (NIST CSF: PR.AC-1, CIS Control 6).
- Regularly audit SSH keys and remove any unauthorized or unknown keys (NIST CSF: PR.AC-4, CIS Control 5).
- Enforce strict password policies, including complexity requirements and regular password changes (NIST CSF: PR.AC-7, CIS Control 14).
- Implement network segmentation to limit the impact of a potential breach (NIST CSF: PR.DS-5, CIS Control 13).
- Keep systems patched and up-to-date, with a focus on security vulnerabilities (NIST CSF: PR.IP-1, CIS Control 7).
- Monitor SSH logs for suspicious activity, such as failed login attempts or unauthorized key modifications.
If SSH is exposed to the internet, consider using a VPN or SSH bastion host for added security.
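The authorized_keys audit called for under Containment and the monitoring of SSH logs for logins with unknown keys under Hardening can both be driven from one inventory of approved key fingerprints. The script below is an added example, not SGI tooling: it parses authorized_keys entries (including ones hidden behind an options prefix), computes the same SHA256 fingerprint that ssh-keygen -lf prints, and flags both file entries and sshd "Accepted publickey" log lines whose fingerprint is not in the allowlist. The key blobs, log lines and IPs are constructed sample data; in practice the allowlist comes from fingerprints of the keys you have approved.

```python
import base64
import hashlib
import re
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
KEY_LINE = re.compile(r"^(?:(?P<opts>\S.*?)\s+)?(?P<type>%s)\s+(?P<blob>[A-Za-z0-9+/=]+)\s*(?P<comment>.*)$"
                      % "|".join(re.escape(t) for t in KEY_TYPES))
# OpenSSH 6.8+ logs the key fingerprint on every successful public-key login.
LOGIN_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)")

def fingerprint(blob_b64):
    """SHA256 fingerprint of a base64 key blob, formatted the way ssh-keygen -lf prints it."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(blob_b64)).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (options, keytype, blob, comment) per key line; blanks and '#' comments are skipped."""
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_LINE.match(line) if line and not line.startswith("#") else None
        if m:  # the options field (e.g. command="...",no-pty) may contain spaces inside quotes
            yield (m.group("opts") or "", m.group("type"), m.group("blob"), m.group("comment"))

def audit(user, text, allowlist):
    """Return every key in an authorized_keys file whose fingerprint is not in the inventory."""
    return [{"user": user, "fingerprint": fingerprint(blob), "type": ktype, "options": opts, "comment": comment}
            for opts, ktype, blob, comment in parse_authorized_keys(text) if fingerprint(blob) not in allowlist]

def suspicious_logins(log_lines, allowlist):
    """Return (user, ip, fingerprint) for sshd public-key logins made with a non-inventoried key."""
    matches = (LOGIN_RE.search(line) for line in log_lines)
    return [(m.group("user"), m.group("ip"), m.group("fp")) for m in matches if m and m.group("fp") not in allowlist]

def _constructed_ed25519_blob(filler):
    """Constructed key blob in OpenSSH wire format (not a real key pair): string type + 32 key bytes."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([filler]) * 32
    return base64.b64encode(raw).decode()

KNOWN_BLOB = _constructed_ed25519_blob(0x01)
ROGUE_BLOB = _constructed_ed25519_blob(0x02)
ALLOWLIST = {fingerprint(KNOWN_BLOB)}  # in practice: fingerprints of the keys you have approved
# Constructed sample data: one inventoried key plus a rogue entry tucked behind an options prefix.
SAMPLE_AUTHORIZED_KEYS = (f"# admin laptop\nssh-ed25519 {KNOWN_BLOB} admin@laptop\n"
                          f'command="/usr/bin/true",no-pty ssh-ed25519 {ROGUE_BLOB}\n')
SAMPLE_AUTH_LOG = [
    "Aug 15 04:30:07 host sshd[1234]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2: ED25519 " + fingerprint(ROGUE_BLOB),
    "Aug 15 04:31:00 host sshd[1240]: Accepted publickey for admin from 198.51.100.7 port 40000 ssh2: ED25519 " + fingerprint(KNOWN_BLOB),
]
```

Run `audit("root", open("/root/.ssh/authorized_keys").read(), ALLOWLIST)` per account and `suspicious_logins` over the sshd journal to get both the rogue file entries and the logins that already used them.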
Business Impact & Risk Outlook
Successful SSH key injection can lead to significant operational disruption, data breaches, and reputational damage. Attackers can use compromised systems to launch further attacks, steal sensitive information, or disrupt critical business processes. Legal and regulatory compliance may also be affected, especially if sensitive data is exposed.
In the next 3-6 months, we anticipate an increase in SSH-based attacks, targeting organizations with weak SSH security configurations. Attackers will likely leverage automated tools to scan for vulnerable systems and exploit misconfigurations.
Appendix
Redacted Payload Snippet:
...redacted malicious SSH public key...
Assumptions & Data Gaps:
- SensorName, Network.Port, PayloadSample and ImageURL were not provided in the input.
- Exact initial access vector is unknown.
References:
Protect your organization from emerging threats with Sentry Global Intelligence & Consulting Group (SGI). Our expert team provides comprehensive security solutions tailored to your specific needs.