Emerging Threat: SSH Authorized Key Injection
Executive Summary
- SGI has detected a low-severity intrusion attempt involving the injection of a potentially malicious SSH authorized key.
- The impacted systems are those with exposed SSH services and weak authentication practices.
- The likely objective is unauthorized remote access and control of targeted systems.
- The business risk is moderate, potentially leading to data breaches, service disruption, and reputational damage.
Organizations should proactively review SSH configurations and implement multi-factor authentication to mitigate future risks.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-08-15T15:46:59.015Z | | 14.103.120.XXX | AS4811 | CN (Shanghai) | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
On August 15, 2025, SGI sensors detected suspicious network activity originating from IP address 14.103.120.152, associated with AS4811 (China Telecom). The observed activity involved a TCP connection and included a payload that was identified as a potentially malicious SSH authorized key. This suggests an attempt to gain unauthorized access to a system by injecting a key into the authorized_keys file.
Malware/Technique Overview
The detected malware family is identified as “20250814-195003-d22b649808a2-1-redir__root__ssh_authorized_keys”, which suggests an attempt to inject an SSH key into the /root/.ssh/authorized_keys file. This technique allows attackers to bypass password authentication and gain direct access to the system.
- T1190 – Exploit Public-Facing Application
- T1078.003 – Valid Accounts: Local Accounts
- T1098.004 – Account Manipulation: SSH Keys
- T1555.004 – Credentials from Password Stores: SSH Keys
VirusTotal Snapshot
VirusTotal analysis shows 29 malicious detections out of 62 total scans, with 33 undetected. The file is described as “HTML”. Multiple vendors have flagged this sample under various names, including variants of “redir__root__ssh_authorized_keys” and simply “authorized_keys”. The overall reputation score is -34, indicating a high probability of malicious intent.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 14.103.120.XXX | medium | 2025-08-15T15:46:59.015Z | AS4811 China Telecom (Group) |
| hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high | 2025-08-15T15:46:59.015Z | SHA256 from VirusTotal |
It is recommended to monitor these IoCs for at least 30 days.
Detection & Hunting
Utilize the following queries to identify potential exploitation attempts within your environment.
Splunk SPL
```spl
index=* source=sshd ("PubkeyAccepted" OR "Accepted publickey")
| search user=*
| table _time, user, src_ip, authentication_method, pubkey_fingerprint
```
This query searches for successful SSH public key authentication events, displaying the timestamp, username, source IP, authentication method, and public key fingerprint. Investigate any unexpected or unknown users or source IPs.
Elastic/Kibana KQL
```kql
event.module: "ssh" AND event.action: "ssh_login" AND event.outcome: "success"
```
This query searches for successful SSH login events. Filter by source IP and username to identify any anomalous activity.
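The same hunt carried out against the host itself, as an added example that is not part of the advisory or SGI's tooling: each authorized_keys entry is fingerprinted the way `ssh-keygen -lf` does it and flagged when it is not on an allowlist, and the same allowlist is applied to sshd "Accepted publickey" log lines. The keys, the allowlist and the log lines are constructed for the example.

```python
import base64
import hashlib
import re
# Constructed sample keys: structurally valid ssh-ed25519 blobs around dummy 32-byte
# public-key material, built here only so the example runs offline (not real keys).
def _constructed_ed25519_entry(seed: int, comment: str) -> str:
    blob = (b"\x00\x00\x00\x0bssh-ed25519"               # SSH string "ssh-ed25519"
            + b"\x00\x00\x00\x20" + bytes([seed] * 32))   # SSH string: 32 dummy key bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

def fingerprint(entry: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys entry (as `ssh-keygen -lf`
    prints it): options such as command="..." before the key type and the trailing
    comment are ignored; only the decoded key blob is hashed."""
    fields = entry.split()
    for i, tok in enumerate(fields):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key type token in entry")

def audit_authorized_keys(text: str, allowlist: set) -> list:
    """One finding per key in an authorized_keys file whose fingerprint is not allowlisted."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            fp = fingerprint(line)
            if fp not in allowlist:
                findings.append({"line": lineno, "fingerprint": fp, "entry": line})
    return findings

# sshd logs a successful key login as "Accepted publickey for <user> from <ip> port <n> ssh2: <type> SHA256:<fp>"
LOGIN_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ "
                      r"ssh2: \S+ (?P<fp>SHA256:\S+)")

def audit_auth_log(lines, allowlist: set) -> list:
    """Successful key logins whose fingerprint is not allowlisted: dicts of user, ip, fp."""
    return [m.groupdict() for m in map(LOGIN_RE.search, lines) if m and m.group("fp") not in allowlist]

KNOWN_ADMIN_KEY = _constructed_ed25519_entry(1, "admin@bastion")   # provisioned key
INJECTED_KEY = _constructed_ed25519_entry(2, "root@unknown")       # simulated injected key
ALLOWLIST = {fingerprint(KNOWN_ADMIN_KEY)}                          # e.g. from config management
SAMPLE_AUTHORIZED_KEYS = "# managed file\n" + KNOWN_ADMIN_KEY + "\n" + INJECTED_KEY + "\n"
SAMPLE_LOG = [  # constructed auth.log lines; IPs are documentation ranges, not the IoC
    "Aug 15 15:47:01 h sshd[1234]: Accepted publickey for root from 203.0.113.10 port 51234 ssh2: ED25519 " + fingerprint(KNOWN_ADMIN_KEY),
    "Aug 15 15:48:12 h sshd[1300]: Accepted publickey for root from 198.51.100.7 port 40000 ssh2: ED25519 " + fingerprint(INJECTED_KEY),
    "Aug 15 15:49:00 h sshd[1311]: Failed password for root from 198.51.100.7 port 40001 ssh2",
]
```

A password reset does not revoke an injected key: an entry flagged by `audit_authorized_keys` has to be removed from the file, and its fingerprint checked against the login history to see whether it was already used.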
Containment, Eradication & Recovery
- Isolate: Immediately isolate any affected systems from the network to prevent further compromise.
- Block: Block the identified malicious IP address (14.103.120.152) at the firewall level.
- Scan: Perform a full system scan using updated anti-malware solutions to detect and remove any malicious files or backdoors.
- Reimage: If the system is heavily compromised, consider reimaging it from a clean backup or installation media.
- Reset Credentials: Reset the passwords for all accounts on the affected system, especially those with administrative privileges.
Ensure clear communication between IT and leadership during the containment process.
Preserve all logs and artifacts for forensic analysis.
Hardening & Preventive Controls
- Multi-Factor Authentication (MFA): Implement MFA for all SSH accounts, especially those with administrative privileges. (NIST CSF: PR.AC-1, CIS Controls: 6.3)
- EDR Tuning: Configure Endpoint Detection and Response (EDR) systems to detect suspicious SSH activity, such as unauthorized key modifications. (NIST CSF: DE.CM-1, CIS Controls: 10.1)
- Network Segmentation: Implement network segmentation to limit the blast radius of a potential compromise. (NIST CSF: PR.AC-5, CIS Controls: 14.1)
- Least Privilege: Apply the principle of least privilege to all user accounts, limiting access to only what is necessary. (NIST CSF: PR.AC-3, CIS Controls: 5.1)
- Patch SLAs: Enforce strict patch management SLAs to ensure systems are up-to-date with the latest security patches. (NIST CSF: PR.MA-1, CIS Controls: 7.1)
- Disable Password Authentication: Where possible, disable password authentication for SSH and rely solely on key-based authentication with strong passphrases.
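Added example, not part of the advisory: a checker for the sshd_config directives behind the last control, with a constructed weak config beside a hardened fragment. The baseline it enforces is an assumption for this example; the compiled-in defaults are OpenSSH's, and it reads only global directives, stopping at the first Match block.

```python
import re
# Hardening baseline for the key-injection scenario (assumed, not from the advisory):
# directive -> acceptable values, lower-cased because sshd keywords are case-insensitive.
BASELINE = {
    "passwordauthentication": {"no"},            # advisory: disable password auth
    "kbdinteractiveauthentication": {"no"},      # otherwise PAM can still prompt for a password
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
}
# OpenSSH compiled-in defaults for those directives, used when a config omits them.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes",
            "permitemptypasswords": "no"}

def parse_global(text: str) -> dict:
    """Effective global directives: comments stripped, 'Key value' and 'Key=value' accepted,
    the FIRST occurrence of a keyword wins (sshd silently ignores later duplicates), and
    parsing stops at the first Match block, whose conditional directives are not assessed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text: str) -> dict:
    """Directives whose effective value (explicit or default) violates BASELINE."""
    found = parse_global(text)
    effective = {k: found.get(k, default) for k, default in DEFAULTS.items()}
    return {k: v for k, v in effective.items() if v.lower() not in BASELINE[k]}

WEAK_CONFIG = """# constructed example of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# this later duplicate is ignored by sshd, so it does NOT disable passwords:
PasswordAuthentication no
"""
HARDENED_CONFIG = """# constructed hardened fragment matching the advisory's controls
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""
```

The duplicated `PasswordAuthentication` line in the weak sample is the common mistake: sshd keeps the first occurrence, so appending `no` at the end of the file changes nothing, and `sshd -T` on the host shows which value is actually in effect.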
Business Impact & Risk Outlook
A successful SSH key injection attack can lead to significant operational disruption, data breaches, and potential legal and reputational damage. The risk is heightened for organizations that rely heavily on SSH for remote access and system administration.
In the next 3-6 months, we anticipate an increase in automated SSH intrusion attempts targeting organizations with weak SSH configurations and exposed services. Proactive hardening and monitoring are crucial to mitigate these risks.
Appendix
[Redacted Payload Snippet - Example of injected SSH key]
Assumptions & Data Gaps
- Sensor name is unavailable.
- Exact payload data is unavailable; a redacted example is provided.
- Network port is unavailable.