Compromised SSH Keys Detected: Potential Network Backdoor

Executive Summary

  • SGI detected a malicious file identified as a potentially compromised SSH authorized_keys file.
  • The file originates from an IP address in Singapore (43.156.246.194) and is associated with ASN AS132203.
  • The likely objective is to gain unauthorized remote access to systems via SSH.
  • The business risk level is high, as successful exploitation could lead to data breaches, system compromise, and operational disruption.

Organizations should immediately investigate potentially compromised SSH keys and implement stronger access controls to prevent unauthorized access.

Observed Activity (SGI Sensors)

  ObservedAt:       2025-09-28T09:00:01.764Z
  SensorName:       (not provided)
  SourceIP:         43.156.246.XXX
  SourceASN:        AS132203
  SourceGeo:        SG
  Protocol/Port:    tcp/ (port not provided)
  PayloadPresence:  Yes
  Hash:             a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

SGI sensors detected a suspicious connection from 43.156.246.194, originating from Singapore. The traffic contained a payload identified as a potentially malicious SSH authorized_keys file. This activity suggests a possible attempt to install a backdoor for unauthorized SSH access to systems. The file hash was flagged by multiple vendors on VirusTotal as malicious.

Malware/Technique Overview

The detected file is identified as a potentially compromised SSH authorized_keys file. This file, when placed in a user’s .ssh directory, allows passwordless SSH access for users holding the corresponding private key. Attackers often target these files to establish persistent and stealthy access to compromised systems.

The initial access vector appears to be opportunistic scanning and attempted compromise of SSH services. Successful deployment of this malicious authorized_keys file would grant the attacker persistent access, bypassing normal authentication mechanisms. The aliases observed on VirusTotal suggest multiple targets are being actively attacked.

  • T1190 – Exploit Public-Facing Application
  • T1078.002 – Valid Accounts: Domain Accounts
  • T1098.004 – Account Manipulation: SSH Authorized Keys
  • T1059.004 – Command and Scripting Interpreter: Unix Shell
  • T1556.004 – Credentials from Password Stores: SSH Keys

VirusTotal Snapshot

VirusTotal analysis shows a high number of malicious detections: 29 vendors flagged the file as malicious, while 33 vendors did not detect it. VirusTotal describes the file as HTML with a size of 389 bytes.

Indicators of Compromise (IoCs)

  Type:        ip
  Value:       43.156.246.XXX
  Confidence:  medium
  FirstSeen:   2025-09-28T09:00:01.764Z
  Notes:       AS132203, Tencent Building, Kejizhongyi Avenue

  Type:        hash
  Value:       a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
  Confidence:  high
  FirstSeen:   2025-09-28T09:00:01.764Z
  Notes:       SHA256 from VirusTotal

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

The following queries can be used to detect similar activity:

Splunk SPL

index=* (source=ssh OR sourcetype=ssh) ("ssh_authorized_keys" OR "authorized_keys" OR "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2")
| table _time, host, source, eventtype, _raw

Elastic/Kibana KQL

(source:ssh OR sourcetype:ssh) AND ("ssh_authorized_keys" OR "authorized_keys" OR a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2)

When validating, prioritize alerts where the authorized_keys file is being modified or created in unusual locations or by unusual processes. False positives may include legitimate administrative scripts or software deployments that manage SSH keys.

Containment, Eradication & Recovery

  1. Isolate Affected Systems: Immediately disconnect any systems suspected of compromise from the network to prevent further spread.
  2. Block Malicious IP: Block traffic to and from the identified malicious IP address (43.156.246.194) at the firewall.
  3. Scan for Compromised Keys: Scan all systems for unauthorized modifications to authorized_keys files. Focus on the .ssh directories of user accounts and the root account.
  4. Reimage if Necessary: For systems with confirmed compromise, consider reimaging from a known good backup or clean installation.
  5. Reset Credentials: Reset passwords for all user accounts on affected systems, and consider enforcing password resets across the domain.

Inform IT and leadership about the incident and the containment steps being taken. Ensure that evidence is preserved for forensic analysis.

Hardening & Preventive Controls

  • Multi-Factor Authentication (MFA): Implement MFA for all SSH access to add an extra layer of security (NIST CSF: PR.AC-1, CIS Control 6).
  • EDR Tuning: Fine-tune Endpoint Detection and Response (EDR) systems to detect unusual file modifications, especially in SSH configuration directories (NIST CSF: DE.CM-1, CIS Control 10).
  • Network Segmentation: Segment the network to limit the impact of a potential breach (NIST CSF: PR.AC-4, CIS Control 14).
  • Least Privilege: Enforce the principle of least privilege, ensuring users only have the necessary access rights (NIST CSF: PR.AC-3, CIS Control 5).
  • Patch Management: Maintain a strict patch management schedule to address vulnerabilities in SSH and other software (NIST CSF: PR.MA-1, CIS Control 7).
  • Disable Password Authentication: Disable password authentication for SSH and rely solely on key-based authentication.
  • Regularly Audit SSH Keys: Conduct regular audits of SSH authorized keys to identify and remove any unauthorized or orphaned keys.
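A triage script for containment step 3 and the key-audit control above (an added example, not SGI's code): it parses OpenSSH authorized_keys entries, derives each key's SHA256 fingerprint, and flags keys outside an allowlist, entries that do not parse as a one-line OpenSSH entry (an RFC 4716 "BEGIN SSH2 PUBLIC KEY" block like the one in the appendix falls in this class, since sshd does not accept that format in authorized_keys), blobs whose embedded key type disagrees with the declared type, and a file whose SHA256 equals this advisory's IoC hash. ALLOWED_FINGERPRINTS and the audit_host helper are assumptions of this example.

```python
"""Audit OpenSSH authorized_keys content: flag entries whose key fingerprint is not
in an allowlist, malformed entries, and a file matching the advisory's IoC hash.
Added example, not SGI code; ALLOWED_FINGERPRINTS is a constructed placeholder."""
import base64, hashlib, re
from pathlib import Path
ALLOWED_FINGERPRINTS = set()  # fill from your inventory, in `ssh-keygen -lf` form
IOC_FILE_HASH = "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"  # from this advisory
# One-line OpenSSH entry: [options] keytype base64-blob [comment]
KEY_RE = re.compile(r'(?:^|\s)((?:ssh-|ecdsa-|sk-)\S+)\s+([A-Za-z0-9+/]+={0,2})(?:\s|$)')

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the unpadded-base64 form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str, allowed=ALLOWED_FINGERPRINTS) -> list:
    """Return (line_no, reason, detail) tuples for every entry needing review."""
    findings = []
    if hashlib.sha256(text.encode()).hexdigest() == IOC_FILE_HASH:
        findings.append((0, "ioc-hash-match", IOC_FILE_HASH))
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:  # RFC 4716 "BEGIN SSH2 PUBLIC KEY" wrappers and junk land here
            findings.append((no, "malformed-entry", line[:60]))
            continue
        keytype, blob = m.groups()
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            findings.append((no, "undecodable-blob", keytype))
            continue
        # The blob embeds its own type string; it must match the declared type.
        n = int.from_bytes(raw[:4], "big")
        if raw[4:4 + n] != keytype.encode():
            findings.append((no, "type-mismatch", keytype))
        elif (fp := fingerprint(blob)) not in allowed:
            findings.append((no, "unknown-key", fp))
    return findings

def audit_host(passwd_path="/etc/passwd") -> dict:
    """Audit every account's ~/.ssh/authorized_keys, root included."""
    results = {}
    for entry in Path(passwd_path).read_text().splitlines():
        fields = entry.split(":")
        path = Path(fields[5]) / ".ssh" / "authorized_keys" if len(fields) > 5 and fields[5] else None
        if path and path.is_file():
            results[str(path)] = audit_authorized_keys(path.read_text())
    return results
```

Run audit_host() as root on a suspect system and review every finding; an "unknown-key" hit on a key you cannot trace to an owner is the case step 3 is looking for.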

Business Impact & Risk Outlook

A successful compromise via SSH keys can lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory consequences may arise if sensitive data is accessed.

We anticipate an increase in SSH-based attacks over the next 3-6 months, as attackers seek to exploit vulnerabilities in remote access configurations. Organizations need to strengthen their SSH security posture proactively to mitigate this growing threat.

Appendix

Redacted Payload Snippet:

-----BEGIN SSH2 PUBLIC KEY-----
AAAAB3NzaC1yc2EAAAADAQABAAABAQC+.....REDACTED.....
-----END SSH2 PUBLIC KEY-----

Assumptions & Data Gaps:

  • We assume the payload is intended for malicious purposes based on VirusTotal results.
  • SensorName is missing from the provided data.
  • The specific port used for the connection is unknown.
  • The targeted usernames/systems are unknown.

References: