Observed SSH Authorized Keys Modification Attempt from South Korea
Executive Summary
- SGI sensors detected an attempt to modify SSH authorized keys on a monitored system.
- The activity originated from IP address 210.183.21.53, located in South Korea.
- The likely objective is to gain unauthorized remote access to the targeted system.
- The business risk is moderate, potentially leading to data breach, system compromise, or service disruption.
Organizations should immediately review SSH access controls and monitor for suspicious activity to prevent unauthorized access.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-09-29T07:58:27.844Z | (not recorded) | 210.183.21.XXX | AS4766 | KR | tcp/ (port not recorded) | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
On September 29, 2025, at 07:58:27 UTC, SGI sensors detected a suspicious network connection originating from IP address 210.183.21.53 (AS4766, Korea Telecom) in South Korea; the address appears partially redacted in the tables. The connection used TCP (the destination port was not recorded), and a payload was present. The payload’s SHA256 hash is a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2, which VirusTotal identifies as related to SSH authorized keys modification attempts. This suggests an intrusion attempt whose goal is persistent remote access that does not depend on any password and therefore survives a password reset.
Malware/Technique Overview
The observed payload is tagged with the signature name ‘20250928-201502-284b68940f03-1-redir__home_rke__ssh_authorized_keys’. This is a sensor-generated cluster label (timestamp, cluster identifier and a short description of the behaviour) rather than an established malware family name; the description points at a shell redirect (`redir`) into an authorized_keys file under a user’s home directory. The cluster is associated with attempts to modify the authorized_keys file in various user home directories (e.g., root, user1, odoo). The typical objective is to establish unauthorized SSH access by appending an attacker-controlled public key to the authorized keys file, which gives the attacker a login that bypasses password authentication entirely.
- MITRE ATT&CK: T1133 – External Remote Services
- MITRE ATT&CK: T1078 – Valid Accounts
- MITRE ATT&CK: T1556 – Modify Authentication Process
- MITRE ATT&CK: T1098 – Account Manipulation, specifically sub-technique T1098.004 – SSH Authorized Keys
VirusTotal Snapshot
VirusTotal analysis of the file (SHA256: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) shows that 28 vendors flagged it as malicious, while 33 vendors did not detect it. VirusTotal labels the file type as ‘HTML’, i.e. a text artifact rather than a native executable, and lists multiple detection aliases that refer to authorized_keys modification. The detection names, not the file type, are what tie the sample to this technique; a roughly even vendor split is common for small text payloads and is not evidence that the sample is benign.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 210.183.21.XXX | medium | 2025-09-29T07:58:27.844Z | AS4766 Korea Telecom |
| hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high | 2025-09-29T07:58:27.844Z | SHA256 from VirusTotal |
It is recommended to monitor these IoCs for at least 30 days.
Detection & Hunting
Splunk SPL
(index=*network* OR sourcetype=*network*) (src_ip="210.183.21.0/24" OR dest_ip="210.183.21.0/24" OR file_hash="a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2")
| table _time, src_ip, dest_ip, dest_port, user, file_hash
This query returns events that involve the identified /24 or that carry the identified SHA256. CIDR matching in Splunk only works when the address is compared against a field such as `src_ip`; a bare `210.183.21.0/24` search term matches nothing. The IP and hash conditions are combined with OR rather than AND because a network sensor event rarely records a file hash; hash hits will normally come from endpoint or EDR sources, so widen `index`/`sourcetype` to those if the hash returns nothing. False positives include legitimate traffic to or from Korea Telecom customers, since the /24 is broader than the single observed source. Validate the user context and any file activity on the destination host.
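The Splunk search above hunts the network IoCs, but the modification itself is only visible on the host. The following is an added example, not SGI sensor code or tooling from the page, of how to pull successful writes to authorized_keys out of Linux auditd records and triage them. It assumes an auditd watch rule on the key files (shown in the docstring) and standard auditd field names; the audit lines it runs over are constructed for the example and are not real sensor data.

```python
"""Host-side detection of writes to authorized_keys from Linux audit records.

Added example, not SGI sensor code. It assumes auditd is watching the key
files, e.g. in /etc/audit/rules.d/ssh.rules:
    -w /root/.ssh/authorized_keys -p wa -k ssh_authorized_keys
    -w /home/ -p wa -k ssh_authorized_keys
Sample records at the bottom are constructed (paths, PIDs and inodes invented).
"""
import re
from dataclasses import dataclass

# x86_64 syscall numbers. open/openat need a flags check; the others always modify.
OPEN_SYSCALLS = {2: "open", 257: "openat"}
MODIFY_SYSCALLS = {1: "write", 82: "rename", 264: "renameat", 316: "renameat2",
                   87: "unlink", 263: "unlinkat"}
WRITE_FLAGS = 0o1 | 0o2 | 0o100 | 0o1000 | 0o2000  # O_WRONLY|O_RDWR|O_CREAT|O_TRUNC|O_APPEND
KEYFILE_RE = re.compile(r"/\.ssh/authorized_keys2?$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
AUID_UNSET = 4294967295  # login uid not set: cron jobs and daemons

@dataclass
class KeyfileWrite:
    ts: float
    serial: int
    path: str
    auid: int
    uid: int
    comm: str
    exe: str
    via: str  # syscall that touched the file

def parse_fields(line):
    """Turn 'k=v k2="v 2"' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def modifying_syscall(fields):
    """Name of the syscall if it could alter the file, else None."""
    nr = int(fields.get("syscall", -1))
    if nr in MODIFY_SYSCALLS:
        return MODIFY_SYSCALLS[nr]
    if nr in OPEN_SYSCALLS and int(fields.get("a2", "0"), 16) & WRITE_FLAGS:
        return OPEN_SYSCALLS[nr]  # a2 holds the flags for open(2)/openat(2)
    return None

def find_keyfile_writes(audit_log):
    """Group records by audit serial; return successful writes to authorized_keys."""
    events = {}
    for line in audit_log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)),
                               {"ts": float(m.group(1)), "syscall": None, "paths": []})
        f = parse_fields(line)
        if f.get("type") == "SYSCALL":
            ev["syscall"] = f
        elif f.get("type") == "PATH" and f.get("nametype") != "PARENT":
            ev["paths"].append(f.get("name", ""))
    hits = []
    for serial, ev in sorted(events.items()):
        sc = ev["syscall"]
        if not sc or sc.get("success") != "yes":
            continue
        via = modifying_syscall(sc)
        if via is None:
            continue
        for path in ev["paths"]:
            if KEYFILE_RE.search(path):
                hits.append(KeyfileWrite(ev["ts"], serial, path, int(sc["auid"]),
                                         int(sc["uid"]), sc["comm"], sc["exe"], via))
    return hits

def triage(hit):
    """Cheap priority flags a responder would look at first."""
    reasons = []
    if hit.comm in {"bash", "sh", "dash", "zsh"} and hit.auid != AUID_UNSET:
        reasons.append("interactive shell redirected into key file")
    if hit.auid == AUID_UNSET:
        reasons.append("written outside any login session (cron/daemon)")
    if hit.path.startswith("/root/"):
        reasons.append("root account targeted")
    return reasons

# Constructed sample: a shell append to a service account's key file (a2=0x441 is
# O_WRONLY|O_CREAT|O_APPEND, i.e. '>>'), a write to known_hosts, and an unattended
# overwrite of root's key file (a2=0x241 is O_WRONLY|O_CREAT|O_TRUNC).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1759132707.844:1201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c0 a2=441 a3=1a4 items=2 ppid=2310 pid=2375 auid=1001 uid=1001 gid=1001 euid=1001 ses=7 comm="bash" exe="/usr/bin/bash" key="ssh_authorized_keys"
type=PATH msg=audit(1759132707.844:1201): item=0 name="/home/odoo/.ssh/" inode=131093 dev=fd:01 mode=040700 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1759132707.844:1201): item=1 name="/home/odoo/.ssh/authorized_keys" inode=131102 dev=fd:01 mode=0100600 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1759132790.310:1211): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c0 a2=441 a3=1a4 items=1 ppid=2310 pid=2410 auid=1001 uid=1001 gid=1001 euid=1001 ses=7 comm="bash" exe="/usr/bin/bash" key="ssh_authorized_keys"
type=PATH msg=audit(1759132790.310:1211): item=0 name="/home/odoo/.ssh/known_hosts" inode=131110 dev=fd:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1759132900.000:1220): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55f000 a2=241 a3=1a4 items=1 ppid=1 pid=2500 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="cp" exe="/usr/bin/cp" key="ssh_authorized_keys"
type=PATH msg=audit(1759132900.000:1220): item=0 name="/root/.ssh/authorized_keys" inode=2201 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

if __name__ == "__main__":
    for h in find_keyfile_writes(SAMPLE_AUDIT_LOG):
        print(h.serial, h.path, h.comm, h.via, triage(h))
```

On a live host, feed it the output of `ausearch -k ssh_authorized_keys --raw` (or the relevant slice of `/var/log/audit/audit.log`). The grouping by audit serial matters because the interesting facts are split across records: the SYSCALL record carries who did it (`auid` is the original login uid and survives `su`/`sudo`), while the PATH record carries which file. Filtering on the open flags keeps the logic correct if the rule is later widened to `-p rwa`, which would otherwise report every sshd read of the file.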
Containment, Eradication & Recovery
- Isolate the affected system from the network to prevent further compromise.
- Block the identified malicious IP address (210.183.21.53) at the firewall.
- Scan the affected system with an updated antivirus solution.
- Review SSH authorized keys files for unauthorized entries: `~/.ssh/authorized_keys` and `~/.ssh/authorized_keys2` for every account that has a home directory, including root and service accounts such as odoo, plus any other location named by `AuthorizedKeysFile` in `/etc/ssh/sshd_config`. Remove any suspicious or unknown public keys. Do not treat the key comment (the text after the key material) as evidence of ownership; it is attacker-controlled and is often chosen to look legitimate.
- Terminate any SSH sessions that may have been opened with a removed key; deleting the key does not close sessions it has already authenticated.
- Reset the passwords for all user accounts on the affected system.
- If compromise is confirmed, consider reimaging the system from a known good backup.
Preserve system logs (sshd authentication logs, audit logs, shell histories) and network traffic for forensic analysis before any reimaging. Inform IT and leadership about the incident and remediation steps.
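The key review step above is easy to get wrong by hand: service accounts with non-standard home directories, a second `authorized_keys2` file, or an `AuthorizedKeysFile` directive pointing elsewhere are all missed by inspecting `~/.ssh/authorized_keys` for a few obvious users. The script below is an added example, not SGI tooling or code from the page; it goes slightly beyond the bullet by enumerating the locations sshd would actually consult for every account and by reporting every key that is not on an approved list, matching on key type and blob rather than on the comment. It assumes a Linux host running OpenSSH; the sshd_config excerpt, user names and key blobs in it are constructed.

```python
"""Audit every authorized_keys file on a host against an approved-key list.

Added example, not SGI tooling. Assumes a Linux host running OpenSSH and an
approved list kept as a plain file of public keys in authorized_keys syntax.
The sshd_config excerpt, user names and key blobs below are constructed.
"""
import os
import re
import stat
import tempfile
from collections import namedtuple

DEFAULT_KEYFILES = [".ssh/authorized_keys", ".ssh/authorized_keys2"]  # OpenSSH default
# Anchor on the key-type token so leading options (from=, command=, no-pty, ...)
# and the trailing comment are split off without parsing the option grammar.
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w\-.@]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$")

KeyEntry = namedtuple("KeyEntry", "path lineno key_type blob options comment")

def keyfile_patterns(sshd_config_text):
    """Return the AuthorizedKeysFile patterns (first occurrence wins, as in sshd)."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "authorizedkeysfile":
            return parts[1:]
    return list(DEFAULT_KEYFILES)

def expand_pattern(pattern, user, home):
    """Expand %h, %u and %%; relative patterns are taken from the home directory."""
    p = pattern.replace("%%", "%").replace("%h", home).replace("%u", user)
    return p if p.startswith("/") else os.path.join(home, p)

def parse_keyfile(path, text):
    """Parse authorized_keys syntax; the comment is attacker-controlled, so it is reported, never matched on."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.search(raw)
        if not m:
            continue  # sshd rejects such a line too, but eyeball it in the raw file
        entries.append(KeyEntry(path, n, m.group("type"), m.group("blob"),
                                raw[:m.start()].strip(), (m.group("comment") or "").strip()))
    return entries

def load_allowlist(text):
    """Approved keys are matched on (type, blob) only."""
    return {(e.key_type, e.blob) for e in parse_keyfile("<allowlist>", text)}

def audit_host(user_homes, patterns, allowlist):
    """user_homes: iterable of (user, home). Returns (unknown_entries, weak_perm_paths)."""
    unknown, weak = [], []
    for user, home in user_homes:
        for pat in patterns:
            path = expand_pattern(pat, user, home)
            if not os.path.isfile(path):
                continue
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                weak.append(path)  # group/world-writable: any local user can add a key
            with open(path, encoding="utf-8", errors="replace") as fh:
                entries = parse_keyfile(path, fh.read())
            unknown.extend(e for e in entries if (e.key_type, e.blob) not in allowlist)
    return unknown, weak

def live_user_homes():
    """Every account with an existing home directory, root and service accounts included."""
    import pwd  # Unix only
    return [(p.pw_name, p.pw_dir) for p in pwd.getpwall() if os.path.isdir(p.pw_dir)]

SAMPLE_SSHD_CONFIG = """\
# AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys %h/.ssh/authorized_keys2
"""
APPROVED = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApprovedOpsKey0000000000000000000000000000 ops@corp.example\n"
ROGUE = ('from="*",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQRogueKey00000000000000000'
         '0000000000000000000000 user@attacker.example.com\n')

def demo():
    """Build a throwaway home tree with one clean and one tampered account, then audit it."""
    root = tempfile.mkdtemp(prefix="ak-audit-")
    homes = []
    for user, content, mode in (("odoo", APPROVED, 0o600), ("root", APPROVED + ROGUE, 0o666)):
        home = os.path.join(root, user)
        os.makedirs(os.path.join(home, ".ssh"), mode=0o700)
        keyfile = os.path.join(home, ".ssh", "authorized_keys")
        with open(keyfile, "w") as fh:
            fh.write(content)
        os.chmod(keyfile, mode)  # root's file deliberately left group/world-writable
        homes.append((user, home))
    return audit_host(homes, keyfile_patterns(SAMPLE_SSHD_CONFIG), load_allowlist(APPROVED))

if __name__ == "__main__":
    for e in demo()[0]:  # on a live host: audit_host(live_user_homes(), ...)
        print(f"UNKNOWN {e.path}:{e.lineno} {e.key_type} options={e.options!r} comment={e.comment!r}")
```

On a live host, replace `demo()` with `audit_host(live_user_homes(), keyfile_patterns(open("/etc/ssh/sshd_config").read()), load_allowlist(open("approved_keys").read()))` and run it as root so every home directory is readable. Entries with options such as `from=`, `command=` or `no-pty` deserve a second look even when the key is approved, because an attacker can reuse a known key blob with options of their own.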
Hardening & Preventive Controls
- Implement Multi-Factor Authentication (MFA) for all SSH access. (NIST CSF: PR.AC-7, CIS Control 6)
- Regularly review and audit SSH keys, and remove unnecessary or outdated keys; an authorized_keys entry is a credential that never expires unless someone deletes it. (NIST CSF: PR.AC-3, CIS Control 5)
- Disable password-based SSH authentication (`PasswordAuthentication no`) and rely on key-based authentication; set `PermitRootLogin no`, or `prohibit-password` where root key logins cannot be avoided. (NIST CSF: PR.AC-3, CIS Control 5)
- Keep authorized keys out of user-writable home directories, for example `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` with root-owned files, or serve them centrally with `AuthorizedKeysCommand`, so that an attacker who lands in a user account cannot persist simply by appending to that user’s own file. (NIST CSF: PR.AC-3, CIS Control 5)
- Watch the key files with auditd or file integrity monitoring and alert on any write. (NIST CSF: PR.DS-6, CIS Control 8)
- Update and patch systems regularly, especially those exposed to the internet. (NIST CSF: PR.IP-12, CIS Control 7)
- Implement network segmentation to limit the impact of a potential breach, and expose SSH only through a bastion or VPN where possible. (NIST CSF: PR.AC-5, CIS Control 12)
- Use strong passwords and enforce password complexity policies; local passwords still protect console access and sudo after SSH password logins are disabled. (NIST CSF: PR.AC-1, CIS Control 5)
Business Impact & Risk Outlook
A successful SSH key modification attack can lead to unauthorized access to critical systems, potentially resulting in data breaches, service disruptions, and reputational damage. Legal and compliance ramifications may arise if sensitive data is compromised. In the next 3-6 months, we anticipate an increase in SSH-related attacks, particularly targeting organizations with weak SSH access controls and exposed services. Organizations should proactively strengthen their SSH security posture to mitigate this growing risk.
Appendix
# Potentially malicious authorized_keys entry (illustrative; key material redacted)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCq...[redacted]... user@attacker.example.com
Assumptions & Data Gaps
- We assume the payload is related to unauthorized SSH key modifications based on the VirusTotal detection names and the signature name.
- Port information is missing from the initial report; only the protocol (TCP) is recorded.
- The exact target user, target system and the key that was added (if any) are unknown, as is why VirusTotal labels the sample type as ‘HTML’.
Concerned about your organization’s incident readiness? Request an Incident Readiness Review from SGI. Ensure continuous protection with 24/7 Monitoring with Sentry365™, or gain expert strategic guidance with our vCISO Advisory services. SGI is here to help you navigate the evolving threat landscape.