Compromised SSH Keys via Redirected Home Directories


Executive Summary

  • SGI detected a suspicious ‘authorized_keys’ file originating from IP address 185.46.18.99 (Russia).
  • The malicious file contains redirections targeting the home directories of various usernames, potentially allowing unauthorized SSH access.
  • The likely objective is to gain unauthorized remote access to compromised systems.
  • Business risk is assessed as low due to the need for existing vulnerabilities to be exploited.

Organizations should review SSH key management practices and monitor for unauthorized access attempts.

Observed Activity (SGI Sensors)

  ObservedAt:       2025-10-19T08:56:16.773Z
  SensorName:       (not provided)
  SourceIP:         185.46.18.XXX
  SourceASN:        AS199782
  SourceGeo:        RU
  Protocol/Port:    tcp/ (port not available)
  PayloadPresence:  Yes
  Hash:             a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

An SGI sensor detected a connection from IP address 185.46.18.99, associated with ASN AS199782 (Teletime Ltd.) in Russia. The connection contained a payload resembling an SSH ‘authorized_keys’ file. Analysis revealed that the file contains redirection commands targeting various user home directories. This suggests an attempt to inject malicious SSH keys into compromised systems by exploiting existing vulnerabilities or misconfigurations.

Malware/Technique Overview

The detected activity involves the deployment of a malicious ‘authorized_keys’ file designed to grant unauthorized SSH access. The file achieves this by redirecting legitimate SSH key lookups to attacker-controlled keys, likely hosted on a remote server. This allows the attacker to bypass normal authentication procedures if the target system attempts to use the injected ‘authorized_keys’ file.

The initial access vector is assumed to be either compromised credentials or an existing vulnerability that allows the attacker to write to the target system’s file system.

  • T1078.002 – Valid Accounts: Domain Accounts
  • T1190 – Exploit Public-Facing Application
  • T1556.002 – Modify Authentication Process: SSH Keys
  • T1059.004 – Command and Scripting Interpreter: Unix Shell

VirusTotal Snapshot

VirusTotal analysis shows that 24 vendors flagged the sample as malicious, while 29 vendors did not detect it. The file is identified as HTML, likely containing the malicious SSH key redirection code. Some notable aliases include variations of ‘authorized_keys’ and paths indicative of attempted home directory redirection for various users (e.g., ‘redir__home_ubuntu__ssh_authorized_keys’).

Indicators of Compromise (IoCs)

  Type:        ip
  Value:       185.46.18.XXX
  Confidence:  medium
  FirstSeen:   2025-10-19T08:56:16.773Z
  Notes:       AS199782 Teletime Ltd.

  Type:        hash
  Value:       a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
  Confidence:  high
  FirstSeen:   2025-10-19T08:56:16.773Z
  Notes:       SHA256 from VirusTotal

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

Splunk SPL

index=* source=*ssh* "authorized_keys"
| where cidrmatch("185.46.18.0/24", src_ip)
| table _time, host, source, src_ip, _raw

This query searches SSH logs containing ‘authorized_keys’ and keeps events whose source address falls in the 185.46.18.0/24 subnet. A bare CIDR string in the search bar is matched as a literal term rather than as an address range, so the subnet test is done with cidrmatch() against the extracted source-address field (src_ip here, as in the Splunk CIM; substitute the field your sourcetype extracts). Validate that hits correlate with unauthorized key additions, and filter out legitimate key management activities.

Elastic/Kibana KQL

(source.ip : "185.46.18.0/24") AND (file.name : "authorized_keys")

This query searches for events from the suspect IP range where the file name is “authorized_keys”. The CIDR match works because source.ip is an ip-type field in ECS; on a keyword-typed field the string would be compared literally. Be sure to check the surrounding logs for context to avoid false positives.
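The same hunt applied host-side, as an added example that is not SGI's tooling and not a replacement for the SIEM queries above: it parses sshd's "Accepted ..." lines from a syslog-style auth log, tests the source address against the advisory's 185.46.18.0/24 range, and flags public-key logins whose fingerprint is not in an approved inventory. The log lines, host names and fingerprint values are constructed placeholders; the approved-fingerprint set is assumed to come from your own key inventory.

```python
"""Flag sshd logins from the advisory's source range or with keys outside the
approved inventory, over syslog-style auth log lines.  Added example, not SGI
tooling."""
import ipaddress
import re

SUSPECT_NET = ipaddress.ip_network("185.46.18.0/24")  # range from the advisory

# Shape of sshd's success line; recent OpenSSH appends key type and fingerprint:
# "Accepted publickey for alex from 185.46.18.99 port 51234 ssh2: ED25519 SHA256:..."
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def parse_accepted(line):
    """Return the fields of an 'Accepted ...' line, or None for any other line."""
    m = ACCEPTED_RE.search(line)
    return m.groupdict() if m else None


def flag_logins(lines, approved_fingerprints):
    """Return (user, ip, reasons) for every successful login that needs triage."""
    alerts = []
    for line in lines:
        ev = parse_accepted(line)
        if ev is None:
            continue  # failures and unrelated lines are out of scope here
        reasons = []
        try:
            if ipaddress.ip_address(ev["ip"]) in SUSPECT_NET:
                reasons.append(f"source in {SUSPECT_NET}")
        except ValueError:
            reasons.append("unparseable source address")
        # A key login is only as trustworthy as the key; compare against inventory.
        if ev["method"] == "publickey" and ev["fp"] not in approved_fingerprints:
            reasons.append("key fingerprint not in approved inventory")
        if reasons:
            alerts.append((ev["user"], ev["ip"], "; ".join(reasons)))
    return alerts


# Constructed auth log lines; the fingerprints are placeholders, not real keys.
SAMPLE_AUTH_LOG = [
    "Oct 19 08:56:17 web01 sshd[2211]: Accepted publickey for alex from 185.46.18.99 port 51234 ssh2: ED25519 SHA256:PLACEHOLDER_fp1",
    "Oct 19 09:01:03 web01 sshd[2290]: Accepted publickey for ops from 10.20.0.5 port 40012 ssh2: ED25519 SHA256:PLACEHOLDER_fp2",
    "Oct 19 09:02:44 web01 sshd[2301]: Accepted publickey for ubuntu from 10.20.0.9 port 40100 ssh2: RSA SHA256:PLACEHOLDER_fp3",
    "Oct 19 09:03:10 web01 sshd[2310]: Failed password for invalid user admin from 185.46.18.99 port 51300 ssh2",
]
# Assumed to be exported from your key inventory (constructed here).
APPROVED_FINGERPRINTS = {"SHA256:PLACEHOLDER_fp2"}


def demo():
    """Run the detector over the constructed sample."""
    return flag_logins(SAMPLE_AUTH_LOG, APPROVED_FINGERPRINTS)


if __name__ == "__main__":
    for user, ip, why in demo():
        print(f"{user}@{ip}: {why}")
```

The failed-password line from the same address is deliberately not alerted by this function; it belongs to brute-force detection, whereas the point here is a successful login with an unexpected key, which is what an injected authorized_keys entry produces.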

Containment, Eradication & Recovery

  1. Isolate affected systems: Immediately disconnect any systems showing signs of compromise from the network to prevent further spread.
  2. Block malicious IP: Add 185.46.18.99 to your firewall blocklist to prevent further communication.
  3. Scan systems for unauthorized keys: Use a host-based scanner to identify any unauthorized ‘authorized_keys’ files, especially those matching the provided hash or containing suspicious redirections.
  4. Reset compromised credentials: Force password resets for any user accounts potentially affected by the compromised SSH keys.
  5. Reimage if necessary: If the level of compromise is uncertain, consider reimaging affected systems from a known good backup.
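A host-side check for step 3, added here as example code (not SGI's tooling): it hashes each authorized_keys file against the advisory's SHA-256, parses every entry the way sshd does (options, key type, base64 blob, comment), confirms the blob's embedded key type matches the declared one, and reports keys whose SHA256 fingerprint is not in an approved inventory. The sample file contents, the all-zero ed25519 dummy key and the path are constructed; the approved-fingerprint set is assumed to come from your own inventory.

```python
"""Audit authorized_keys files against the advisory's IoC hash and for entries
that are not well-formed OpenSSH public keys.  Added example, not SGI tooling."""
import base64
import hashlib
import shlex
import struct
from pathlib import Path

# SHA-256 of the suspicious authorized_keys payload reported in the advisory.
IOC_SHA256 = "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"

# Key types sshd accepts out of the box; anything else deserves a look.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob_b64):
    """Decode a base64 key blob and return (embedded_type, "SHA256:..."), the
    fingerprint format ssh-keygen -l prints.  Raises ValueError or struct.error
    when the blob is not a well-formed wire-format public key."""
    raw = base64.b64decode(blob_b64, validate=True)
    (type_len,) = struct.unpack(">I", raw[:4])
    embedded_type = raw[4:4 + type_len].decode("ascii", "replace")
    digest = hashlib.sha256(raw).digest()
    return embedded_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_entry(line):
    """Split one entry into (options, key_type, blob, comment).  Like sshd, the
    key type is the first token naming a known algorithm; whatever precedes it
    is the options field (shlex keeps quoted values such as command="..."
    together).  Returns None when no key type is present."""
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def audit_text(path, data, approved_fingerprints):
    """Return (path, line_no, issue, detail) findings for one file's bytes."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest == IOC_SHA256:
        findings.append((path, 0, "ioc-hash-match", digest))
    for n, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # sshd ignores blank lines and comments
        try:
            entry = parse_entry(line)
        except ValueError:  # unbalanced quotes in the options field
            entry = None
        if entry is None:
            findings.append((path, n, "malformed", line[:60]))
            continue
        _options, key_type, blob, _comment = entry
        try:
            embedded_type, fp = fingerprint(blob)
        except (ValueError, struct.error):
            findings.append((path, n, "invalid-key-blob", key_type))
            continue
        if embedded_type != key_type:
            findings.append((path, n, "type-mismatch", f"{key_type} vs {embedded_type}"))
        elif fp not in approved_fingerprints:
            findings.append((path, n, "unapproved-key", fp))
    return findings


def audit_home_dirs(approved_fingerprints, home_root="/home"):
    """Audit every <user>/.ssh/authorized_keys under home_root on the real host."""
    findings = []
    for path in Path(home_root).glob("*/.ssh/authorized_keys"):
        findings += audit_text(str(path), path.read_bytes(), approved_fingerprints)
    return findings


# Constructed sample data.  The blob is a structurally valid ssh-ed25519 key
# whose 32 key bytes are all zero: a dummy, not a real identity.
DUMMY_ED25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + "A" * 40
SAMPLE_FILE = "\n".join([
    "# keys approved for the ops team",
    f"ssh-ed25519 {DUMMY_ED25519} ops@bastion",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {DUMMY_ED25519} backup@bastion',
    "...redir__home_alex__ssh_authorized_keys...",  # shape of the redacted snippet
    "ssh-rsa notbase64!! injected",
]).encode()


def demo():
    """Audit the constructed sample with only the dummy key approved."""
    approved = {fingerprint(DUMMY_ED25519)[1]}
    return audit_text("/home/ops/.ssh/authorized_keys", SAMPLE_FILE, approved)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Run audit_home_dirs() as root on a suspect host and treat any ioc-hash-match, malformed or unapproved-key finding as a trigger for the credential reset in step 4; the fingerprint comparison is what catches a syntactically valid key that simply does not belong there.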

Ensure clear communication between IT and leadership throughout this process.

Preserve any forensic evidence (logs, disk images) for further investigation.

Hardening & Preventive Controls

  • Implement Multi-Factor Authentication (MFA) (NIST CSF PR.AC-1, CIS Control 6): Enforce MFA for all SSH logins to mitigate the risk of compromised keys.
  • Harden SSH configuration (CIS Control 5): Disable password authentication, use key-based authentication, and restrict SSH access to authorized networks.
  • Implement regular SSH key rotation (NIST CSF PR.AC-4): Regularly rotate SSH keys and audit authorized keys files.
  • Network Segmentation (NIST CSF PR.AC-4, CIS Control 14): Implement network segmentation to limit the blast radius of a potential compromise.
  • Endpoint Detection and Response (EDR) tuning (NIST CSF DE.CM-1, CIS Control 10): Tune EDR rules to detect suspicious file modifications in user home directories.
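To make the SSH-hardening bullets above checkable, here is an added example (not SGI's tooling) that parses an sshd_config the way sshd reads it and audits it for key-only authentication, an enforced second factor, StrictModes and account restriction; a weak configuration and a hardened one are constructed inline. The final check, moving AuthorizedKeysFile to a root-owned path, is this example's own suggestion and goes beyond the list above.

```python
"""Audit an sshd_config against the hardening controls above.  Added example,
not SGI tooling; the AuthorizedKeysFile check is this example's suggestion."""
import re

# Values sshd uses when a directive is absent (OpenSSH defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "authenticationmethods": "any",
    "strictmodes": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}


def parse_sshd_config(text):
    """Return the global-section directives as {lowercase_name: value}.  Like
    sshd: keywords are case-insensitive, the first occurrence wins, lines that
    start with '#' are comments, and parsing stops at the first Match block."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        name = parts[0].lower()
        if name == "match":
            break
        directives.setdefault(name, parts[1].strip() if len(parts) > 1 else "")
    return directives


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    val = lambda name: cfg.get(name, DEFAULTS[name]).lower()
    findings = []
    if val("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password logins still accepted")
    if val("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    # AuthenticationMethods lists acceptable chains; every chain must demand a
    # public key plus a second method, otherwise MFA is optional, not enforced.
    chains = val("authenticationmethods").split()
    if chains == ["any"] or not all(
        "publickey" in c.split(",") and len(c.split(",")) >= 2 for c in chains
    ):
        findings.append("AuthenticationMethods does not require publickey plus a second factor")
    if val("strictmodes") != "yes":
        findings.append("StrictModes is off: a group/world-writable authorized_keys would be accepted")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every local account with a key may log in")
    if not all(p.startswith("/") for p in val("authorizedkeysfile").split()):
        findings.append("AuthorizedKeysFile is under the user's home directory "
                        "(suggestion: a root-owned path such as /etc/ssh/authorized_keys/%u)")
    return findings


# Constructed weak configuration, the shape many default installs ship with.
WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
StrictModes no
UsePAM yes
"""

# Constructed hardened configuration: keys only, key plus PAM second factor,
# restricted accounts, root-owned key store, per-network group restriction.
HARDENED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
StrictModes yes
AllowGroups ssh-users
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Match Address 10.20.0.0/16
    AllowGroups ssh-users ssh-admins
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(text) or "OK")
```

What keyboard-interactive actually prompts for is decided by sshd's PAM stack: unless an OTP module is configured there, the "second factor" in the hardened chain is the account password, so the PAM side has to be verified alongside this file. Running the audit over the output of `sshd -T` instead of the file on disk also resolves included files and defaults.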

Business Impact & Risk Outlook

A successful SSH key compromise can lead to significant operational disruptions, data breaches, and reputational damage. Attackers can gain unauthorized access to critical systems, steal sensitive data, or launch further attacks within the network.

We anticipate an increase in SSH key compromise attempts in the coming months, targeting organizations with weak SSH key management practices.

Appendix

Redacted Payload Snippet:

...redir__home_alex__ssh_authorized_keys...

Assumptions & Data Gaps:

  • The full payload of the ‘authorized_keys’ file was not available, preventing full analysis of the redirection targets.
  • The specific vulnerability or method used to inject the malicious file is unknown.
  • The target systems and organizations are unknown.
  • The network port used by the attacker is not available.
