Executive Summary

• SGI detected a suspicious file being delivered via web request which attempts to modify SSH authorized keys.
• The likely objective is to gain persistent, unauthorized remote access to systems.
• The impact is potentially widespread, affecting any system where the injected key is trusted.
• Business risk is moderate, depending on the value of accessible data and systems.

Organizations should proactively monitor for unauthorized SSH key modifications and review access controls to limit potential damage.

Observed Activity (SGI Sensors)

Our sensor detected a connection from an IP address originating from Hong Kong (ASN AS401696). The connection used TCP, and delivered a payload which our systems identified as malicious. The payload contains data to be written to a target’s .ssh/authorized_keys file, and is flagged by multiple vendors as malicious. The destination port was not specified.

Malware/Technique Overview

The observed malware family appears to be focused on injecting SSH keys into the authorized_keys file of various user accounts. This allows attackers to bypass normal authentication mechanisms and gain unauthorized access to the compromised system. The initial access vector appears to be web-based delivery, possibly exploiting vulnerabilities or misconfigurations in web applications to write the malicious content. Targets include various user home directories (e.g., postgresql, jenkins, ubuntu, root).

• T1190 – Exploit Public-Facing Application
• T1078.002 – Valid Accounts: Domain Accounts (if keys are valid across systems)
• T1556.002 – Modify Authentication Process: SSH Keys
• T1059.004 – Command and Scripting Interpreter: Unix Shell

VirusTotal Snapshot

VirusTotal analysis shows 29 out of 62 vendors detected the sample as malicious, with 33 vendors reporting it as undetected. Several aliases are associated with this sample, suggesting it is part of a broader campaign targeting various usernames.

• VirusTotal Sample

Indicators of Compromise (IoCs)

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

Splunk SPL

index=* sourcetype=web source=*154.219.113.XXX* | stats count by dest_user

Elastic/Kibana KQL

source.ip : "154.219.113.XXX" AND file.name : "authorized_keys"

When reviewing potential hits, consider the source IP’s reputation and the user accounts being targeted. Investigate any unusual or unexpected modifications to authorized_keys files.

Containment, Eradication & Recovery

1. Isolate affected systems from the network to prevent further spread.
2. Block the source IP (154.219.113.XXX) at the firewall.
3. Scan all systems for unauthorized SSH keys. Check especially the .ssh/authorized_keys files in user home directories, including root.
4. Reimage any severely compromised systems.
5. Reset passwords for all potentially affected user accounts.

Ensure clear communication between IT and leadership regarding the incident status and remediation efforts. Preserve all relevant logs and evidence for forensic analysis.

Hardening & Preventive Controls

1. Implement Multi-Factor Authentication (MFA) for all SSH access. (NIST CSF: PR.AC-1, CIS Control 6)
2. Tune Endpoint Detection and Response (EDR) solutions to detect unusual file modifications. (NIST CSF: DE.CM-7, CIS Control 10)
3. Implement Network Segmentation to limit the blast radius of potential compromises. (NIST CSF: PR.AC-3, CIS Control 14)
4. Enforce Least Privilege principles to limit the impact of compromised accounts. (NIST CSF: PR.AC-4, CIS Control 5)
5. Establish Patch SLAs for timely remediation of security vulnerabilities. (NIST CSF: ID.AM-2, CIS Control 7)

Business Impact & Risk Outlook

A successful SSH key injection can lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory repercussions may also arise depending on the sensitivity of the compromised data.

We anticipate an increase in attacks targeting SSH access over the next 3-6 months, with attackers leveraging various methods such as web application exploits and credential stuffing to gain unauthorized access.

Appendix

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
The document has moved <a href="/tmp/20251020-095501-70928fe444ea-1-redir__home_postgresql__ssh_authorized_keys">here</a>.
</body></html>

Assumptions & Data Gaps

• The destination port of the connection is unknown.
• The exact web application vulnerability (if any) is unknown.

References

• VirusTotal Sample

Protect your organization from sophisticated threats with Sentry Global Intelligence & Consulting Group. Request an Incident Readiness Review today. Ensure continuous protection with our 24/7 Monitoring with Sentry365™ services, and leverage our expertise with vCISO Advisory.