Emerging Threat: SSH Authorized Key Injection via Compromised Servers
Executive Summary
- SGI has detected a potential SSH authorized key injection attempt originating from a compromised server.
- The primary risk is unauthorized access to systems via backdoored SSH keys.
- The likely objective is lateral movement and data exfiltration.
- Business risk level is currently assessed as low, but can escalate quickly if successful.
Organizations should immediately review SSH key management practices and monitor for unauthorized key modifications to prevent potential breaches.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-10-28T08:59:45.732Z | | 103.146.52.XXX | AS138152 | US | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
On October 28, 2025, SGI sensors detected suspicious network activity originating from IP address 103.146.52.XXX, associated with ASN AS138152 (YISU CLOUD LTD) in Los Angeles, California. The traffic, using TCP, included a payload identified as a potential SSH authorized key injection attempt. The observed activity suggests a compromised host attempting to propagate unauthorized SSH access.
Malware/Technique Overview
The detected malware family is identified as “20251026-191001-c013114f4133-1-redir__home_plex__ssh_authorized_keys”. This malware family appears to be designed to inject malicious SSH keys into the authorized_keys file of various user accounts. This would grant attackers persistent and unauthorized SSH access to compromised systems, enabling lateral movement and potentially data exfiltration. The initial access vector likely involves exploiting vulnerabilities in exposed services or compromised credentials.
- T1190 – Exploit Public-Facing Application (if applicable based on initial access)
- T1078 – Valid Accounts
- T1059.004 – Command and Scripting Interpreter: Unix Shell
- T1098.004 – Account Manipulation: SSH Authorized Keys
- T1555.003 – Credentials from Password Stores: Credentials in Files
VirusTotal Snapshot
VirusTotal analysis indicates that 29 out of 57 vendors flagged the sample as malicious, while 28 vendors did not detect it. This suggests that the threat is relatively new or uses techniques to evade detection. Some notable aliases include variations targeting different usernames and directories.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| IP | 103.146.52.XXX | Medium | 2025-10-28T08:59:45.732Z | AS138152 YISU CLOUD LTD |
| Hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | High | 2025-10-28T08:59:45.732Z | SHA256 from VirusTotal |
It is recommended to monitor these IoCs for at least 30 days.
Detection & Hunting
Splunk SPL
index=* sourcetype=network_traffic dest_ip=103.146.52.XXX
| eval description="Possible SSH authorized key injection detected from " . src_ip
| table _time, src_ip, dest_port, description
This query searches for network traffic to the suspect IP address. Review the traffic patterns and associated logs to determine the nature of the connection and identify potential compromised systems. Be aware of common network traffic patterns from cloud providers to avoid false positives.
Containment, Eradication & Recovery
- Isolate: Immediately isolate any systems communicating with the identified malicious IP address from the network to prevent further propagation.
- Block: Block the malicious IP address (103.146.52.XXX) at the firewall level to prevent further communication.
- Scan: Perform a thorough scan of all systems for unauthorized SSH keys and other signs of compromise.
- Reimage: If systems are confirmed to be compromised, reimage them from a known good backup or image.
- Reset Credentials: Reset all user account passwords, especially those that may have been compromised.
Ensure that all actions are communicated effectively to IT staff and organizational leadership. Preserve evidence for potential forensic analysis.
Hardening & Preventive Controls
- Multi-Factor Authentication (MFA): Implement MFA for all SSH access to prevent unauthorized logins (NIST CSF PR.AC-1, CIS Control 6).
- Endpoint Detection and Response (EDR): Tune EDR solutions to detect suspicious SSH key modifications and network traffic (NIST CSF DE.CM-1, CIS Control 10).
- Network Segmentation: Implement network segmentation to limit the potential impact of a compromised system (NIST CSF PR.DS-5, CIS Control 14).
- Least Privilege: Enforce the principle of least privilege to limit the access rights of user accounts (NIST CSF PR.AC-3, CIS Control 5).
- Patch Management: Maintain strict patch SLAs for all systems, especially those exposed to the internet (NIST CSF ID.AM-4, CIS Control 7).
- SSH Hardening: Disable password authentication for SSH and only allow key-based authentication. Regularly review and rotate SSH keys (CIS Control 8).
Business Impact & Risk Outlook
A successful SSH key injection attack can lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory ramifications may also arise from data breaches. We anticipate that attackers will continue to target SSH access as a means of lateral movement. Organizations should proactively strengthen their SSH security posture.
Appendix
Assumptions & Data Gaps
- We assume that the provided data is representative of a broader attack campaign.
- Sensor name and network port are missing.
- The full payload is not available for analysis.