Emerging Threat: SSH Unauthorized Key Injection via Compromised Servers


Executive Summary

  • SGI observed malicious activity indicative of SSH key injection attempts originating from IP address 103.123.168.58.
  • The activity attempts to inject unauthorized SSH keys into the authorized_keys files of multiple user home directories, including root, plex, ql, anchhet, ashish, gamma, learn, tmax, cris, postgresql, jenkins, alex, auditor, uos, water, and ftpuser.
  • The likely objective is to gain unauthorized remote access to compromised systems.
  • The business risk level is assessed as Medium, given the potential for data breaches and system compromise.

Organizations should proactively monitor SSH logs, implement multi-factor authentication, and restrict SSH access to trusted networks to mitigate the risk of unauthorized access.

Observed Activity (SGI Sensors)

  • ObservedAt: 2025-10-31T08:59:23.385Z
  • SensorName: not recorded
  • SourceIP: 103.123.168.XXX
  • SourceASN: AS138346
  • SourceGeo: BD
  • Protocol/Port: tcp/ (port not recorded)
  • PayloadPresence: Yes
  • Hash: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

SGI sensors detected suspicious network traffic originating from IP address 103.123.168.58, associated with ASN AS138346 in Bangladesh. The traffic appears to be attempting to inject unauthorized SSH keys into the authorized_keys file of various user accounts. The observed activity suggests a potential automated attack targeting multiple user accounts on the same or different systems.

Malware/Technique Overview

The observed malware family is identified as 20251030-161438-51b447a0c250-1-redir__root__ssh_authorized_keys; the name indicates an attempt to inject an unauthorized SSH key into the root user’s authorized_keys file. The same naming pattern is also being used against other user accounts.

The initial access vector is likely achieved through compromised servers that are then used to spread the malicious SSH keys. The targets include a broad range of user accounts, suggesting an opportunistic approach.

  • T1190 – Exploit Public-Facing Application
  • T1078 – Valid Accounts
  • T1059 – Command and Scripting Interpreter
  • T1098.004 – Account Manipulation: SSH Authorized Keys

VirusTotal Snapshot

VirusTotal analysis shows a malicious detection ratio of 29/62: 29 engines flagged the sample and 33 returned no detection.

Some vendors identified the sample as malicious, indicating that the injected keys are being recognized as a threat.

Indicators of Compromise (IoCs)

  • ip: 103.123.168.XXX (confidence: medium; first seen 2025-10-31T08:59:23.385Z; AS138346, Sajid Trading Ltd.)
  • hash: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 (confidence: high; first seen 2025-10-31T08:59:23.385Z; SHA256 from VirusTotal)

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

Splunk SPL

index=* src_ip=103.123.168.0/24 dest_port=22
| regex _raw="ssh-rsa AAAA[0-9A-Za-z+/]+={0,3}"
| table _time, src_ip, dest_ip, _raw

This query searches for SSH connections from the identified IP range and extracts the raw event data to identify potential SSH key injection attempts. Validate that any extracted key is not one your organization authorized. Note that the pattern only matches RSA keys in OpenSSH one-line format; ed25519 and ECDSA keys use the ssh-ed25519 and ecdsa-sha2-nistp* prefixes, and a key delivered as an RFC 4716 block (as in the appendix snippet) carries no "ssh-rsa " prefix at all, so match on the base64 prefix AAAAB3NzaC1yc2E (the encoded "ssh-rsa" type string) to cover that case.

Containment, Eradication & Recovery

  1. Isolate affected systems from the network to prevent further propagation.
  2. Block the malicious IP address (103.123.168.58) at the firewall level.
  3. Scan systems for unauthorized SSH keys in authorized_keys files.
  4. Reimage compromised systems from a known good backup.
  5. Reset credentials for all affected user accounts.
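An added audit helper for step 3, not part of the SGI advisory: it parses each authorized_keys entry, computes the SHA256 fingerprint that ssh-keygen -lf reports, flags keys absent from an allowlist and entries that do not parse (an RFC 4716 block pasted in whole, as in the appendix snippet, surfaces this way), and derives candidate authorized_keys paths for every account in /etc/passwd, service accounts such as jenkins and postgresql included. The sample keys and passwd lines are constructed, and the allowlist of approved fingerprints is assumed to be maintained by the organization.

```python
import base64
import hashlib
import re
import struct
from pathlib import Path

# One OpenSSH authorized_keys entry: optional options, key type, base64 blob, optional comment.
KEY_RE = re.compile(
    r"^(?:(?P<opts>\S+)\s+)?(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+"
    r"(?P<b64>AAAA[0-9A-Za-z+/]+=*)(?:\s+(?P<comment>.*))?$"
)

def fingerprint(b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64 of the digest)."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_keys_paths(passwd_text: str) -> list:
    """Candidate authorized_keys paths for every /etc/passwd account with an absolute home directory."""
    paths = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 7 and fields[5].startswith("/"):
            paths.append(Path(fields[5]) / ".ssh" / "authorized_keys")
    return paths

def audit_authorized_keys(text: str, allowlist: set) -> list:
    """One finding per entry that is not a parseable key whose fingerprint is on the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:  # e.g. an RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" block, invalid here
            findings.append({"line": lineno, "reason": "unparseable entry", "fp": None})
        elif (fp := fingerprint(m["b64"])) not in allowlist:
            findings.append({"line": lineno, "reason": "not on allowlist", "fp": fp,
                             "comment": m["comment"] or ""})
    return findings

def wire_blob(keytype: bytes, payload: bytes) -> str:
    """Base64 of SSH wire format (length-prefixed fields); used only to build constructed samples."""
    return base64.b64encode(struct.pack(">I", len(keytype)) + keytype
                            + struct.pack(">I", len(payload)) + payload).decode()

# Constructed samples, not real key material: payloads are fixed bytes.
KNOWN_KEY = "ssh-ed25519 " + wire_blob(b"ssh-ed25519", bytes(32)) + " admin@corp.example"
ROGUE_KEY = "ssh-rsa " + wire_blob(b"ssh-rsa", b"\x01" * 40) + " unknown@unmanaged"
SAMPLE_FILE = "# managed by config mgmt\n" + KNOWN_KEY + "\n" + ROGUE_KEY + "\n---- BEGIN SSH2 PUBLIC KEY ----\n"
ALLOWLIST = {fingerprint(KNOWN_KEY.split()[1])}
FINDINGS = audit_authorized_keys(SAMPLE_FILE, ALLOWLIST)
```

Run it against each path from authorized_keys_paths on the affected host; every finding is either a key to revoke or a corrupted entry to clean up.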

Ensure that IT and leadership are promptly informed of the incident. Preserve all relevant logs and artifacts for forensic analysis.

Hardening & Preventive Controls

  • Implement Multi-Factor Authentication (MFA): Enforce MFA for all SSH access to prevent unauthorized logins (NIST CSF: PR.AC-1, CIS Control 6).
  • Tune Endpoint Detection and Response (EDR): Configure EDR solutions to detect and block SSH key injection attempts (NIST CSF: DE.CM-7, CIS Control 10).
  • Network Segmentation: Segment the network to limit the blast radius of potential breaches (NIST CSF: PR.AC-5, CIS Control 14).
  • Principle of Least Privilege: Grant users only the necessary privileges to perform their tasks (NIST CSF: PR.AC-3, CIS Control 5).
  • Patch Management: Maintain SLAs for patching systems (NIST CSF: PR.PT-1, CIS Control 7).
  • Restrict SSH Access: Limit SSH access to trusted networks or specific IP addresses.

Business Impact & Risk Outlook

The potential business impact includes operational disruption, data breaches, legal liabilities, and reputational damage. Unauthorized access can lead to the exfiltration of sensitive data or the deployment of ransomware.

We anticipate an increase in automated SSH key injection attacks targeting a broader range of organizations over the next 3-6 months. Threat actors will likely continue to refine their techniques to evade detection.

Appendix

Redacted Payload Snippet (RFC 4716 public-key format; OpenSSH authorized_keys expects the one-line "ssh-rsa AAAA..." form instead):

-----BEGIN SSH2 PUBLIC KEY-----
AAAAB3NzaC1yc2EAAAADAQABAAABAQCyrDYyD...[redacted]...
-----END SSH2 PUBLIC KEY-----

Assumptions & Data Gaps:

  • Sensor name is unavailable.
  • Specific TTPs beyond key injection are unknown.
