Emerging Threat: SSH Authorized Key Injection via Compromised Indonesian Host
Executive Summary
- SGI sensors detected malicious activity originating from an IP address in Indonesia (103.139.193.37).
- The activity is consistent with automated attempts to inject unauthorized SSH keys into compromised systems.
- The likely objective is to gain persistent, unauthorized access to target systems.
- The business risk level is moderate, potentially leading to data breaches, system compromise, and operational disruption.
Organizations should implement robust SSH security measures and monitor for suspicious login activity to mitigate the risk of unauthorized access.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-11-19T08:58:27.581Z | not provided | 103.139.193.XXX | AS136052 | ID | tcp/ (port not provided) | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
On November 19, 2025, SGI sensors detected suspicious network activity originating from 103.139.193.37, an IP address associated with AS136052 (PT Cloud Hosting Indonesia) in West Java, Indonesia. The observed TCP connection included a payload identified as a potentially malicious HTML file. Analysis of the file’s hash (a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) indicates it is associated with SSH authorized key injection attempts.
Malware/Technique Overview
The observed activity involves an attempt to inject SSH authorized keys into target systems. This technique gives attackers persistent, passwordless access to compromised servers. The attacker likely gained initial access via brute-force or credential-stuffing attacks. By appending their public key to a user's authorized_keys file (for example, root or ubuntu), they can log in without needing a password.
- MITRE ATT&CK: T1190 – Exploit Public-Facing Application
- MITRE ATT&CK: T1110.001 – Password Guessing: Password Spraying
- MITRE ATT&CK: T1078 – Valid Accounts
- MITRE ATT&CK: T1555.004 – Credentials from Password Stores: SSH Keys
- MITRE ATT&CK: T1059.004 – Command and Scripting Interpreter: Unix Shell
- MITRE ATT&CK: T1098.004 – Account Manipulation: SSH Keys
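Because the persistence mechanism is a line added to authorized_keys, the defender's check is to compare every key on the host against an approved inventory of fingerprints. The script below is an added example for this report, not SGI tooling: it parses authorized_keys lines (including option prefixes such as command="..."), computes the same SHA256 fingerprint that ssh-keygen -lf prints, and reports keys that are not inventoried. The sample file, the approved inventory, and the synthetic ed25519 blobs are all constructed for the demonstration.

```python
"""Audit authorized_keys contents against an approved key inventory.

Added example (not SGI's tooling): the sample file, the approved inventory and
the synthetic key blobs below are constructed for the demonstration.
"""
import base64
import binascii
import hashlib
import shlex
import struct
from typing import List, NamedTuple, Optional, Set, Tuple

# Key types a current OpenSSH accepts; anything else is worth a look on its own.
KNOWN_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


class KeyFinding(NamedTuple):
    line_no: int
    key_type: str
    fingerprint: str
    comment: str
    reason: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: the same value `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split an authorized_keys line into (options, key_type, blob, comment).

    Options such as command="..." or from="..." may precede the key type and
    may contain quoted spaces, so the line is tokenised with shlex.
    """
    try:
        tokens = shlex.split(line)
    except ValueError:
        return None
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
            return (" ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:]))
    return None


def audit_authorized_keys(text: str, approved: Set[str]) -> List[KeyFinding]:
    """Return one finding per key that is unparseable, invalid, or not inventoried."""
    findings: List[KeyFinding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_key_line(line)
        if parsed is None:
            findings.append(KeyFinding(line_no, "?", "", "", "unparseable line"))
            continue
        _options, key_type, blob, comment = parsed
        try:
            fp = fingerprint(blob)
        except (binascii.Error, ValueError):
            findings.append(KeyFinding(line_no, key_type, "", comment, "invalid key blob"))
            continue
        if key_type not in KNOWN_KEY_TYPES:
            findings.append(KeyFinding(line_no, key_type, fp, comment, "unexpected key type"))
        elif fp not in approved:
            findings.append(KeyFinding(line_no, key_type, fp, comment, "not in approved inventory"))
    return findings


def _synthetic_ed25519_blob(seed: int) -> str:
    """Constructed key blob in OpenSSH wire format: string(type) || string(32 bytes).

    The 32 key bytes are a counter pattern, not a real key; only the encoding is real.
    """
    key_bytes = bytes((seed + i) % 256 for i in range(32))
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return base64.b64encode(raw).decode()


# Constructed sample: two inventoried keys plus one that nobody approved.
SAMPLE_AUTHORIZED_KEYS = f"""# managed by config management
ssh-ed25519 {_synthetic_ed25519_blob(1)} admin@workstation
command="/usr/local/bin/backup",no-pty,restrict ssh-ed25519 {_synthetic_ed25519_blob(2)} backup@host
ssh-ed25519 {_synthetic_ed25519_blob(3)} ubuntu
"""
APPROVED_FINGERPRINTS = {
    fingerprint(_synthetic_ed25519_blob(1)),
    fingerprint(_synthetic_ed25519_blob(2)),
}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {f.line_no}: {f.key_type} {f.fingerprint} '{f.comment}' -> {f.reason}")
```

In practice the inventory comes from configuration management, and the script is run over every authorized_keys path that sshd honours (the AuthorizedKeysFile setting, plus any AuthorizedKeysCommand source), for root as well as service accounts, since the same comparison catches a key added by an attacker regardless of which user it was planted under.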
VirusTotal Snapshot
VirusTotal analysis of the identified hash (a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) shows a concerning number of malicious detections. 29 engines flagged the sample as malicious, while 33 engines did not detect it. The sample is identified as HTML. Multiple aliases suggest a pattern of attempted SSH key injection targeting various usernames.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| IP | 103.139.193.XXX | Medium | 2025-11-19T08:58:27.581Z | AS136052 PT Cloud Hosting Indonesia |
| Hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | High | 2025-11-19T08:58:27.581Z | SHA256 from VirusTotal |
It is recommended to monitor these IoCs for at least 30 days.
Detection & Hunting
Splunk SPL
index=* src_ip=103.139.193.0/24 | stats count by dest_ip, user | where count > 5
This query searches for connections from the identified IP range, grouping by destination IP and username to identify potential brute-force attempts. Validate that the username is legitimate and the connections are expected. High connection counts to unusual internal destinations may indicate compromise.
Elastic/Kibana KQL
source.ip : 103.139.193.0/24
This query will search all logs for the presence of the malicious IP range. Filter by successful SSH logins following the initial connection to look for successful key injection.
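The two queries above express the hunt in SIEM terms: count failures per destination and user, then look for a successful login that follows from the same source. The script below is an added example, not SGI detection content, that applies the same logic directly to syslog-style sshd lines, which is useful on a host without SIEM coverage or when validating a SIEM hit against raw logs. The log lines are constructed; the watched range is the /24 the queries use, and the failure threshold of 5 mirrors the Splunk where count > 5 clause.

```python
"""Hunt sshd auth logs for brute force followed by a successful login.

Added example (not SGI's): the sshd lines below are constructed, and the
watched range is the one the report's Splunk/KQL queries search for.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

WATCHED_NETWORKS = [ipaddress.ip_network("103.139.193.0/24")]

# Matches the standard "Accepted ..." / "Failed ..." sshd lines in syslog format.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


class SshEvent(NamedTuple):
    ts: str
    host: str
    outcome: str
    method: str
    user: str
    src: str


class Alert(NamedTuple):
    kind: str
    host: str
    user: str
    src: str
    in_watched_range: bool
    detail: str


def parse_sshd_line(line: str) -> Optional[SshEvent]:
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return SshEvent(d["ts"], d["host"], d["outcome"], d["method"], d["user"], d["src"])


def _in_watched_range(src: str, nets) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def hunt_ssh_log(lines: Iterable[str], watched_nets=WATCHED_NETWORKS,
                 failure_threshold: int = 5) -> List[Alert]:
    """Raise alerts for (a) more than failure_threshold failures per host/source
    and (b) any accepted login from a source that failed earlier in the log."""
    failures: Counter = Counter()                    # (host, src) -> failed attempts so far
    users_tried: Dict[Tuple[str, str], Set[str]] = {}  # (host, src) -> usernames guessed
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        key = (ev.host, ev.src)
        watched = _in_watched_range(ev.src, watched_nets)
        if ev.outcome == "Failed":
            failures[key] += 1
            users_tried.setdefault(key, set()).add(ev.user)
            if failures[key] == failure_threshold + 1:   # fire once, like `where count > 5`
                alerts.append(Alert("brute_force", ev.host, ",".join(sorted(users_tried[key])),
                                    ev.src, watched, f"{failures[key]} failed logins"))
        elif failures[key] > 0:
            # A success after failures from the same source is the follow-through
            # the KQL note describes; an accepted publickey here is the key-injection case.
            alerts.append(Alert("success_after_failures", ev.host, ev.user, ev.src, watched,
                                f"accepted {ev.method} after {failures[key]} failures"))
    return alerts


# Constructed log: six failures from the watched range, then an accepted key login
# for one of the guessed users; the other two sources are benign controls.
SAMPLE_AUTH_LOG = """\
Nov 19 08:58:27 web01 sshd[2211]: Failed password for root from 103.139.193.37 port 51122 ssh2
Nov 19 08:58:29 web01 sshd[2213]: Failed password for root from 103.139.193.37 port 51130 ssh2
Nov 19 08:58:31 web01 sshd[2215]: Failed password for invalid user admin from 103.139.193.37 port 51138 ssh2
Nov 19 08:58:33 web01 sshd[2217]: Failed password for ubuntu from 103.139.193.37 port 51144 ssh2
Nov 19 08:58:35 web01 sshd[2219]: Failed password for ubuntu from 103.139.193.37 port 51150 ssh2
Nov 19 08:58:37 web01 sshd[2221]: Failed password for ubuntu from 103.139.193.37 port 51156 ssh2
Nov 19 08:59:40 web01 sshd[2290]: Accepted publickey for ubuntu from 103.139.193.37 port 51190 ssh2: ED25519 SHA256:CONSTRUCTED_FINGERPRINT_PLACEHOLDER
Nov 19 09:00:01 web01 sshd[2300]: Accepted password for alice from 10.0.0.5 port 40000 ssh2
Nov 19 09:01:12 db01 sshd[880]: Failed password for root from 192.0.2.10 port 60000 ssh2
Nov 19 09:01:15 db01 sshd[882]: Failed password for root from 192.0.2.10 port 60004 ssh2
"""

if __name__ == "__main__":
    for a in hunt_ssh_log(SAMPLE_AUTH_LOG.splitlines()):
        flag = " [watched range]" if a.in_watched_range else ""
        print(f"{a.kind}: {a.user}@{a.host} from {a.src}{flag}: {a.detail}")
```

The second alert is the one to triage first: an accepted publickey login for an account that was just brute-forced means the attacker already holds a key that the host trusts, so the authorized_keys audit and credential reset in the containment steps apply to that account immediately.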
Containment, Eradication & Recovery
- Isolate: Immediately isolate any affected systems from the network to prevent further lateral movement.
- Block: Block network traffic to and from the identified malicious IP address (103.139.193.37) at the firewall.
- Scan: Perform a thorough malware scan on all systems, focusing on SSH authorized_keys files.
- Reimage: If a system is confirmed to be compromised, reimage it from a known-good backup or clean installation.
- Reset Credentials: Reset passwords for all accounts that may have been compromised, and enforce strong password policies.
Notify IT and leadership of the event to allow for internal and external communication plans to be enacted. Preserve system logs and network traffic data for forensic analysis.
Hardening & Preventive Controls
- Multi-Factor Authentication (MFA) (NIST CSF PR.AC-1, CIS Control 6): Enforce MFA for all SSH logins to prevent unauthorized access, even with compromised credentials.
- Intrusion Detection/Prevention System (IDS/IPS) (NIST CSF DE.CM-7, CIS Control 9): Deploy and properly configure an IDS/IPS to detect and block suspicious network activity, including brute-force attempts and unauthorized SSH key injection.
- Network Segmentation (NIST CSF PR.AC-4, CIS Control 14): Segment the network to limit the potential impact of a compromise.
- Least Privilege (NIST CSF PR.AC-3, CIS Control 5): Grant users only the minimum necessary privileges to perform their job functions.
- Regular Patching (NIST CSF PR.AM-2, CIS Control 7): Establish and enforce SLAs for patching systems and software to address known vulnerabilities.
- Disable Password Authentication: Disable password-based authentication for SSH and rely exclusively on key-based authentication.
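The last control is a concrete sshd_config change, and the one that removes the brute-force entry point this activity depends on. The checker below is an added example, not SGI's or OpenSSH's code: it parses an sshd_config text the way sshd reads it (first value for a keyword wins, and settings under a Match block are conditional, so parsing stops there) and reports the settings that still permit password or root login. The weak and hardened configs are constructed, the acceptable values follow OpenSSH's documented defaults, and the MaxAuthTries limit of 4 is this example's own choice.

```python
"""Check an sshd_config text for the password and root-login weaknesses this
report calls out. Added example (not SGI's): the two configs are constructed,
and the acceptable values and MaxAuthTries limit are this example's choices.
"""
import re
from typing import Dict, List, NamedTuple


class ConfigFinding(NamedTuple):
    key: str
    actual: str
    expected: str


# keyword (lowercased) -> (acceptable values, value sshd uses when the keyword is absent).
# The defaults are OpenSSH's documented ones.
POLICY = {
    "passwordauthentication": ({"no"}, "yes"),
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "permitemptypasswords": ({"no"}, "no"),
}
MAX_AUTH_TRIES = 4   # assumption for this example: tighter than the sshd default of 6


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings.

    sshd keeps the FIRST value it sees for a keyword, keywords are case-insensitive,
    and "Keyword value" or "Keyword=value" are both accepted. Settings inside a
    Match block only apply conditionally, so parsing stops at the first Match.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_sshd_config(text: str) -> List[ConfigFinding]:
    """One finding per setting whose effective value is outside the policy."""
    settings = parse_sshd_config(text)
    findings: List[ConfigFinding] = []
    for key, (acceptable, default) in POLICY.items():
        actual = settings.get(key, default).lower()
        if actual not in acceptable:
            findings.append(ConfigFinding(key, actual, "/".join(sorted(acceptable))))
    tries = settings.get("maxauthtries", "6")
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(ConfigFinding("maxauthtries", tries, f"<= {MAX_AUTH_TRIES}"))
    return findings


# Constructed: a config that leaves password guessing against root wide open.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

# Constructed: the same host after the "Disable Password Authentication" control.
# Anything under the Match block must be reviewed separately; the checker stops there.
HARDENED_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxAuthTries 3
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = check_sshd_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.key} = {f.actual!r}, expected {f.expected}")
```

Run it against the output of sshd -T rather than the file when possible, since that shows the values sshd actually resolved after Include directives; and remember that disabling PasswordAuthentication only pays off once every key in authorized_keys is inventoried, otherwise a key the attacker planted stays valid.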
Business Impact & Risk Outlook
A successful SSH key injection attack can lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory compliance may be impacted if sensitive data is exposed. We anticipate an increase in automated SSH key injection attempts targeting publicly accessible systems in the next 3-6 months. Organizations should proactively strengthen their SSH security posture to mitigate this risk.
Appendix
Assumptions & Data Gaps
- We assume the payload is an attempt to inject an SSH key, though full payload analysis was not performed.
- The specific target of the attack is unknown.
- Sensor name and network port information were not provided.