Compromised SSH Keys Detected: Potential for Lateral Movement
Executive Summary
- SGI has detected a file with characteristics of a rogue SSH authorized_keys file originating from a host in Bangladesh (AS18109).
- The file is flagged as malicious by 29 of 62 VirusTotal engines and poses a risk of unauthorized access.
- The likely attacker objective is to establish persistent and covert access to systems within the target network.
- The business risk level is Moderate, with potential for data breaches and service disruptions.
Organizations should immediately audit SSH key management practices to prevent further compromise.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-11-20T13:43:06.448Z |  | 103.86.198.XXX | AS18109 | BD | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
An SGI sensor observed a file transfer from 103.86.198.XXX (Bangladesh) carrying a suspicious payload; only the payload's SHA256 was retained, not its contents. The hash matches a VirusTotal sample with a high detection count whose submitted filenames indicate an SSH authorized_keys file. Writing such a file onto a victim is the persistence step, not the initial access: the attacker must already be able to write into the target account's .ssh directory, whether through compromised credentials or an exploited vulnerability.
Malware/Technique Overview
The observed activity is consistent with an attacker injecting their own public key into a victim account's authorized_keys file. The key does not bypass authentication; sshd accepts it as a legitimate credential, so the attacker logs in without a password, survives password resets, and generates ordinary-looking key-based login events. The technique is commonly used to establish persistence and to move laterally to other hosts where the same account and key are accepted.
- T1078.003 – Valid Accounts: Local Accounts (the targeted accounts root, oracle and uftp are local Unix accounts)
- T1098.004 – Account Manipulation: SSH Authorized Keys
- T1021.004 – Remote Services: SSH
- T1552.004 – Unsecured Credentials: Private Keys (T1555.004 is Windows Credential Manager and does not apply here)
VirusTotal Snapshot
VirusTotal analysis shows 29 of 62 engines flagging the file as malicious and 33 reporting it undetected. VirusTotal labels the 389-byte file as HTML; that is its heuristic type guess for a small text file and should not be read as a web payload, since 389 bytes is consistent with a single authorized_keys line holding a 2048-bit ssh-rsa key. Multiple submitted filenames indicate the same file was observed targeting several accounts (root, oracle, uftp, and others).
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 103.86.198.XXX | medium | 2025-11-20T13:43:06.448Z | AS18109 MAISHA NET |
| hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high | 2025-11-20T13:43:06.448Z | SHA256 from VirusTotal |
It is recommended to monitor these IoCs for at least 30 days.
Detection & Hunting
Use the following queries to detect potentially malicious SSH key modifications. They fire only if writes to authorized_keys are actually logged: enable an auditd watch (for example -w /root/.ssh/authorized_keys -p wa -k ssh_keys, with an equivalent watch per home directory) or a file-integrity monitor, and forward those events. Plain sshd syslog output records logins, not key-file edits.
Splunk
index=* ("authorized_keys" OR key="ssh_keys") (added OR modified OR type=SYSCALL)
| table _time, host, user, auid, uid, comm, exe, message
Elastic/Kibana KQL
message:"authorized_keys" AND (message:added OR message:modified OR message:"ssh_keys")
Validate true positives by confirming who wrote the file (auid versus uid), from which session and source IP, and whether the added key's fingerprint is known. Expect false positives from legitimate key rotations, ssh-copy-id, and configuration-management pushes.
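The detection logic above, run over sample audit records as an added example (not SGI sensor or SIEM code). It assumes auditd is running with a file watch such as -w /root/.ssh/authorized_keys -p wa -k ssh_keys (and one per home directory), so each write produces a SYSCALL record carrying key="ssh_keys" plus PATH records naming the file. The log lines are constructed for the example; the serial numbers, PIDs and inodes are placeholders.

```python
"""Correlate auditd SYSCALL and PATH records into alerts for writes to authorized_keys."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Audit line shape: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): field=value ...
REC_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AUID_UNSET = 4294967295  # auid when no login session is attached (daemon, cron, container entrypoint)


def parse_record(line):
    """Split one audit line into (type, timestamp, serial, {field: value}); None if not an audit line."""
    m = REC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return m.group("type"), float(m.group("ts")), int(m.group("serial")), fields


def correlate(lines, watch_key="ssh_keys"):
    """Group records by serial; emit one alert per successful write to an authorized_keys path."""
    events = defaultdict(lambda: {"ts": 0.0, "syscall": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events[serial]
        ev["ts"] = ts
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))

    alerts = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev["syscall"]
        if sc is None or sc.get("key") != watch_key or sc.get("success") != "yes":
            continue  # failed attempts and other audit rules are not alerts here
        targets = [p for p in ev["paths"] if p.endswith("authorized_keys")]
        if not targets:
            continue
        auid = int(sc.get("auid", AUID_UNSET))
        uid = int(sc.get("uid", -1))
        flags = []
        if auid == AUID_UNSET:
            flags.append("no_login_session")  # written by a service, not an interactive user
        elif auid != uid:
            flags.append("escalated")         # logged in as one user, wrote as another (sudo/su/exploit)
        if any(p.startswith("/root/") for p in targets):
            flags.append("root_target")
        alerts.append({
            "serial": serial,
            "time": datetime.fromtimestamp(ev["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "path": targets[0],
            "auid": auid, "uid": uid,
            "comm": sc.get("comm", ""), "exe": sc.get("exe", ""),
            "flags": flags,
        })
    return alerts


# Constructed sample records, not a real capture. Epoch 1763646186 is 2025-11-20T13:43:06Z.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1763646186.448:9001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3 a2=441 a3=1b6 items=2 ppid=3120 pid=3133 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key="ssh_keys"
type=PATH msg=audit(1763646186.448:9001): item=0 name="/home/oracle/.ssh/" inode=130 dev=fd:00 mode=040700 ouid=1001 ogid=1001 nametype=PARENT
type=PATH msg=audit(1763646186.448:9001): item=1 name="/home/oracle/.ssh/authorized_keys" inode=131 dev=fd:00 mode=0100600 ouid=1001 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1763646201.105:9002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e1 a2=441 a3=1b6 items=2 ppid=3133 pid=3140 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="sh" exe="/usr/bin/dash" key="ssh_keys"
type=PATH msg=audit(1763646201.105:9002): item=1 name="/root/.ssh/authorized_keys" inode=22 dev=fd:00 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1763646230.000:9003): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55f0 a2=441 a3=1b6 items=1 ppid=3133 pid=3151 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key="ssh_keys"
type=PATH msg=audit(1763646230.000:9003): item=0 name="/root/.ssh/authorized_keys" nametype=UNKNOWN
type=SYSCALL msg=audit(1763646240.000:9004): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="passwd_changes"
type=PATH msg=audit(1763646240.000:9004): item=1 name="/etc/passwd" nametype=NORMAL
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the oracle user's write to their own file produces a plain alert for triage, the write to /root/.ssh/authorized_keys from a session that logged in as uid 1001 is flagged escalated and root_target, the failed write (success=no) and the unrelated passwd_changes rule produce nothing. The auid-versus-uid comparison is the cheapest way to separate a user editing their own keys from an attacker who escalated after landing on the box.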
Containment, Eradication & Recovery
- Isolate affected systems from the network (at minimum, block inbound SSH to them) to prevent further lateral movement.
- Block the source IP address (103.86.198.XXX) at the firewall. Treat this as low-cost hygiene rather than containment: the IoC is medium confidence, and the attacker's subsequent logins need not come from that address.
- Scan all systems for unauthorized SSH keys: every authorized_keys file under user home directories and /root, any alternate locations set by AuthorizedKeysFile in sshd_config, and service accounts such as oracle and uftp that nobody should log into interactively. Remove unrecognized keys and record their fingerprints as IoCs.
- If compromise is confirmed, consider reimaging affected systems to ensure complete eradication.
- Reset passwords for all potentially compromised accounts and rotate their SSH key pairs; a password reset alone does not invalidate an injected public key.
Inform relevant IT and leadership teams about the incident and the containment steps taken. Preserve all relevant logs and artifacts for forensic analysis.
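The scan step above, and the recurring key audit recommended under hardening, as an added example that is not SGI tooling: it parses each authorized_keys line (options, key type, blob, comment), checks that the type embedded in the blob matches the declared type, computes the OpenSSH SHA256 fingerprint, compares it against an allowlist, and compares the whole file's SHA256 against the IoC from this advisory. The allowlist and sample file are constructed; the key blobs have valid OpenSSH framing but placeholder key material and are not real keys.

```python
"""Audit authorized_keys entries against an allowlist of trusted key fingerprints."""
import base64
import binascii
import hashlib
import os
import pwd
import shlex
import struct
from dataclasses import dataclass

IOC_SHA256 = "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"  # from the advisory
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


@dataclass
class KeyEntry:
    options: str      # leading options such as command="...",no-pty (empty if none)
    keytype: str      # declared type, or "UNPARSEABLE"
    blob_type: str    # type string embedded in the decoded blob
    fingerprint: str  # SHA256:... as printed by ssh-keygen -lf
    comment: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64 of sha256(decoded blob) with '=' padding stripped."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def embedded_type(blob_b64: str) -> str:
    """First length-prefixed string of the blob; OpenSSH requires it to equal the declared type."""
    raw = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii", errors="replace")


def parse_authorized_keys(text: str):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # keeps command="..." containing spaces as one field
        except ValueError:
            fields = line.split()
        if fields[0] in KEY_TYPES:
            options, rest = "", fields
        else:
            options, rest = fields[0], fields[1:]
        if len(rest) < 2 or rest[0] not in KEY_TYPES:
            entries.append(KeyEntry(options, "UNPARSEABLE", "", "", line))
            continue
        try:
            entries.append(KeyEntry(options, rest[0], embedded_type(rest[1]),
                                    fingerprint(rest[1]), " ".join(rest[2:])))
        except (binascii.Error, struct.error, ValueError):
            entries.append(KeyEntry(options, "UNPARSEABLE", "", "", line))
    return entries


def audit_file(text: str, trusted: set):
    """Return (sha256 of the file, findings). A finding is (severity, reason, entry or None)."""
    sha = hashlib.sha256(text.encode()).hexdigest()
    findings = []
    if sha == IOC_SHA256:
        findings.append(("high", "file hash matches advisory IoC", None))
    for e in parse_authorized_keys(text):
        if e.keytype == "UNPARSEABLE":
            findings.append(("medium", "unparseable line", e))
        elif e.blob_type != e.keytype:
            findings.append(("high", "key type mismatch", e))
        elif e.fingerprint not in trusted:
            findings.append(("high", "fingerprint not in allowlist", e))
        elif e.keytype == "ssh-dss":
            findings.append(("low", "DSA key (deprecated, rotate)", e))
    return sha, findings


def scan_host(trusted: set):
    """Audit ~/.ssh/authorized_keys for every local account, root included (run as root).
    Covers only the default path; add any extra AuthorizedKeysFile locations from sshd_config."""
    results = {}
    for pw in pwd.getpwall():
        path = os.path.join(pw.pw_dir, ".ssh", "authorized_keys")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = audit_file(fh.read(), trusted)
    return results


def synthetic_blob(keytype: str, material: bytes) -> str:
    """Valid OpenSSH blob framing around placeholder material (constructed, not a real key)."""
    kt = keytype.encode()
    return base64.b64encode(struct.pack(">I", len(kt)) + kt +
                            struct.pack(">I", len(material)) + material).decode()


GOOD_BLOB = synthetic_blob("ssh-ed25519", b"\x11" * 32)   # the one key the allowlist knows
ROGUE_BLOB = synthetic_blob("ssh-ed25519", b"\x22" * 32)  # an injected key
TRUSTED = {fingerprint(GOOD_BLOB)}
SAMPLE_FILE = f"""# constructed sample authorized_keys, not a real capture
ssh-ed25519 {GOOD_BLOB} admin@bastion
command="/usr/bin/true",no-pty ssh-ed25519 {ROGUE_BLOB} backup
"""
```

Running audit_file(SAMPLE_FILE, TRUSTED) returns one high finding, "fingerprint not in allowlist", for the second line; its options field shows the attacker-style restrictions that are often used to make an injected key look like a harmless backup key. For the real scan, run scan_host(trusted) as root with the allowlist exported from your key inventory, and treat any file whose SHA256 equals IOC_SHA256 as a confirmed hit.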
Hardening & Preventive Controls
Implement the following controls to prevent similar incidents in the future:
- Multi-Factor Authentication (MFA): Enforce MFA for all SSH access (NIST CSF PR.AC-1, CIS Control 6).
- EDR Tuning: Configure Endpoint Detection and Response (EDR) systems to detect unauthorized file modifications in SSH directories (NIST CSF DE.CM-1, CIS Control 10).
- Network Segmentation: Implement network segmentation to limit the blast radius of a potential compromise (NIST CSF PR.AC-5, CIS Control 14).
- Least Privilege: Enforce the principle of least privilege for all user accounts (NIST CSF PR.AC-4, CIS Control 5).
- Patch Management: Maintain timely patch SLAs for all systems (NIST CSF PR.IP-12, CIS Control 7).
- SSH Hardening: Set PasswordAuthentication no, KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on older OpenSSH) and PermitRootLogin prohibit-password or no in sshd_config so that only key-based authentication is accepted. Note that this does nothing against an injected key, so pair it with a key inventory. Where possible, issue SSH certificates (TrustedUserCAKeys) or serve keys centrally through AuthorizedKeysCommand and set AuthorizedKeysFile none, so that a key appended to a home directory is never consulted. Audit and rotate SSH keys on a fixed schedule.
Business Impact & Risk Outlook
Compromised SSH keys can lead to unauthorized access to critical systems, potentially resulting in data breaches, service disruptions, and reputational damage. The legal ramifications of a data breach can be significant.
We anticipate an increase in attacks targeting SSH keys as attackers seek more efficient ways to move laterally within compromised networks over the next 3-6 months.
Appendix
[Redacted Payload Snippet]
Assumptions & Data Gaps
- We assume the provided SHA256 hash accurately represents the malicious file.
- The exact content of the transferred file is not available, only the SHA256 hash.
- Network port information is missing from the observation.
References
Protect your organization from evolving threats. Request an Incident Readiness Review with SGI to assess your current security posture. Gain peace of mind with 24/7 Monitoring with Sentry365™, our managed security service. For strategic guidance and expert support, consider engaging our vCISO Advisory services.