Compromised SSH Authorized Keys via Suspect IP

Executive Summary

  • SGI detected a suspicious IP address (54.38.52.18) injecting potentially malicious SSH authorized keys into a system.
  • Impacted systems could grant unauthorized remote access to attackers, bypassing normal authentication mechanisms.
  • The likely objective is to establish persistent, covert access for data exfiltration, lateral movement, or system compromise.
  • Business risk is moderate to high, depending on the value of the compromised system and its network access.

Organizations should proactively monitor SSH key activity and implement multi-factor authentication to mitigate future risks.

Observed Activity (SGI Sensors)

ObservedAt:       2025-10-11T07:02:40.730Z
SensorName:       (not recorded)
SourceIP:         54.38.52.XXX
SourceASN:        AS16276
SourceGeo:        PL
Protocol/Port:    tcp/ (port not recorded)
PayloadPresence:  Yes
Hash:             a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

At 2025-10-11T07:02:40.730Z, an SGI sensor detected traffic originating from IP address 54.38.52.18 (ASN AS16276, Poland). The traffic contained a payload with a hash (SHA256: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) identified by VirusTotal as potentially malicious, specifically related to modification of SSH authorized keys. No specific port was identified. The sensor name is missing.

Malware/Technique Overview

The observed activity suggests an attempt to inject unauthorized SSH keys into the authorized_keys file of a user account. Successful injection grants the attacker passwordless SSH access to the targeted system. The malware family is named ‘20251011-032359-8b62384ab05d-1-redir__home_lab__ssh_authorized_keys’.

The initial access vector is assumed to be a compromised service or vulnerability allowing remote file modification. Targets are likely Linux/Unix systems with SSH enabled.

VirusTotal Snapshot

VirusTotal analysis shows 29 malicious detections out of 62 total scans, with 33 engines reporting the file as undetected and 0 reporting it as harmless. Aliases include variants related to different usernames and paths to the .ssh/authorized_keys file. The file type is detected as HTML. Reputation score is -34.

Indicators of Compromise (IoCs)

Type   Value                                                              Confidence  FirstSeen                 Notes
ip     54.38.52.XXX                                                       medium      2025-10-11T07:02:40.730Z  AS16276 OVH SAS
hash   a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2   high        2025-10-11T07:02:40.730Z  SHA256 from VirusTotal

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

Splunk SPL

index=* sourcetype=network_traffic src_ip=54.38.52.0/24
| regex _raw="ssh-rsa AAAA[0-9A-Za-z+/=]+"
| table _time, src_ip, dest_ip, _raw

This query searches network traffic for SSH-related traffic originating from the suspect IP range and containing potentially injected RSA public keys. Validate results by checking for unexpected SSH key additions in user authorized_keys files.

Elastic/Kibana KQL

source.ip : 54.38.52.0/24 AND message : "ssh-rsa AAAA*"

This KQL query searches for logs where the source IP is in the suspect range and the message contains an SSH RSA public key. False positives may include legitimate SSH key exchanges; investigate further.
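As an added example that is not part of the SGI report, the same hunt expressed in Python over a few constructed log lines: the source address is checked against the 54.38.52.0/24 range used by the queries above, the payload against the query's ssh-rsa pattern, and each hit is reported with the OpenSSH-style SHA256 fingerprint of the extracted key so it can be compared directly with `ssh-keygen -lf` output on the hosts under investigation. The log-line layout (timestamp, source, destination, payload) and the key material are constructed for the example; the key blob is structurally valid but built from a fixed byte pattern, not a real key.

```python
"""Hunt constructed network log lines for SSH public keys sent from the suspect range.

Added example mirroring the SPL/KQL queries; the log lines are constructed and
are not SGI sensor data.
"""
import base64
import hashlib
import ipaddress
import re
import struct

SUSPECT_NET = ipaddress.ip_network("54.38.52.0/24")     # range from the SPL/KQL queries
KEY_RE = re.compile(r"ssh-rsa (AAAA[0-9A-Za-z+/=]+)")   # same pattern as the Splunk query


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH string (RFC 4251); used only to build the constructed sample key."""
    return struct.pack(">I", len(data)) + data


def constructed_rsa_key() -> str:
    """Build a syntactically valid ssh-rsa blob (type, exponent, modulus) from fixed bytes.
    This is sample data for the example, not a usable key."""
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + b"\xab" * 64))
    return base64.b64encode(blob).decode()


def key_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: base64 of the SHA256 digest with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hunt(log_lines):
    """Return one hit per line whose source is in SUSPECT_NET and whose payload carries an RSA key."""
    hits = []
    for line in log_lines:
        try:
            ts, src, dst, raw = line.split(" ", 3)   # constructed layout: ts src dst payload
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed line or unparsable address: skip rather than abort the hunt
        if src_ip not in SUSPECT_NET:
            continue
        match = KEY_RE.search(raw)
        if not match:
            continue
        hits.append({"time": ts, "src": src, "dst": dst,
                     "fingerprint": key_fingerprint(match.group(1))})
    return hits


# Constructed sample: one key from the suspect range, one benign request from the
# same range, and one key from an unrelated address that should not be reported.
SAMPLE_KEY = constructed_rsa_key()
SAMPLE_LOGS = [
    f"2025-10-11T07:02:40.730Z 54.38.52.18 10.0.0.5 POST /upload body=ssh-rsa {SAMPLE_KEY} sample@injected",
    "2025-10-11T07:02:41.000Z 54.38.52.18 10.0.0.5 GET /index.html",
    f"2025-10-11T07:03:10.000Z 192.0.2.44 10.0.0.5 ssh-rsa {SAMPLE_KEY} ops@jump",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

The fingerprint is what links a network observation to a host: if the same `SHA256:` value turns up in a user's authorized_keys file (`ssh-keygen -lf ~/.ssh/authorized_keys`), the injection succeeded and the host belongs in the containment steps below.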

Containment, Eradication & Recovery

  1. Isolate Affected Systems: Disconnect any potentially compromised systems from the network to prevent lateral movement.
  2. Block Malicious IP: Add 54.38.52.18 to your firewall blocklist to prevent further communication.
  3. Scan for Unauthorized Keys: Scan all systems for unauthorized modifications to ~/.ssh/authorized_keys files.
  4. Reimage Compromised Systems: If unauthorized keys are found, reimage the affected systems from a known good backup.
  5. Reset Credentials: Reset passwords for all user accounts on compromised systems.

Ensure that IT and leadership are informed of the incident and the recovery plan. Preserve system logs and any identified malicious files for forensic analysis.

Hardening & Preventive Controls

  1. Implement Multi-Factor Authentication (MFA): Enforce MFA for all SSH access (NIST CSF PR.AC-1, CIS Control 6).
  2. Regularly Review SSH Keys: Schedule periodic audits of authorized SSH keys to identify and remove any unauthorized entries (NIST CSF DE.CM-7, CIS Control 5).
  3. Network Segmentation: Segment the network to limit the impact of a compromised system (NIST CSF PR.AC-4, CIS Control 14).
  4. Principle of Least Privilege: Ensure users have only the necessary privileges (NIST CSF PR.AC-3, CIS Control 4).
  5. Patch Management SLAs: Establish and enforce SLAs for patching vulnerabilities in SSH and other critical services (NIST CSF ID.AM-4, CIS Control 7).
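Containment step 3 and hardening step 2 both come down to the same check: every entry in every user's authorized_keys file is either on an approved inventory or is a finding. The following is an added example of that audit, not SGI tooling. It parses each line (including entries that carry leading options such as `from=` or `no-pty`), decodes the key blob, verifies that the type embedded in the blob matches the declared type, computes the OpenSSH-style SHA256 fingerprint, and reports anything that is malformed or not in the per-user baseline. The file content, the baseline and the key blobs are constructed inline; in practice the baseline comes from the organisation's key inventory and the file content from each host.

```python
"""Audit authorized_keys entries against a per-user allowlist of key fingerprints.

Added example, not SGI tooling. Sample keys are structurally valid blobs built
from fixed byte patterns; they are not real keys.
"""
import base64
import hashlib
import struct

# Key types OpenSSH accepts; the first token in this set marks where the options field ends.
KEY_TYPES = frozenset({
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
})


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH string (RFC 4251); used only to build the constructed sample keys."""
    return struct.pack(">I", len(data)) + data


def fingerprint(raw_blob: bytes) -> str:
    """OpenSSH-style fingerprint, the form printed by `ssh-keygen -lf`."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw_blob).digest()).decode().rstrip("=")


def parse_entry(line: str):
    """Parse one authorized_keys line. Returns None for blanks and comments, otherwise a dict
    holding either the parsed key or an 'error' saying why the line is malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return {"error": "no key type/blob found"}
    key_type, b64 = tokens[idx], tokens[idx + 1]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return {"error": "key blob is not valid base64"}
    # The blob itself begins with the key type string; a mismatch means the line was
    # hand-edited or corrupted and deserves a look regardless of the fingerprint.
    if len(raw) < 4 or len(raw) < 4 + struct.unpack(">I", raw[:4])[0]:
        return {"error": "key blob too short"}
    embedded = raw[4:4 + struct.unpack(">I", raw[:4])[0]].decode("ascii", "replace")
    return {
        "options": " ".join(tokens[:idx]),
        "key_type": key_type,
        "embedded_type": embedded,
        "fingerprint": fingerprint(raw),
        "comment": " ".join(tokens[idx + 2:]),
    }


def audit_user(user: str, lines, baseline: set):
    """Return findings for entries that are malformed, internally inconsistent, or not in the baseline."""
    findings = []
    for n, line in enumerate(lines, start=1):
        entry = parse_entry(line)
        if entry is None:
            continue
        if "error" in entry:
            kind = "malformed"
        elif entry["embedded_type"] != entry["key_type"]:
            kind = "type-mismatch"
        elif entry["fingerprint"] not in baseline:
            kind = "unexpected-key"
        else:
            continue
        findings.append({"user": user, "line": n, "finding": kind,
                         "fingerprint": entry.get("fingerprint"), "raw": line.strip()})
    return findings


# Constructed sample keys (fixed byte patterns, not real key material).
APPROVED_ED25519 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)).decode()
UNKNOWN_RSA = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + b"\xab" * 64)).decode()

# Baseline: fingerprints the inventory approves for this user.
BASELINE = {fingerprint(base64.b64decode(APPROVED_ED25519))}

# Constructed authorized_keys content: one approved key with options, one unknown key,
# one line whose declared type does not match its blob, and one unparsable line.
SAMPLE_AUTHORIZED_KEYS = [
    "# managed by configuration management",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {APPROVED_ED25519} ops@bastion',
    f"ssh-rsa {UNKNOWN_RSA} unknown@nowhere",
    f"ssh-rsa {APPROVED_ED25519} edited-type",
    "ssh-ed25519 not!base64 broken",
]

if __name__ == "__main__":
    for f in audit_user("lab", SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"{f['user']}:{f['line']} {f['finding']} {f['fingerprint']}")
```

Run across every account on a host (including system accounts with a home directory and any `AuthorizedKeysFile` paths set in sshd_config), an empty result is the expected state; any `unexpected-key` finding is evidence for step 3 of the containment plan, and comparing its fingerprint with those seen in network hunting ties the host back to the originating traffic.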

Business Impact & Risk Outlook

A successful SSH key compromise can lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory compliance may also be affected depending on the data accessed. We anticipate an increase in automated attacks targeting SSH services in the next 3-6 months, emphasizing the importance of proactive security measures.

Appendix

Assumptions & Data Gaps:

  • The specific port used in the attack is unknown.
  • The initial access vector used by the attacker is unknown.
  • The payload sample is not available.
  • Sensor name is missing.

References:

SGI recommends a comprehensive security assessment to identify and address vulnerabilities in your environment. Request an Incident Readiness Review to evaluate your security posture. Ensure continuous protection with 24/7 Monitoring with Sentry365™, and leverage our expertise with vCISO Advisory services.
