Compromised SSH Keys via Web-Delivered Payload

Executive Summary

  • SGI sensors detected a potentially malicious file, identified as a compromised SSH authorized_keys file, originating from IP address 146.190.111.235.
  • The file’s content suggests an attempt to gain unauthorized access to systems by injecting public keys for various user accounts.
  • The likely objective is lateral movement and privilege escalation within targeted networks.
  • The business risk is high, potentially leading to data breaches, system compromise, and operational disruption.

Organizations should immediately review SSH key management practices and implement enhanced security controls to prevent unauthorized access.

Observed Activity (SGI Sensors)

ObservedAt:       2025-10-12T08:59:50.588Z
SensorName:       (not recorded; see Assumptions & Data Gaps)
SourceIP:         146.190.111.XXX
SourceASN:        AS14061
SourceGeo:        SG
Protocol/Port:    tcp/ (port not recorded)
PayloadPresence:  Yes
Hash:             a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

On October 12, 2025, SGI sensors detected a potentially malicious file originating from IP address 146.190.111.235, associated with AS14061 (DigitalOcean, LLC) in Singapore. The file was delivered via TCP, and the payload was identified as a potentially compromised SSH authorized_keys file based on its content and VirusTotal analysis. The file contains multiple entries, each attempting to inject a public key for various user accounts on a target system. This suggests an automated attempt to gain unauthorized access.

Malware/Technique Overview

The detected file is classified as a potentially compromised SSH authorized_keys file. An authorized_keys file lists the public keys that are permitted to log in to a given account, which is what enables passwordless SSH login. Attackers target these files because appending a key grants persistent, unauthorized access that survives a password reset.

The initial access vector appears to be web-delivered, implying a successful phishing or drive-by download attack. The file’s structure suggests the attacker is attempting to inject SSH keys for multiple user accounts (e.g., root, ubuntu, ec2-user, etc.), which is indicative of a broad credential harvesting campaign. The targets are likely servers or workstations running SSH services.

  • TA0001 – Initial Access
  • T1190 – Exploit Public-Facing Application
  • T1133 – External Remote Services
  • T1078 – Valid Accounts
  • T1059 – Command and Scripting Interpreter
  • TA0006 – Credential Access
  • T1555 – Credentials from Password Stores
  • TA0008 – Lateral Movement
  • T1021 – Remote Services

VirusTotal Snapshot

VirusTotal analysis indicates that 29 vendors flagged the sample as malicious, while 33 vendors did not detect it. The file is described as HTML, suggesting it might be a redirected HTML page designed to inject the malicious content. Several aliases are associated with the file, indicating a pattern of similar attacks targeting different usernames and systems.

  • Malicious: 29
  • Undetected: 33
  • Harmless: 0

Given the high number of undetected hits, it is essential to implement proactive detection and prevention measures beyond relying solely on traditional antivirus solutions.

Indicators of Compromise (IoCs)

Type  Value                                                             Confidence  FirstSeen                 Notes
ip    146.190.111.XXX                                                   medium      2025-10-12T08:59:50.588Z  AS14061 DigitalOcean, LLC
hash  a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2  high        2025-10-12T08:59:50.588Z  SHA256 from VirusTotal

It is recommended to monitor these IoCs for at least 90 days.

Detection & Hunting

The following query can be used to identify similar activity in Splunk:

index=* source=*ssh* authorized_keys
| regex _raw="ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3}"
| stats count by _raw, src_ip

This query searches SSH-related sources that mention authorized_keys and uses a regular expression to pick out public keys. Note that the pattern matches only ssh-rsa entries; extend it to ssh-ed25519 and ecdsa-sha2-* key types if those are in use. Review the results for any unexpected or unauthorized keys, and enrich the logs with threat intelligence data to surface connections to known malicious IPs.
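A host-side complement to the log query, added here as example code that is not part of the original report: it parses each authorized_keys line (options, key type, blob, comment), computes the OpenSSH SHA256 fingerprint, checks that the type embedded in the blob matches the declared type, and flags any key missing from an allow-list. The sample file, the keys and the allow-list are constructed for the example; the blobs are minimal ed25519-style wire encodings, not real keys.

```python
import base64, binascii, hashlib, shlex, struct
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(raw):
    # OpenSSH fingerprint format: SHA256 of the decoded blob, base64 without padding.
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def embedded_type(raw):
    # The first SSH wire string inside a public key blob names the key type.
    n = struct.unpack(">I", raw[:4])[0] if len(raw) >= 4 else -1
    if n < 0 or len(raw) < 4 + n:
        raise ValueError("truncated blob")
    return raw[4:4 + n].decode("ascii", "replace")

def audit(text, approved):
    # One finding per key line; status is approved / unknown-key / type-mismatch / malformed.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)  # respects quoted option values such as command="..."
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        f = {"line": lineno, "status": "malformed", "options": [], "key_type": None, "comment": "", "fingerprint": None}
        if idx is not None and idx + 1 < len(tokens):
            f.update(options=tokens[:idx], key_type=tokens[idx], comment=" ".join(tokens[idx + 2:]))
            try:
                raw = base64.b64decode(tokens[idx + 1], validate=True)
                f["fingerprint"] = fingerprint(raw)
                mismatch = embedded_type(raw) != f["key_type"]  # declared type must match the blob
                f["status"] = ("type-mismatch" if mismatch else
                               "approved" if f["fingerprint"] in approved else "unknown-key")
            except (binascii.Error, ValueError):
                pass  # undecodable or truncated blob keeps status "malformed"
        findings.append(f)
    return findings

def make_blob(key_type, key_bytes):
    # Minimal SSH wire encoding string(type) || string(key); only used to build the samples below.
    return base64.b64encode(b"".join(struct.pack(">I", len(b)) + b for b in (key_type.encode(), key_bytes))).decode()

# Constructed sample file: one approved key followed by three entries an audit should flag.
GOOD, ROGUE, LIED = (make_blob("ssh-ed25519", bytes([i]) * 32) for i in (7, 1, 2))
APPROVED = {fingerprint(base64.b64decode(GOOD))}
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-ed25519 " + GOOD + " admin@bastion",
    "ssh-ed25519 " + ROGUE + " root@localhost",
    "ssh-rsa " + LIED + " user1@example.com",
    'command="/bin/true",no-pty ssh-ed25519 not!!base64 user2@example.com',
])
```

Run audit() over ~/.ssh/authorized_keys for every account (including root and service accounts) with the fingerprints from your key inventory as the allow-list; anything that is not "approved" is a candidate for removal and investigation.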

Containment, Eradication & Recovery

  1. Isolate Affected Systems: Immediately disconnect any systems that downloaded the malicious file from the network to prevent further spread.
  2. Block the Source IP: Add the IP address 146.190.111.235 to your firewall block list.
  3. Scan Systems for Compromised Keys: Use a security scanner to identify any systems with modified authorized_keys files.
  4. Reimage if Necessary: For systems with confirmed compromise, consider reimaging them from a trusted backup or clean installation.
  5. Reset Credentials: Reset all SSH keys and passwords for affected user accounts.

Communicate the incident to your IT team and leadership. Preserve forensic evidence (logs, affected files) for further investigation.

Hardening & Preventive Controls

  1. Multi-Factor Authentication (MFA): Implement MFA for all SSH logins (NIST CSF ID.AM-3, CIS Control 6).
  2. EDR Tuning: Configure your Endpoint Detection and Response (EDR) solution to detect suspicious file downloads and modifications to system configuration files (NIST CSF DE.CM-7, CIS Control 10).
  3. Network Segmentation: Segment your network to limit the impact of a potential breach (NIST CSF PR.AC-4, CIS Control 14).
  4. Least Privilege: Enforce the principle of least privilege, granting users only the minimum necessary permissions (NIST CSF PR.AC-3, CIS Control 5).
  5. Patch Management: Maintain a rigorous patch management process with defined SLAs for critical vulnerabilities (NIST CSF ID.SC-2, CIS Control 7).
  6. Disable Password Authentication: Disable password authentication for SSH and rely solely on SSH keys.

Business Impact & Risk Outlook

A successful SSH key compromise can lead to significant operational disruption, data breaches, and reputational damage. The ability to remotely access systems without proper authorization can provide attackers with a foothold to escalate privileges, move laterally within the network, and exfiltrate sensitive data.

In the next 3-6 months, we anticipate an increase in automated SSH key harvesting campaigns targeting cloud infrastructure and exposed services. Organizations must proactively strengthen their SSH key management practices and implement robust detection mechanisms.

Appendix

Redacted payload snippet:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClK..... user1@example.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2Q..... user2@example.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9R..... root@localhost

Assumptions & Data Gaps:

  • Sensor name is missing.
  • Port is missing.
