Compromised SSH Keys via Web Redirect: A Growing Threat
Executive Summary
- SGI observed low-severity activity involving an attacker-supplied ‘authorized_keys’ file, consistent with an attempt to establish unauthorized SSH access.
- The file was likely delivered via a web redirect, indicating a compromised web server or application.
- The objective is likely unauthorized remote access to systems via SSH.
- The business risk is moderate, potentially leading to data breaches, system downtime, and reputational damage.
- We anticipate an increase in web-based attacks targeting SSH credentials and keys in the coming months.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-10-01T07:52:09.268Z | | 23.91.96.XXX | AS135377 | HK | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
SGI sensors detected network traffic from IP address 23.91.96.123, originating from Hong Kong (AS135377, UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED). The payload was an ‘authorized_keys’ file, i.e. a list of SSH public keys in the format that sshd reads from a user's .ssh/authorized_keys; its SHA-256 hash was a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2. VirusTotal context suggests the file was delivered via a web redirect, pointing to a compromised web server or application as the distribution point. Written into a user's authorized_keys file, it would let the holder of the matching private key log in as that user over SSH, independent of the account's password.
Malware/Technique Overview
The observed artefact is not executable malware but an attacker-controlled ‘authorized_keys’ file: a list of SSH public keys, one per line, each optionally prefixed with options such as command= or from=. Appended to (or substituted for) .ssh/authorized_keys in a user's home directory on a Linux or Unix-like system, it grants SSH login as that user to anyone holding the corresponding private key. Because this access does not depend on the account's password, a password reset alone does not revoke it. The delivery via web redirect suggests a compromised web server or application is being used to distribute the file, potentially as part of a phishing campaign or drive-by download attack. Successful deployment yields persistent, unauthorized system access.
- TA0001 – Initial Access
- T1189 Drive-by Compromise: Attackers compromise websites to deliver malicious content to visitors.
- T1566 Phishing: Attackers use deceptive emails or websites to trick users into divulging sensitive information or downloading malicious files.
- TA0003 – Persistence
- T1098.004 Account Manipulation: SSH Authorized Keys: Attackers add their own public key to a user's authorized_keys file to retain access across password changes and reboots.
- TA0006 – Credential Access
- T1556 Modify Authentication Process: Attackers alter how an authentication mechanism decides who is allowed in, here by extending the set of keys sshd accepts.
VirusTotal Snapshot
VirusTotal analysis shows that 29 out of 62 engines flagged the sample as malicious and 33 did not detect it. Some engines identify the file as containing unauthorized SSH keys, while others classify it as a generic HTML file; low and inconsistent coverage is expected for a plain-text artefact that contains no executable code, so absence of detection on a host is not evidence of absence. Several file names associated with the sample place it in various users' directories, consistent with the same key set being planted across multiple accounts.
Detections: Malicious: 29, Undetected: 33, Harmless: 0
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| IP | 23.91.96.XXX | Medium | 2025-10-01T07:52:09.268Z | AS135377 UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED |
| Hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | High | 2025-10-01T07:52:09.268Z | SHA256 from VirusTotal |
Recommended Retention Period: Monitor these IoCs for at least 90 days. Note that the hash matches only this exact file; any change (an added key, an edited comment) produces a new hash. The durable indicator is the attacker's public key itself, or its fingerprint, which should be extracted from any recovered copy and added to the hunt.
Detection & Hunting
Use these queries to identify potentially malicious SSH key activity.
Splunk SPL
index=* sourcetype=web (src_ip="23.91.96.123" OR dest_ip="23.91.96.123") "authorized_keys"
| table _time, host, src_ip, dest_ip, uri, file_hash
Elastic/Kibana KQL
source.ip : "23.91.96.123" and url.path : *authorized_keys*
Note: These queries find the transfer in web and proxy logs, not whether the key was installed. Validate true positives by examining the contents of any downloaded ‘authorized_keys’ files for keys you cannot attribute, and follow up on the hosts that received them. False positives may occur due to legitimate downloads of SSH keys, for example provisioning scripts fetching an authorized_keys file from a trusted internal source.
Containment, Eradication & Recovery
- Isolate Affected Systems: Disconnect any systems that downloaded the malicious file from the network to prevent further spread.
- Block Malicious IP: Block traffic to and from 23.91.96.123 at the firewall, treating it as a short-lived indicator, since cloud-hosted infrastructure is easily rotated.
- Scan Systems: Run a full system scan with updated antivirus and anti-malware software. A list of public keys contains no executable code and is easily missed by signature scanners, so the SSH key review is the decisive check, not the scan.
- Review SSH Keys: Examine every .ssh/authorized_keys file, for all users including root and service accounts, plus any non-default locations set by AuthorizedKeysFile in sshd_config, for entries you cannot attribute to a person or system. Remove any unknown or unauthorized keys and record their fingerprints as indicators.
- Reset Credentials: Reset passwords for any accounts potentially compromised and rotate the SSH key pairs of those accounts; a password reset alone does not revoke key-based access.
- Communication: Inform your IT team and leadership about the incident and the steps being taken to address it.
- Evidence Preservation: Preserve any logs, network traffic, and file samples related to the incident for forensic analysis, including the original authorized_keys file before it is cleaned.
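The web-log queries above only catch the transfer; on the host, the check that matters (both for hunting and for the "Review SSH Keys" containment step) is parsing every authorized_keys file and comparing each key's fingerprint against an inventory of keys you have attributed. The following is an added example, not SGI tooling and not code from this report: it parses entries in the format sshd documents for authorized_keys (optional options field, key type, base64 blob, comment), computes the SHA256 fingerprint in the notation `ssh-keygen -lf` prints, and flags entries that are not allowlisted, carry a forced command, or do not parse. The sample file, the key material in it and the allowlist are all constructed inline; the 32-byte key bodies are stand-ins, not real keys.

```python
"""Audit OpenSSH authorized_keys content against an allowlist of fingerprints.

Added example (not SGI tooling). Entries follow the sshd(8) AUTHORIZED_KEYS
format: [options] keytype base64-blob [comment]. sshd takes the first value of
a line as an options field whenever it is not a key type.
"""
import base64
import hashlib
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of the digest of the wire blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def _split_options(line: str):
    """Split the leading options field from the rest; quoted values may contain spaces."""
    i, in_quote = 0, False
    while i < len(line):
        if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif line[i].isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].strip()


def _parse_options(options: str):
    """Split a comma-separated options field, ignoring commas inside quotes."""
    out, cur, in_quote = [], "", False
    for c in options:
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            out.append(cur)
            cur = ""
        else:
            cur += c
    return out + [cur] if cur else out


def parse_line(line: str):
    """Return (options, keytype, blob, comment), or None for blank/comment lines.
    Raises ValueError for entries sshd would reject as well."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:  # leading token is an options field
        options, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised entry: {line[:40]!r}")
    keytype, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])  # wire blob begins with its own type string
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match the declared type")
    return options, keytype, blob, comment


def audit(text: str, allowlist) -> list:
    """Return one finding per suspicious entry: {'line', 'fingerprint', 'reasons', ...}."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_line(raw)
        except ValueError as exc:
            findings.append({"line": lineno, "fingerprint": None, "reasons": [f"malformed: {exc}"]})
            continue
        if parsed is None:
            continue
        options, keytype, blob, comment = parsed
        fp, reasons = fingerprint(blob), []
        if fp not in allowlist:
            reasons.append("not in allowlist")
        # Forced commands appear in backdoors as well as legitimate rsync/git keys: verify either way.
        if any(o.lower().startswith("command=") for o in _parse_options(options)):
            reasons.append("forced command option")
        if keytype == "ssh-dss":
            reasons.append("deprecated ssh-dss key")
        if reasons:
            findings.append({"line": lineno, "fingerprint": fp, "reasons": reasons, "comment": comment})
    return findings


def _sample_entry(seed: int, comment: str, options: str = "") -> str:
    """Constructed ssh-ed25519 entry; the 32-byte key body is a stand-in, not a real key."""
    pub = hashlib.sha256(b"sample-%d" % seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    entry = f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
    return f"{options} {entry}" if options else entry


ADMIN_ENTRY = _sample_entry(1, "alice@workstation")
DEPLOY_ENTRY = _sample_entry(2, "deploy", 'from="10.0.0.0/8",command="/usr/bin/rrsync /srv"')
PLANTED_ENTRY = _sample_entry(3, "backup")  # the unattributed key an attacker appended
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample of ~/.ssh/authorized_keys",
    ADMIN_ENTRY, DEPLOY_ENTRY, PLANTED_ENTRY,
    "ssh-ed25519 not!base64 junk",
])
# Fingerprints already attributed to people or systems; normally kept in a key inventory.
ALLOWLIST = {fingerprint(parse_line(e)[2]) for e in (ADMIN_ENTRY, DEPLOY_ENTRY)}

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {f['line']}: {f['fingerprint']} {', '.join(f['reasons'])}")
```

To run it across a fleet, feed `audit()` the contents of every authorized_keys path (each user's home plus whatever AuthorizedKeysFile names in sshd_config) and build the allowlist from `ssh-keygen -lf` output over the keys you have attributed. An entry that is allowlisted but carries a forced command is still reported, because an attacker who edits an existing trusted line gets the same fingerprint with different behaviour.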
Hardening & Preventive Controls
Prioritize these controls to improve your security posture:
- Multi-Factor Authentication (MFA) (NIST CSF PR.AC-7, CIS Control 6): Enforce MFA for all SSH logins by requiring a public key plus a second factor (for example AuthenticationMethods publickey,keyboard-interactive backed by a PAM second-factor module, or hardware-backed FIDO2 keys), so that a planted key alone never grants access.
- Endpoint Detection and Response (EDR) (NIST CSF DE.CM-4, CIS Control 10): Tune your EDR solution to alert on writes to authorized_keys files and on SSH sessions from unexpected sources, not only on suspicious file downloads.
- Network Segmentation (NIST CSF PR.AC-5, CIS Control 12): Segment your network and restrict SSH to bastion hosts or management networks to limit the impact of a potential breach.
- Least Privilege (NIST CSF PR.AC-4, CIS Control 5): Grant users only the minimum necessary privileges; disable direct root login over SSH (PermitRootLogin no) and point AuthorizedKeysFile at a root-owned directory so that users, and any code running as them, cannot add keys to their own accounts.
- Patch Management (NIST CSF PR.IP-12, CIS Control 7): Implement a robust patch management process to address vulnerabilities promptly, in particular on the web servers and applications that serve as the distribution point.
- Web Application Firewall (WAF) (NIST CSF PR.PT-4): Implement a WAF to protect web applications from common attacks, including those that could lead to malicious redirects.
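The MFA, least-privilege and key-location controls above all map to a handful of sshd_config directives. The following checker is an added example, not SGI tooling and not the configuration of any product named on this page: it parses the global section of an sshd_config with sshd's first-value-wins rule and reports the weak out-of-the-box settings beside a hardened set. Both configurations are constructed samples. It assumes a PAM second-factor module is installed for the keyboard-interactive method (outside the scope of the example), and it does not evaluate Match blocks, which can relax the global settings for specific users or sources.

```python
"""Check global sshd_config directives against the SSH hardening controls above.

Added example (not SGI tooling). sshd uses the first value it sees for each
keyword, so the parser keeps the first occurrence and stops at the first
`Match` block. DEFAULTS are OpenSSH's documented defaults for the keywords checked.
"""

DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
    "authenticationmethods": "any",
}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword (lowercased): first value}, global section only."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:  # sshd also accepts Keyword=value
            line = line.replace("=", " ", 1)
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # conditional block: everything after it is out of scope here
            break
        conf.setdefault(key, value)  # first occurrence wins, as in sshd
    return conf


def check_sshd_config(text: str) -> list:
    """Return findings as strings; an empty list means every checked control holds."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if conf["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': passwords remain a phishable login path")
    if conf["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: key plus second factor cannot be enforced")
    if conf["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is not 'no': a key planted in /root/.ssh/authorized_keys gives root directly")
    # Each space-separated alternative must list publickey and at least one further method.
    alternatives = conf["authenticationmethods"].split()
    if alternatives == ["any"] or not all(
        "publickey" in alt.split(",") and len(alt.split(",")) >= 2 for alt in alternatives
    ):
        findings.append("AuthenticationMethods does not require publickey plus a second factor")
    # Relative paths resolve under the user's home, where the user (and anything running
    # as the user) can write; so does anything built from %h.
    user_writable = [
        p for p in conf["authorizedkeysfile"].split()
        if p != "none" and (not p.startswith("/") or "%h" in p)
    ]
    if user_writable:
        findings.append(f"AuthorizedKeysFile {' '.join(user_writable)} is user-writable: "
                        "any code running as the user can plant a key")
    return findings


WEAK_SSHD_CONFIG = """\
# constructed sample: a common out-of-the-box configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample: key plus second factor, keys in a root-owned directory
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
# assumption: a PAM second-factor module (e.g. TOTP) is configured for sshd
AuthenticationMethods publickey,keyboard-interactive
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {check_sshd_config(cfg) or ['no findings']}")
```

Running the checker on the output of `sshd -T` (which prints the effective configuration, defaults included, one lowercase keyword per line) gives a more faithful picture than the file alone, but Match-scoped exceptions still need to be reviewed by hand.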
Business Impact & Risk Outlook
A successful SSH key compromise can lead to significant operational disruption, including unauthorized access to critical systems, data breaches, and potential ransomware attacks. This can result in financial losses, legal liabilities, and reputational damage.
Forward-Looking Trend: We anticipate an increase in web-based attacks targeting SSH credentials and keys, with attackers leveraging compromised websites and applications to distribute malicious files and gain unauthorized access to internal networks. Organizations should proactively implement the hardening measures outlined above to mitigate this risk.
Appendix
Redacted payload snippet:
[REDACTED SSH PUBLIC KEY DATA]
Assumptions & Data Gaps:
- We assume the attacker’s objective is unauthorized access to systems via SSH.
- We are missing the exact URL used for the web redirect.
- We do not have the full payload of the malicious ‘authorized_keys’ file.
Protect your organization from evolving threats with SGI’s comprehensive security solutions. Request an Incident Readiness Review to assess your preparedness and identify areas for improvement. Ensure continuous protection with 24/7 Monitoring with Sentry365™, and leverage the expertise of our vCISO Advisory services to develop a robust security strategy.