Compromised SSH Keys via Web Redirect: A Security Alert
Executive Summary
- SGI has detected a suspicious file identified as a compromised SSH authorized_keys file.
- The malware likely spreads via web redirects, injecting malicious SSH keys into target systems.
- The attacker’s objective is to gain unauthorized remote access to systems.
- The business risk level is considered moderate, potentially leading to data breaches, system compromise, and operational disruption.
- Expect to see more sophisticated attacks leveraging web redirects to compromise sensitive system files like SSH keys.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-10-06T08:11:47.803Z | | 47.180.114.XXX | AS5650 | US | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
SGI sensors detected a connection from IP address 47.180.114.229 (AS5650, Frontier Communications, Los Angeles, CA). The detected traffic contained a file identified as a modified SSH authorized_keys file. VirusTotal analysis indicates that the file is associated with malicious activity and has been flagged by multiple vendors. This activity suggests a potential attempt to inject malicious SSH keys for unauthorized access to systems.
Malware/Technique Overview
The detected malware family 20251004-212000-ada36a6e5468-1-redir__root__ssh_authorized_keys targets SSH access controls by modifying the authorized_keys file. The initial access vector appears to be web redirects, potentially exploiting vulnerabilities or misconfigurations to inject malicious content. Successful injection allows attackers to bypass authentication and gain unauthorized remote access. This technique typically targets servers and network devices that rely on SSH for remote administration.
- T1190 – Exploit Public-Facing Application
- T1133 – External Remote Services
- T1078 – Valid Accounts
- T1556.002 – Modify Authentication Process: SSH Authorized Keys
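The technique described above turns on the contents of one file, so the first check on a suspect host is whether every line in authorized_keys is a key you actually issued. The following is an added example, not SGI tooling and not taken from this alert: it parses the file (including the leading options that an attacker-placed entry may or may not carry), computes the SHA256 fingerprint that `ssh-keygen -lf` would print, and reports any entry that is outside an approved baseline or whose declared key type disagrees with the encoded blob. The sample file, the key blobs (filler bytes in SSH wire format, not real keys) and the approved baseline are all constructed for the example.

```python
"""Audit an OpenSSH authorized_keys file against an approved fingerprint baseline.

Added example for this alert; not SGI's tooling. The sample file below is
constructed: the key blobs are synthetic filler bytes in ssh wire format, not
real key material, and the approved baseline is likewise invented.
"""
import base64
import hashlib
import struct

KNOWN_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                   "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
                   "sk-ecdsa-sha2-nistp256@openssh.com"}


def _split_options(line):
    """Split leading options from the rest of a key line.

    Options are comma separated and may hold double-quoted values containing
    spaces (command="/usr/bin/backup --full"), so stop at the first space that
    is outside quotes rather than using str.split().
    """
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(blob_b64):
    """Key type embedded in the wire-format blob (its first length-prefixed string)."""
    blob = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def parse_authorized_keys(text):
    """Return one dict per key line: line, options, key_type, blob, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KNOWN_KEY_TYPES:
            options, line = _split_options(line)
        parts = line.split(None, 2)
        entry = {"line": lineno, "options": options, "key_type": None,
                 "blob": None, "comment": raw.strip()}
        if len(parts) >= 2:
            entry.update(key_type=parts[0], blob=parts[1],
                         comment=parts[2] if len(parts) == 3 else "")
        entries.append(entry)
    return entries


def audit_authorized_keys(text, approved_fingerprints):
    """Return a finding for every entry that is not a well-formed, approved key."""
    findings = []
    for e in parse_authorized_keys(text):
        reasons, fp = [], None
        if e["blob"] is None:
            reasons.append("unparseable line")
        else:
            try:
                fp = fingerprint(e["blob"])
                embedded = blob_key_type(e["blob"])
                if embedded != e["key_type"]:
                    reasons.append(f"declared type {e['key_type']} does not match blob type {embedded}")
            except (ValueError, struct.error, UnicodeDecodeError):
                reasons.append("key blob is not valid base64/wire format")
            if fp is not None and fp not in approved_fingerprints:
                reasons.append("fingerprint not in approved baseline")
        if reasons:
            findings.append({**e, "fingerprint": fp, "reasons": reasons})
    return findings


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_blob(filler):
    """Constructed stand-in for an ed25519 public key: 32 filler bytes, not a real key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes([filler]) * 32)).decode()


# Constructed sample: two approved keys, one nobody approved, and one whose declared
# type disagrees with its blob (a quick sign that a line was pasted in by hand).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not from a real host",
    f"ssh-ed25519 {constructed_ed25519_blob(1)} admin@bastion",
    f'command="/usr/bin/backup --full",no-pty ssh-ed25519 {constructed_ed25519_blob(2)} backup-job',
    f"ssh-ed25519 {constructed_ed25519_blob(3)} root@unknown-host",
    f"ssh-rsa {constructed_ed25519_blob(1)} mislabelled",
])
APPROVED_FINGERPRINTS = {fingerprint(constructed_ed25519_blob(n)) for n in (1, 2)}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {f['line']}: {f['key_type']} {f['fingerprint']} {f['comment']!r}: " + "; ".join(f["reasons"]))
```

Run it against /root/.ssh/authorized_keys and each user's file on a suspect host, with the baseline exported from whatever system issues keys in your environment; the entry dict also carries the raw option string, so `command=` and `from=` restrictions can be diffed against the baseline as well.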
VirusTotal Snapshot
VirusTotal analysis of the file (SHA256: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) shows:
- Malicious detections: 29
- Undetected: 33
- Harmless: 0
Multiple vendors flag this file as malicious or suspicious.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| IP | 47.180.114.XXX | Medium | 2025-10-06T08:11:47.803Z | AS5650 Frontier Communications of America, Inc. |
| Hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | High | 2025-10-06T08:11:47.803Z | SHA256 from VirusTotal |
It is recommended to monitor these IoCs for at least 30 days.
Detection & Hunting
Splunk SPL
index=* sourcetype=network_traffic dst_ip=47.180.114.0/24
| stats count by src_ip, dst_port
| where count > 100
Elastic/Kibana KQL
destination.ip : 47.180.114.0/24 AND network.protocol : "tcp"
When investigating, validate that traffic to the destination port is expected and that the source IPs are known good; high counts from unknown source IPs are suspicious. Review network logs for connections to the identified IP address and investigate any unusual traffic patterns. Also review web server logs for suspicious redirects involving SSH authorized_keys files.
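The SPL and KQL above only count connections; the second half of the hunt, finding redirects whose target names an authorized_keys file (as the 302 response in the appendix does), needs the Location header, which standard access logs do not carry but most proxy and HTTP-inspection logs do. The following is an added example, not an SGI detection: it reads JSON-lines proxy records in a made-up field layout (ts, src_ip, dst_ip, status, url, location; rename these for your own proxy or Zeek data), flags 3xx responses whose redirect path mentions SSH key material, flags any destination in the /24 from the IoC table (the alert masks the last octet, so the hunt is on the network), and keeps a per-source redirect count for the "unusual traffic patterns" review. The log lines are constructed.

```python
"""Hunt proxy logs for redirects that point at SSH authorized_keys material.

Added example for this alert, not an SGI detection. The log lines below are
constructed JSON records in a made-up field layout; adapt the field names to
your own proxy or Zeek http.log export.
"""
import ipaddress
import json
from collections import Counter
from urllib.parse import urlparse

# Network from the IoC table; the alert masks the last octet, so hunt on the /24.
SUSPECT_NETWORK = ipaddress.ip_network("47.180.114.0/24")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Path fragments that should never appear in a redirect target a browser follows.
SUSPICIOUS_PATH_TOKENS = ("authorized_keys", "/.ssh/", "id_rsa", "id_ed25519")


def classify(record):
    """Return the reasons a single log record is suspicious (empty list if none)."""
    reasons = []
    try:
        dst = ipaddress.ip_address(record.get("dst_ip", ""))
    except ValueError:
        dst = None
    if dst is not None and dst in SUSPECT_NETWORK:
        reasons.append(f"destination {dst} in IoC network {SUSPECT_NETWORK}")
    if record.get("status") in REDIRECT_STATUSES:
        target = record.get("location") or ""
        path = urlparse(target).path.lower()
        hits = [tok for tok in SUSPICIOUS_PATH_TOKENS if tok in path]
        if hits:
            reasons.append(f"redirect to {target} mentions {', '.join(hits)}")
    return reasons


def hunt(lines):
    """Parse JSON-lines records; return (findings, redirect count per src_ip)."""
    findings = []
    redirects_by_src = Counter()
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            # A line the collector could not serialise is itself worth a look.
            findings.append({"line": n, "reasons": ["unparseable record"], "record": line})
            continue
        if rec.get("status") in REDIRECT_STATUSES:
            redirects_by_src[rec.get("src_ip", "?")] += 1
        reasons = classify(rec)
        if reasons:
            findings.append({"line": n, "reasons": reasons, "record": rec})
    return findings, redirects_by_src


# Constructed sample: a benign redirect, a hit on the IoC network, a redirect whose
# Location names an authorized_keys file (cf. the appendix), and a corrupt line.
SAMPLE_LOG = [
    '{"ts": "2025-10-06T08:10:02Z", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.10", '
    '"status": 302, "url": "http://203.0.113.10/old", "location": "https://203.0.113.10/new"}',
    '{"ts": "2025-10-06T08:11:47Z", "src_ip": "10.1.2.4", "dst_ip": "47.180.114.229", '
    '"status": 200, "url": "http://47.180.114.229/", "location": null}',
    '{"ts": "2025-10-06T08:12:09Z", "src_ip": "10.1.2.4", "dst_ip": "198.51.100.7", '
    '"status": 302, "url": "http://198.51.100.7/", '
    '"location": "http://198.51.100.7/redirect__root__ssh_authorized_keys"}',
    "not json at all",
]

if __name__ == "__main__":
    found, counts = hunt(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: " + "; ".join(f["reasons"]))
    print("redirects per source:", dict(counts))
```

The per-source counter is the place to apply the same kind of threshold the SPL uses; the path-token check is deliberately applied only to 3xx responses so that ordinary requests naming a key file (a security scanner's probes, for instance) do not drown out the redirect pattern this alert is about.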
Containment, Eradication & Recovery
- Isolate affected systems: Immediately disconnect any systems exhibiting suspicious activity from the network to prevent further propagation.
- Block malicious IP: Add the identified IP address (47.180.114.229) to your firewall blocklist.
- Scan systems: Perform a full system scan using updated antivirus and anti-malware solutions to detect and remove any malicious files.
- Reimage compromised systems: If the compromise is severe, consider reimaging affected systems to ensure complete eradication of the malware.
- Reset credentials: Reset passwords for all user accounts, especially those with SSH access, and enforce strong password policies.
Inform IT and leadership about the incident, including the scope, impact, and remediation steps. Preserve all relevant logs and network traffic data for forensic analysis.
Hardening & Preventive Controls
- Implement Multi-Factor Authentication (MFA) (NIST CSF PR.AC-1, CIS Control 6): Enforce MFA for all remote access services, including SSH, to prevent unauthorized access even with compromised credentials.
- Tune Endpoint Detection and Response (EDR) solutions (NIST CSF DE.CM-1, CIS Control 8): Configure EDR solutions to detect and block malicious file modifications, including unauthorized changes to SSH authorized_keys files.
- Implement Network Segmentation (NIST CSF PR.AC-4, CIS Control 14): Segment the network to limit the lateral movement of attackers in case of a successful compromise.
- Apply Least Privilege Principle (NIST CSF PR.AC-3, CIS Control 5): Grant users only the minimum necessary privileges to perform their tasks, reducing the potential impact of compromised accounts.
- Patch Management SLAs (NIST CSF PR.PT-1, CIS Control 7): Ensure timely patching of systems to address known vulnerabilities that could be exploited for web redirect attacks.
- Disable SSH password authentication (NIST CSF PR.AC-1, CIS Control 6): Rely exclusively on SSH keys and disable password authentication to prevent brute-force attacks.
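Several of the controls above (MFA on SSH, key-only authentication, no password logins) come down to a handful of sshd_config keywords, and sshd's first-match-wins rule means a later "PasswordAuthentication no" is silently ignored if an earlier line says yes. The following is an added example, not SGI tooling: it evaluates the global section of an sshd_config the way sshd does (first occurrence of a keyword wins, settings after the first Match block are conditional and excluded, OpenSSH defaults applied when a keyword is absent) against the controls listed above, and shows a constructed weak configuration beside a corrected one. The MFA check only verifies that every AuthenticationMethods alternative requires publickey; the second factor itself (a PAM module or hardware token) is configured outside this file and is not covered here.

```python
"""Check an sshd_config against the hardening items in this alert.

Added example, not SGI tooling. Both configurations below are constructed.
Defaults follow current OpenSSH documentation for keywords that are absent.
"""
import re

DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "authenticationmethods": "any",
}
RECOMMENDED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "authenticationmethods": "publickey,keyboard-interactive",
}


def parse_global_section(text):
    """Keyword -> value for the part of sshd_config before any Match block.

    sshd keeps the first value it sees for a keyword, so setdefault() mirrors
    that; keywords are case-insensitive and 'Keyword=value' is also accepted.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything after this is conditional, not global
        values.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return values


def check_sshd_config(text):
    """Return (keyword, effective_value, recommended) for each control that is not met."""
    values = parse_global_section(text)
    findings = []
    for keyword, recommended in RECOMMENDED.items():
        effective = values.get(keyword, DEFAULTS[keyword]).lower()
        if keyword == "authenticationmethods":
            # Every space-separated alternative must include publickey.
            ok = effective != "any" and all(
                "publickey" in alt.split(",") for alt in effective.split())
        elif keyword == "permitrootlogin":
            ok = effective in {"no", "prohibit-password"}
        else:
            ok = effective == recommended
        if not ok:
            findings.append((keyword, effective, recommended))
    return findings


WEAK_SSHD_CONFIG = """\
# constructed weak configuration, not from any real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no    # ignored: sshd keeps the first value it sees
Match User backup
    PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
# constructed hardened configuration matching the controls in this alert
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for keyword, effective, recommended in check_sshd_config(WEAK_SSHD_CONFIG):
        print(f"{keyword}: effective '{effective}', set to '{recommended}'")
    print("hardened config findings:", check_sshd_config(HARDENED_SSHD_CONFIG))
```

On a live host, `sshd -T` prints the effective configuration with defaults resolved and is the more authoritative input; the parser here is for reviewing config files pulled from many hosts offline, where the first-match and Match-block pitfalls are the ones that usually hide a weak setting.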
Business Impact & Risk Outlook
A successful SSH key compromise can lead to significant operational disruption, data breaches, and reputational damage. Attackers can gain unauthorized access to critical systems, steal sensitive data, and disrupt business operations. Legal and regulatory compliance may be affected if compromised data includes personally identifiable information (PII) or protected health information (PHI).
We anticipate an increase in attacks leveraging web redirects to compromise sensitive system files. Organizations should prioritize hardening SSH configurations and implementing robust web security measures to mitigate this risk.
Appendix
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
The document has moved <a href="http://[REDACTED]/redirect__root__ssh_authorized_keys">here</a>.
</body></html>
Assumptions & Data Gaps
- The exact payload delivered via the redirect is not fully available, so the full scope of compromise is unknown.
- We are assuming standard TCP port 22 is being used for SSH.
- Sensor name data is missing.
Protect your organization from evolving threats with Sentry Global Intelligence & Consulting Group (SGI). Request an Incident Readiness Review to assess your security posture. Gain peace of mind with 24/7 Monitoring with Sentry365™. Strengthen your leadership with vCISO Advisory services.