Emerging Threat: SSH Authorized Key Manipulation
Executive Summary
- SGI has detected a potentially malicious modification of SSH authorized keys.
- The affected systems could be servers or workstations accessible via SSH.
- The attacker’s likely objective is to establish persistent, passwordless access.
- Business risk is moderate to high, depending on the compromised system’s role.
Expect to see continued attempts to exploit SSH misconfigurations and weak credentials as attackers seek to maintain access and move laterally within networks.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash (SHA256) |
|---|---|---|---|---|---|---|---|
| 2025-10-17T08:04:28.732Z |  | 182.253.156.XXX | AS17451 | ID | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
SGI sensors detected a suspicious file, identified by the SHA256 hash above, originating from IP address 182.253.156.184. The file triggered alerts because its submission names and content matched patterns associated with tampering of SSH authorized_keys files. The source IP is located in Jakarta, Indonesia, and belongs to ASN AS17451 (BIZNET NETWORKS). Further analysis showed that the file content is HTML rather than SSH public-key material, which points either to a redirection or injection attempt or to a download that returned a web page instead of a key file. Note that sshd ignores authorized_keys lines that do not parse as key entries, so an HTML file dropped into that path does not by itself grant access; during triage, the key-material lines (if any) are what to inspect.
Malware/Technique Overview
The detected activity is associated with unauthorized modification of SSH authorized keys. This technique allows attackers to gain persistent access to systems by adding their own SSH keys to the authorized_keys file, enabling passwordless login. The initial access vector is currently unknown but could include:
- Compromised credentials (obtained via phishing or brute-force attacks).
- Exploitation of vulnerabilities in SSH or related services.
- Social engineering to trick users into adding malicious keys.
Typical targets include servers, workstations, and network devices that rely on SSH for remote access and administration.
MITRE ATT&CK Mapping:
- T1133 – External Remote Services
- T1078 – Valid Accounts
- T1098.004 – Account Manipulation: SSH Authorized Keys [TA0003 Persistence, TA0004 Privilege Escalation]
- T1021.004 – Remote Services: SSH [TA0008 Lateral Movement]
- T1556.003 – Modify Authentication Process: Pluggable Authentication Modules [TA0006 Credential Access, TA0005 Defense Evasion, TA0003 Persistence] (a related SSH persistence technique to hunt for alongside key manipulation; not evidenced by this sample)
VirusTotal Snapshot
VirusTotal shows 29 of 62 engines flagging the sample as malicious and 33 returning no detection. The file names under which the sample was submitted include variations of "authorized_keys" and paths pointing at the .ssh directories of different user accounts, consistent with attempts to plant keys for several users. No single vendor's detection name is notably more specific than the others.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 182.253.156.XXX | medium | 2025-10-17T08:04:28.732Z | AS17451 BIZNET NETWORKS |
| hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high | 2025-10-17T08:04:28.732Z | SHA256 from VirusTotal |
It is recommended to monitor these IoCs for at least 30 days.
Detection & Hunting
Splunk SPL:
(index=* (source=*ssh* OR eventtype=sshd OR sourcetype=linux_secure) ("Accepted publickey for" OR "Invalid user"))
    OR (index=* file_hash="a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2")
| rex "Accepted publickey for (?<user>\S+) from (?<src_ip>\S+) port \d+ ssh2: (?<key_type>\S+) (?<fingerprint>\S+)"
| rex "Invalid user (?<user>\S+) from (?<src_ip>\S+)"
| table _time, host, user, src_ip, key_type, fingerprint, file_hash
The first clause returns OpenSSH authentication events: "Accepted publickey for <user> from <ip> port <n> ssh2: <type> SHA256:<fingerprint>" for successful key logins (OpenSSH does not log the string "Pubkey accepted") and "Invalid user <name> from <ip>" for probes against accounts that do not exist. The second clause matches any indexed file-hash telemetry (EDR, file-integrity monitoring) that carries the sample's SHA256; adjust the sourcetype and the field name to your data model. Compare the fingerprints of accepted keys against your approved key inventory to distinguish legitimate key rotations from unauthorized additions, and pivot on src_ip for logins from the IoC address.
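As an added example (not part of the SGI advisory or its tooling), the same triage logic run locally in POSIX shell and awk over OpenSSH auth log lines, for hosts without a SIEM. The log lines, hostnames, IP addresses and fingerprints are constructed for the example; the allowlist of approved fingerprints is an assumed input you would populate from your key inventory (ssh-keygen -lf on each approved public key).

```shell
#!/bin/sh
# Added example: local triage of OpenSSH auth log lines (POSIX sh + awk).
# Reports publickey logins whose fingerprint is not on an allowlist, and
# "Invalid user" probes grouped by source IP.

# Constructed sample log lines in OpenSSH's real message format. Hosts,
# users, IPs and fingerprints are made up for this example.
SAMPLE_LOG=$(cat <<'EOF'
Oct 17 08:01:02 web01 sshd[2101]: Invalid user admin from 198.51.100.23 port 51002
Oct 17 08:01:03 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51002 ssh2
Oct 17 08:03:11 web01 sshd[2150]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:knownKEYfingerprintAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 17 08:04:28 web01 sshd[2198]: Accepted publickey for root from 198.51.100.23 port 51188 ssh2: RSA SHA256:UNKNOWNfingerprintBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Oct 17 08:05:00 web01 sshd[2210]: Accepted password for alice from 192.0.2.11 port 40100 ssh2
EOF
)

# Assumed input: fingerprints of approved keys (whitespace-separated), as
# printed by "ssh-keygen -lf <pubkey>". Constructed value.
ALLOWED_FPS="SHA256:knownKEYfingerprintAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# unknown_pubkey_logins LOGTEXT ALLOWLIST
# Prints "user src_ip fingerprint" for every successful publickey login whose
# fingerprint is absent from ALLOWLIST. Password logins are not key-based and
# are left to the password-auth review.
unknown_pubkey_logins() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted publickey for / {
            # ... Accepted publickey for USER from IP port N ssh2: TYPE FINGERPRINT
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            fp = $NF
            if (!(fp in ok)) print user, ip, fp
        }'
}

# invalid_user_probes LOGTEXT
# Prints "count src_ip" for "Invalid user" events, most frequent source first.
invalid_user_probes() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Invalid user / {
            for (i = 1; i <= NF; i++) if ($i == "from") probes[$(i + 1)]++
        }
        END { for (ip in probes) print probes[ip], ip }' | sort -rn
}

# Stand-alone demo.
echo "== publickey logins with fingerprints not on the allowlist =="
unknown_pubkey_logins "$SAMPLE_LOG" "$ALLOWED_FPS"
echo "== Invalid user probes by source IP =="
invalid_user_probes "$SAMPLE_LOG"
```

In the sample, the root login from the same address that was probing for "admin" a few minutes earlier is the line worth escalating: an unknown fingerprint accepted for root is exactly what a planted authorized_keys entry looks like in the log. Run the first function over /var/log/auth.log or journalctl -u ssh output on each host in scope.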
Containment, Eradication & Recovery
- Isolate affected systems from the network to prevent further compromise.
- Block the malicious IP address (182.253.156.184) at the firewall for the monitoring window; it is a medium-confidence indicator on an ISP range (BIZNET NETWORKS), so expect it to age out rather than treating it as a long-term control.
- Scan all systems for unauthorized SSH keys in every ~/.ssh/authorized_keys file (root's included), in any additional path named by AuthorizedKeysFile, and in any AuthorizedKeysCommand configured in sshd_config, since attackers can redirect where sshd reads keys from. List fingerprints with ssh-keygen -lf and compare them against the approved key inventory; ssh-audit checks the daemon's algorithms and host keys rather than authorized_keys contents, so use it for the configuration review, not the key hunt.
- Reimage severely compromised systems to ensure complete eradication.
- Reset user passwords, especially for accounts that may have been compromised, and treat any private keys stored on the affected systems as compromised: revoke them from every authorized_keys file they appear in and reissue them.
Communicate the incident to IT staff and leadership. Preserve evidence (logs, disk images) for forensic analysis.
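One way to run the authorized_keys sweep from the list above, as an added example and not SGI's or OpenSSH's tooling: a POSIX shell audit that walks a directory tree, parses each authorized_keys file (options prefix, key type, base64 blob) and reports entries not on an approved list, entries carrying options such as command= or from=, and lines that are not key entries at all (as with the HTML sample described in this advisory). The directory layout, key blobs and approved list are constructed for the demo; the key blobs are truncated placeholders, not real keys.

```shell
#!/bin/sh
# Added example: audit authorized_keys files under a directory tree (POSIX sh + awk).
# Reports entries whose "type blob" is not on an approved list, entries carrying
# options (command=, from=, ...), and lines that are not SSH key entries at all.
# It does not depend on ssh-keygen, so it runs on a mounted image or a minimal host.

# Assumed input: approved "<type> <base64>" pairs, one per line. Constructed,
# truncated placeholder blobs, not real keys.
APPROVED_KEYS="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKey000000000000000000000000000000000
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCGoodRsaKey00000000000000000000000000"

# audit_authorized_keys ROOT ALLOWLIST
# Walks ROOT for files named authorized_keys and prints one finding per line:
#   <file>:<lineno> UNAPPROVED_KEY <type> <blob prefix>...
#   <file>:<lineno> HAS_OPTIONS <options>
#   <file>:<lineno> NOT_A_KEY <line prefix>
audit_authorized_keys() {
    root=$1; allow=$2
    find "$root" -type f -name authorized_keys 2>/dev/null | while read -r f; do
        awk -v allow="$allow" -v file="$f" '
            BEGIN {
                n = split(allow, a, "\n")
                for (i = 1; i <= n; i++) ok[a[i]] = 1
                # "<keytype> <base64>" token; options (which may contain quoted spaces)
                # are whatever precedes it, so locate it with match() rather than $1/$2
                kt = "(^|[ \t])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\\.com)[ \t]+[A-Za-z0-9+/=]+"
            }
            /^[ \t]*(#|$)/ { next }                       # blank lines and comments
            {
                if (!match($0, kt)) {                     # sshd would ignore this line too
                    printf "%s:%d NOT_A_KEY %s\n", file, NR, substr($0, 1, 40)
                    next
                }
                opts = substr($0, 1, RSTART - 1); sub(/[ \t]+$/, "", opts)
                keypart = substr($0, RSTART, RLENGTH); sub(/^[ \t]+/, "", keypart)
                split(keypart, kp, " ")                   # kp[1] = key type, kp[2] = base64 blob
                blob = kp[1] " " kp[2]
                if (opts != "") printf "%s:%d HAS_OPTIONS %s\n", file, NR, opts
                if (!(blob in ok))
                    printf "%s:%d UNAPPROVED_KEY %s %s...\n", file, NR, kp[1], substr(kp[2], 1, 16)
            }' "$f"
    done
}

# build_sample_tree DIR: writes constructed authorized_keys files for the demo.
build_sample_tree() {
    mkdir -p "$1/deploy/.ssh" "$1/www/.ssh"
    cat > "$1/deploy/.ssh/authorized_keys" <<'EOF'
# deploy keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKey000000000000000000000000000000000 deploy@ci
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEvilKey000000000000000000000000000 root@attacker
command="/bin/sh -c id",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKey000000000000000000000000000000000 forced
EOF
    # A file that is HTML rather than key material, like the sample in this advisory.
    cat > "$1/www/.ssh/authorized_keys" <<'EOF'
<!DOCTYPE html><html><head><title>Not Found</title></head><body>404</body></html>
EOF
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
audit_authorized_keys "$demo_dir" "$APPROVED_KEYS"
rm -rf "$demo_dir"
```

Point it at /home and /root on a live host, or at the mounted root of a disk image during forensics. An approved key that shows up with options it never had (HAS_OPTIONS) deserves the same attention as an unknown key, since a forced command or from= restriction added by an attacker can hide what a login actually does.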
Hardening & Preventive Controls
- Multi-Factor Authentication (MFA) (NIST CSF 1.1 PR.AC-1, PR.AC-7; CIS Controls v8 Control 6): Enforce MFA for all SSH access, for example a PAM-based second factor combined with key authentication (AuthenticationMethods publickey,keyboard-interactive).
- Endpoint Detection and Response (EDR) Tuning (NIST CSF 1.1 DE.CM-4, DE.CM-7; CIS Controls v8 Controls 10 and 13): Configure EDR to alert on writes to authorized_keys files and to sshd_config, and on suspicious sshd activity; where EDR is absent, an auditd file watch (for example -w /root/.ssh/authorized_keys -p wa) or file-integrity monitoring on those paths gives the same signal.
- Network Segmentation (NIST CSF 1.1 PR.AC-5; CIS Controls v8 Control 12): Segment the network to limit the blast radius of a potential compromise.
- Least Privilege (NIST CSF 1.1 PR.AC-4; CIS Controls v8 Controls 5 and 6): Grant users only the necessary privileges.
- Patch Management (NIST CSF 1.1 PR.IP-12; CIS Controls v8 Control 7): Implement a robust patch management process to address vulnerabilities promptly.
- SSH Hardening (NIST CSF 1.1 PR.AC-3, PR.IP-1; CIS Controls v8 Control 4): Disable password authentication (PasswordAuthentication no, and KbdInteractiveAuthentication no unless it carries the MFA prompt), keep PubkeyAuthentication yes, set PermitRootLogin no, restrict logins with AllowUsers or AllowGroups and firewall rules limiting source addresses, keep StrictModes yes, consider pointing AuthorizedKeysFile at a root-owned location so that a compromised user account cannot add its own keys, and regularly audit the effective configuration (sshd -T prints it with defaults resolved).
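To make the SSH hardening bullet concrete, an added example (not from the advisory or from OpenSSH): a POSIX shell check that reads an sshd_config, applies sshd's first-value-wins rule, and reports settings that differ from the hardened values above, run against a constructed weak configuration and a constructed hardened one. It reads only the global section (it stops at the first Match block) and the "Keyword value" form; for the effective configuration including Match blocks, use sshd -T on the host.

```shell
#!/bin/sh
# Added example: check an sshd_config against the hardening points above (POSIX sh + awk).
# Applies sshd's rule that the first value given for a keyword wins, reads only
# the global section (stops at the first Match block) and only the
# "Keyword value" form. For the effective configuration on a live host use: sshd -T

# check_sshd_config FILE
# Prints one line per weak or missing directive:
#   <keyword> current=<value>[ (absent)] recommended=<value>
check_sshd_config() {
    awk '
        BEGIN {
            # want = hardened value; def = value sshd applies when the keyword is absent
            want["passwordauthentication"] = "no";        def["passwordauthentication"] = "yes"
            want["kbdinteractiveauthentication"] = "no";  def["kbdinteractiveauthentication"] = "yes"
            want["permitemptypasswords"] = "no";          def["permitemptypasswords"] = "no"
            want["pubkeyauthentication"] = "yes";         def["pubkeyauthentication"] = "yes"
            want["permitrootlogin"] = "no";               def["permitrootlogin"] = "prohibit-password"
            want["strictmodes"] = "yes";                  def["strictmodes"] = "yes"
        }
        /^[ \t]*(#|$)/ { next }                           # comments and blank lines
        tolower($1) == "match" { exit }                   # Match blocks need their own review
        {
            k = tolower($1)
            if (k == "challengeresponseauthentication")   # deprecated alias (OpenSSH < 8.7)
                k = "kbdinteractiveauthentication"
            if (!(k in val)) val[k] = tolower($2)         # first value wins, as in sshd
        }
        END {
            for (k in want) {
                eff = (k in val) ? val[k] : def[k]
                if (eff != want[k])
                    printf "%s current=%s%s recommended=%s\n", k, eff, ((k in val) ? "" : " (absent)"), want[k]
            }
            if (!("allowusers" in val) && !("allowgroups" in val))
                print "allowusers/allowgroups current=(absent) recommended=restrict logins to named admin users or groups"
            # sshd default is a user-writable path under the home directory
            akf = ("authorizedkeysfile" in val) ? val["authorizedkeysfile"] : ".ssh/authorized_keys"
            if (akf !~ /^\//)
                print "authorizedkeysfile current=" akf " recommended=root-owned path such as /etc/ssh/authorized_keys/%u"
        }' "$1"
}

# Constructed configurations for the demo (not taken from any real host).
WEAK_CONFIG='# weak: password logins, root logins and user-writable key files all allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
X11Forwarding yes'

HARDENED_CONFIG='# hardened per the controls above
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
StrictModes yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
AllowGroups ssh-admins
X11Forwarding no'

# Stand-alone demo.
demo=$(mktemp -d)
printf '%s\n' "$WEAK_CONFIG" > "$demo/sshd_config.weak"
printf '%s\n' "$HARDENED_CONFIG" > "$demo/sshd_config.hardened"
echo "== weak =="; check_sshd_config "$demo/sshd_config.weak"
echo "== hardened (no output expected) =="; check_sshd_config "$demo/sshd_config.hardened"
rm -rf "$demo"
```

The check flags KbdInteractiveAuthentication yes because, without MFA, keyboard-interactive is just another password prompt; if the MFA bullet above is implemented through PAM, keep it enabled and rely on AuthenticationMethods to require the key as well. Moving AuthorizedKeysFile to a root-owned directory is the one setting that directly blunts the technique in this advisory: an attacker with only a user's credentials can no longer append a key for that user.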
Business Impact & Risk Outlook
A successful SSH key compromise can lead to significant operational disruption, data breaches, and reputational damage. Legal and compliance ramifications may arise depending on the sensitivity of the data accessed. Expect an increase in automated attacks targeting SSH, especially as attackers refine their techniques for identifying and exploiting vulnerable systems. Monitor logs and enforce security best practices.
Appendix
Assumptions & Data Gaps:
- The initial access vector used to modify the SSH keys is unknown.
- The full scope of the compromise is not yet determined.
- The purpose of the injected HTML is unknown.
SGI is committed to providing timely and actionable threat intelligence to protect your organization. Request an Incident Readiness Review to proactively assess your security posture. Ensure continuous protection with 24/7 Monitoring with Sentry365™. For strategic guidance and expert support, consider our vCISO Advisory services.