Executive Summary

• SGI sensors detected a suspicious file resembling an SSH authorized key being transferred from a host in Chile (186.64.123.41).
• The file’s contents suggest an attempt to inject a malicious SSH key, potentially granting unauthorized remote access.
• Impacted systems are those with SSH enabled and vulnerable to authorized key manipulation.
• The likely objective is unauthorized access to systems via SSH.
• Business risk is moderate, depending on the compromised system’s role and data access.

We anticipate attackers will continue targeting SSH for initial access, necessitating strong key management and intrusion detection.

Observed Activity (SGI Sensors)

On October 14, 2025, SGI sensors detected network activity originating from 186.64.123.41 (AS52368, Chile). The traffic contained a file resembling an SSH authorized key. The filename aliases observed on VirusTotal suggest a pattern of targeting various user home directories for SSH key injection. This activity is indicative of a potential SSH-based intrusion attempt.

Malware/Technique Overview

The detected activity involves an attempt to modify or replace an SSH `authorized_keys` file. This file controls which SSH keys are trusted for login to a user account. By injecting a malicious key, an attacker can gain passwordless SSH access.

• T1190 – Exploit Public-Facing Application (if a vulnerable service facilitated the initial transfer)
• T1078.002 – Valid Accounts: Domain Accounts (if successful in gaining access to a domain account)
• T1059.004 – Command and Scripting Interpreter: Unix Shell
• T1556.002 – Modify Authentication Process: Credentials in Files (specifically, authorized_keys)

VirusTotal Snapshot

VirusTotal analysis shows 29 malicious detections out of 62 total vendors. 33 vendors did not detect the file. Several vendors flagged the file as malicious. The file is identified under various aliases, including “authorized_keys” and a naming convention suggesting attempted placement in different user home directories.

• VirusTotal Sample

Indicators of Compromise (IoCs)

It is recommended to monitor these IoCs for at least 90 days.

Detection & Hunting

The following query detects attempts to modify the authorized_keys file:

index=sysmon EventCode=1 TargetFilename=*\.ssh\authorized_keys | stats count by Image, TargetFilename, User

This query searches for file creation events (EventCode=1) where the target filename is “authorized_keys” within the .ssh directory. Review results for unexpected processes or users modifying these files. False positives may include legitimate key management tools.

Containment, Eradication & Recovery

1. Isolate potentially affected systems from the network to prevent further compromise.
2. Block the source IP (186.64.123.41) at the firewall.
3. Scan affected systems with updated antivirus and anti-malware solutions.
4. Reimage any systems where unauthorized SSH keys were successfully injected.
5. Reset SSH keys and passwords for all potentially compromised accounts.

Establish a communication plan to keep IT staff and leadership informed. Preserve all evidence for forensic analysis.

Hardening & Preventive Controls

• Implement Multi-Factor Authentication (MFA) for all SSH access (NIST CSF PR.AC-1, CIS Control 6).
• Tune Endpoint Detection and Response (EDR) systems to detect unauthorized file modifications, especially to critical system files like `authorized_keys` (NIST CSF DE.CM-8, CIS Control 10).
• Implement network segmentation to limit the blast radius of potential intrusions (NIST CSF PR.AC-4, CIS Control 14).
• Enforce the principle of least privilege to limit the impact of compromised accounts (NIST CSF PR.AC-3, CIS Control 5).
• Maintain strict patch management SLAs to address vulnerabilities promptly (NIST CSF ID.SC-2, CIS Control 7).

If SSH is exposed to the internet, restrict access to specific IP ranges and consider using a VPN for remote access.

Business Impact & Risk Outlook

A successful SSH key injection can lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory compliance may be affected if sensitive data is compromised.

We anticipate an increase in SSH-based attacks in the coming months, driven by the continued prevalence of exposed SSH services and weak key management practices.

Appendix

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>400 Bad Request</title>
</head><body>
<h1>400 Bad Request</h1>
Your browser sent a request that this server could not understand.<p>
Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR /
Instead use the HTTPS scheme to access this URL, please.</p>
<hr><address>Apache/2.4.18 (Ubuntu) Server at bigeyes.geotracker.cl Port 80</address>
</body></html>

• Assumptions & Data Gaps: SensorName and Protocol/Port are empty. The complete payload sample is unavailable, limiting precise behavioral analysis.
• References:
  • VirusTotal Sample

Protect your organization from evolving threats with SGI’s comprehensive security solutions. Request an Incident Readiness Review to assess your current posture and identify vulnerabilities. Ensure continuous protection with 24/7 Monitoring with Sentry365™. For strategic security guidance, consider our vCISO Advisory services.