Emerging Threat: SSH Authorized Key Redirection Activity


Executive Summary

  • SGI detected a low-severity threat involving attempts to redirect SSH authorized keys.
  • Compromised systems could grant unauthorized SSH access to attackers.
  • The likely objective is to gain persistent and privileged access to targeted systems.
  • Business risk is moderate, potentially leading to data breaches, service disruptions, or lateral movement within the network.

Organizations should enhance SSH security measures and monitor for suspicious activity related to authorized key modifications.

Observed Activity (SGI Sensors)

ObservedAt: 2025-11-06T08:55:13.593Z
SensorName:
SourceIP: 14.103.115.XXX
SourceASN: AS137718
SourceGeo: CN
Protocol/Port: tcp/
PayloadPresence: Yes
Hash: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

On November 6, 2025, SGI sensors detected suspicious network activity originating from IP address 14.103.115.106, located in Shanghai, China and associated with ASN AS137718 (Beijing Volcano Engine Technology Co., Ltd.). The activity involved a TCP connection and included a payload. Analysis of the payload revealed a file hash associated with potential SSH authorized key redirection attempts. The detected activity is classified as low severity, but warrants investigation due to the potential for unauthorized access.

Malware/Technique Overview

The observed activity is associated with a malware family related to the redirection of SSH authorized keys. This technique allows attackers to gain unauthorized access to systems by modifying the authorized_keys file, which controls SSH key-based authentication. When a user attempts to connect via SSH, the modified file can redirect the connection to an attacker-controlled server or grant the attacker direct access without proper authorization.

  • T1190 – Exploit Public-Facing Application
  • T1078.003 – Valid Accounts: Local Accounts
  • T1059.004 – Command and Scripting Interpreter: Unix Shell
  • T1556.002 – Modify Authentication Process: SSH Authorized Keys

VirusTotal Snapshot

VirusTotal analysis of the identified hash (a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) shows 29 out of 62 vendors flagging it as malicious. While many vendors do not flag it, the number of malicious detections suggests a potential threat.

Some notable aliases identified by VirusTotal include variations of “redir__root__ssh_authorized_keys” and similar patterns targeting other user directories.

Indicators of Compromise (IoCs)

Type: ip
Value: 14.103.115.XXX
Confidence: medium
FirstSeen: 2025-11-06T08:55:13.593Z
Notes: AS137718 Beijing Volcano Engine Technology Co., Ltd.

Type: hash
Value: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
Confidence: high
FirstSeen: 2025-11-06T08:55:13.593Z
Notes: SHA256 from VirusTotal

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

The following queries can be used to detect similar activity within your environment:

Splunk

index=* src_ip="14.103.115.0/24"
| stats count by src_ip, dest_ip, dest_port
| `ip_reputation`

This query searches for connections originating from the specified IP range and summarizes them by source and destination, keeping src_ip in the results so the `ip_reputation` macro has a field to enrich. Examine the results for unusual destination IPs or ports. Validate true positives by correlating with other security events and network logs. Investigate any unusual SSH activity.

Elastic/Kibana KQL

source.ip : 14.103.115.0/24

This KQL query searches for events where the source IP address falls within the 14.103.115.0/24 subnet. Review the logs to find any events associated with SSH activity. False positives could include legitimate traffic from VPNs or cloud services. Validate by reviewing the destination IP, port, and associated user accounts.
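The network queries above only catch the known source range; the technique itself lands in authorized_keys, so hosts should also be checked for entries that are not in an approved baseline or that carry options such as command= that turn a key into a foothold. The following is an added example (not SGI's code or a tool from the report) that parses authorized_keys entries, computes the SHA256 fingerprint the way ssh-keygen -lf prints it, and reports deviations from a baseline; the baseline and current file contents are constructed samples with fake key blobs.

```python
import base64
import hashlib
import re

# One authorized_keys entry: optional options field, key type, base64 blob, optional comment.
KEY_RE = re.compile(
    r'^(?P<opts>(?:[^\s"]|"[^"]*")+\s+)?'
    r'(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d{3}|sk-[\w.-]+@openssh\.com)\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$'
)
SUSPICIOUS_OPTIONS = ("command=", "environment=", "permitopen=")  # turn a login into a foothold

def parse_authorized_keys(text: str) -> list:
    """Return one dict per entry, with the SHA256 fingerprint as ssh-keygen -lf prints it."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        digest = hashlib.sha256(base64.b64decode(m["blob"])).digest()
        entries.append({"line": lineno, "type": m["type"], "options": (m["opts"] or "").strip(),
                        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("=")})
    return entries

def audit(baseline_text: str, current_text: str) -> list:
    """Compare a host's authorized_keys with an approved baseline; return (line, fingerprint, reason)."""
    known = {e["fingerprint"] for e in parse_authorized_keys(baseline_text) if "fingerprint" in e}
    findings = []
    for e in parse_authorized_keys(current_text):
        if "error" in e:
            findings.append((e["line"], "", e["error"]))  # malformed lines deserve a look too
            continue
        if e["fingerprint"] not in known:
            findings.append((e["line"], e["fingerprint"], "key not in approved baseline"))
        for opt in SUSPICIOUS_OPTIONS:
            if opt in e["options"]:
                findings.append((e["line"], e["fingerprint"], f"option {opt} set"))
    return findings

def fake_blob(label: str) -> str:
    # Constructed stand-in for a key blob: valid base64, not a usable key.
    return base64.b64encode(label.encode()).decode()

# Constructed sample: the approved baseline, and the same file after an unauthorized edit.
BASELINE = f"ssh-ed25519 {fake_blob('approved-admin-key')} admin@bastion\n"
CURRENT = BASELINE + f'command="/tmp/payload",no-pty ssh-rsa {fake_blob("unknown-key")} redir__root\n'
```

Running audit(BASELINE, CURRENT) reports the second entry twice: once because its fingerprint is not in the baseline and once for the forced command option. On real hosts, feed it the contents of each user's ~/.ssh/authorized_keys and a baseline kept outside the host.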

Containment, Eradication & Recovery

  1. Isolate: Immediately isolate any affected systems from the network to prevent further compromise.
  2. Block: Block the identified malicious IP address (14.103.115.106) at the firewall and other network security devices.
  3. Scan: Perform a full system scan on potentially affected hosts using updated antivirus and anti-malware solutions.
  4. Reimage: If the system is heavily compromised or cannot be reliably cleaned, consider reimaging it from a known-good backup.
  5. Credential Reset: Reset passwords for all user accounts on the affected systems and enforce strong password policies.

Ensure IT and leadership are informed of the situation. Preserve all relevant logs and artifacts for forensic analysis.

Hardening & Preventive Controls

  • Multi-Factor Authentication (MFA): Implement MFA for all SSH connections (NIST CSF: PR.AC-1, CIS Control 6).
  • EDR Tuning: Tune Endpoint Detection and Response (EDR) solutions to detect anomalous behavior, including unauthorized modifications to SSH authorized keys (NIST CSF: DE.CM-1, CIS Control 10).
  • Network Segmentation: Implement network segmentation to limit the blast radius of potential compromises (NIST CSF: PR.AC-5, CIS Control 14).
  • Least Privilege: Enforce the principle of least privilege, ensuring users only have the necessary permissions (NIST CSF: PR.AC-3, CIS Control 5).
  • Patch Management: Maintain timely patch SLAs for operating systems and applications (NIST CSF: ID.AM-4, CIS Control 7).
  • SSH Hardening: Disable password-based authentication for SSH and only allow key-based authentication. Regularly review and rotate SSH keys (CIS Control 8).

Business Impact & Risk Outlook

Compromise via SSH authorized key redirection can lead to significant operational disruptions, including unauthorized access to critical systems and data breaches. Legal risks include potential violations of data privacy regulations. Reputational damage can result from public disclosure of a security incident.

We anticipate an increase in SSH-related attacks over the next 3-6 months as attackers continue to target this widely used protocol. Organizations should prioritize strengthening SSH security measures.

Appendix

Assumptions & Data Gaps:

  • We assume that the available data is representative of the overall threat activity.
  • The specific commands executed after SSH access is gained are unknown.
  • The full extent of the attacker’s infrastructure is unknown.
