Emerging Threat: SSH Authorized Keys Injection via Compromised Host in Shanghai

Executive Summary

  • SGI sensors detected suspicious activity originating from IP address 14.103.158.69 in Shanghai, China.
  • The activity involves a potentially malicious file identified as an SSH authorized key, suggesting an attempt to gain unauthorized access to systems.
  • The likely objective is credential access (MITRE ATT&CK T1078) and subsequent lateral movement within targeted networks.
  • The business risk is moderate, potentially leading to data breaches, system compromise, and operational disruption.
  • Expect an increase in SSH-related attacks targeting exposed services in the coming months; proactive hardening is essential.

Observed Activity (SGI Sensors)

  • ObservedAt: 2025-08-17T16:53:22.505Z
  • SensorName: not available
  • SourceIP: 14.103.158.XXX
  • SourceASN: AS4811
  • SourceGeo: CN, Shanghai
  • Protocol/Port: tcp/ (port not available)
  • PayloadPresence: Yes
  • Hash: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

On August 17, 2025, at 16:53:22 UTC, an SGI sensor detected a potentially malicious file originating from IP address 14.103.158.69, associated with AS4811 (China Telecom) in Shanghai. The file was flagged due to its characteristics resembling an SSH authorized key. The presence of this file suggests a possible attempt to inject malicious SSH keys onto targeted systems. Further investigation is warranted to determine the scope and impact of this activity.

Malware/Technique Overview

The observed activity points to a potential SSH authorized key injection attack. Attackers commonly employ this technique to gain persistent, unauthorized access to systems. The attacker likely gained initial access through brute-force attacks, credential stuffing, or exploiting vulnerabilities in exposed services.

  • T1078 – Valid Accounts
  • T1550 – Use Alternate Authentication Material
  • T1059 – Command and Scripting Interpreter
  • T1190 – Exploit Public-Facing Application

VirusTotal Snapshot

VirusTotal analysis of the file (SHA256: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) shows 29 of 62 vendors flagging it as malicious, while 33 vendors did not detect it. The file is identified as “HTML” and is 389 bytes in size. Some vendors list it under names such as “authorized_keys” and various timestamped file names.

  • Malicious: 29
  • Undetected: 33
  • Harmless: 0

The number of undetected results is concerning, indicating a potentially novel or obfuscated threat. Due to the large number of vendors and their variability, specific vendor names are not listed.

Indicators of Compromise (IoCs)

  • ip: 14.103.158.XXX (confidence: medium; first seen: 2025-08-17T16:53:22.505Z; notes: AS4811 China Telecom (Group))
  • hash: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 (confidence: high; first seen: 2025-08-17T16:53:22.505Z; notes: SHA256 from VirusTotal)

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

Splunk

index=* (src_ip="14.103.158.0/24" OR dest_ip="14.103.158.0/24" OR file_hash="a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2")
| table _time, host, source, eventtype, index, src_ip, dest_ip, file_hash

Splunk only applies CIDR matching to field=value terms, never to a bare search term, so the subnet is bound to the CIM fields src_ip and dest_ip above; adjust the field names to what your sourcetypes actually extract.

Elastic/Kibana KQL

source.ip : "14.103.158.0/24" or destination.ip : "14.103.158.0/24" or file.hash.sha256 : "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"

The query uses ECS field names (source.ip, destination.ip, file.hash.sha256); adjust them if your indices are not ECS-mapped.

When investigating alerts, validate whether the flagged SSH keys are legitimate administrative keys or unauthorized additions. Focus on unusual user accounts or directories.
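One way to carry out that validation across a fleet, as an added example that is not part of SGI's advisory or tooling: parse each authorized_keys file, derive OpenSSH-style SHA256 fingerprints, and compare them with an inventory of approved administrative keys, also flagging forced commands and files outside the usual home directories. The inventory, the file content and the paths below are constructed.

```python
"""Audit authorized_keys content against an inventory of known administrative key
fingerprints. Added example for this advisory, not SGI's own tooling; constructed data."""
import base64
import hashlib
import re

LINE_RE = re.compile(
    r'^(?:((?:[^\s"]|"[^"]*")+)\s+)?'              # options (quotes may hold spaces)
    r'(ssh-[a-z0-9-]+|ecdsa-sha2-\S+|sk-\S+)\s+'   # key type
    r'([A-Za-z0-9+/=]+)(?:\s+(.*))?$')             # base64 blob, then comment

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(path, text, known, expected_dirs=("/home/", "/root/")):
    """Return (line_no, fingerprint, reason) findings for one authorized_keys file."""
    findings = []
    if not path.startswith(expected_dirs):
        findings.append((0, "-", "authorized_keys outside expected home directories"))
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, "-", "unparseable entry"))
            continue
        options, ktype, blob, _comment = m.groups()
        try:
            fp = fingerprint(blob)
        except ValueError:                      # binascii.Error is a ValueError
            findings.append((no, "-", "invalid base64 key blob"))
            continue
        if fp not in known:
            findings.append((no, fp, "fingerprint not in inventory"))
        if options and "command=" in options:   # forced commands deserve a review
            findings.append((no, fp, "forced command set on key"))
    return findings

# Constructed inventory and file; a real inventory comes from config management.
ADMIN_BLOB = base64.b64encode(b"constructed admin key blob").decode()
ROGUE_BLOB = base64.b64encode(b"constructed unknown key blob").decode()
KNOWN = {fingerprint(ADMIN_BLOB)}
SAMPLE = f"""# provisioned by config management
from="10.0.0.0/8" ssh-ed25519 {ADMIN_BLOB} admin@bastion
command="/opt/constructed/agent" ssh-rsa {ROGUE_BLOB} backup
"""
```

Run audit() over every file that AuthorizedKeysFile in your sshd_config points to, not only ~/.ssh/authorized_keys, and treat every finding as a key to verify with its owner rather than delete blindly.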

Containment, Eradication & Recovery

  1. Isolate Affected Systems: Immediately disconnect any systems showing signs of compromise from the network to prevent further spread.
  2. Block Malicious IP: Block traffic to and from 14.103.158.69 at the firewall level.
  3. Scan for Malicious Files: Perform a full system scan with updated antivirus and anti-malware solutions, focusing on SSH authorized_keys files.
  4. Reimage if Necessary: For severely compromised systems, re-imaging from a known good backup is the most reliable recovery method.
  5. Reset Credentials: Reset passwords for all user accounts on affected systems, enforcing strong password policies.

Ensure clear communication between IT, security, and leadership teams throughout the incident response process.

Preserve all relevant logs and artifacts for forensic analysis.

Hardening & Preventive Controls

  • Multi-Factor Authentication (MFA): Implement MFA for all remote access services, including SSH (NIST CSF PR.AC-1, CIS Control 6).
  • Endpoint Detection and Response (EDR) Tuning: Fine-tune EDR solutions to detect anomalous SSH activity and unauthorized key modifications (NIST CSF DE.CM-1, CIS Control 10).
  • Network Segmentation: Segment the network to limit the blast radius of potential compromises (NIST CSF PR.AC-5, CIS Control 14).
  • Least Privilege: Enforce the principle of least privilege, limiting user access to only what is necessary (NIST CSF PR.AC-3, CIS Control 5).
  • Patch Management: Maintain strict patch SLAs to address vulnerabilities in a timely manner (NIST CSF ID.AM-3, CIS Control 7).
  • SSH Hardening: Disable password authentication for SSH, relying solely on key-based authentication. Regularly rotate SSH keys (CIS Controls).
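The SSH hardening item is easy to get wrong because sshd honours the first value it reads for a keyword, so a hardening line appended below a distro default changes nothing. The following added example (not SGI's code; both configurations are constructed, and the keyword names assume current OpenSSH, where KbdInteractiveAuthentication replaces ChallengeResponseAuthentication) evaluates a config the way sshd would and reports the settings that are off policy.

```python
"""Evaluate an sshd_config against the SSH hardening controls above. Added example
for this advisory, not SGI's own tooling; both configurations below are constructed.
sshd keeps the FIRST value it reads for a keyword, so a hardening line appended
below an earlier 'PasswordAuthentication yes' changes nothing; the check mirrors that."""
import re

# Policy values, and sshd's defaults for when a keyword is absent (names lower-cased).
HARDENED = {"passwordauthentication": "no", "kbdinteractiveauthentication": "no",
            "pubkeyauthentication": "yes", "permitrootlogin": "no"}
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "permitrootlogin": "prohibit-password"}

def effective_settings(text):
    """Global value sshd would use per keyword: first occurrence wins. Parsing stops
    at the first Match block, whose lines apply only when its criteria match
    ('Match all' matches everyone) and therefore need a separate review."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return effective

def check(text):
    """(keyword, effective_value, expected_value) for every setting that is off policy."""
    eff = effective_settings(text)
    return [(k, eff.get(k, DEFAULTS[k]), want)
            for k, want in HARDENED.items() if eff.get(k, DEFAULTS[k]) != want]

# Constructed: distro-style defaults on top, a hardening block appended at the bottom.
WEAK = """PermitRootLogin yes
PasswordAuthentication yes
# appended by a hardening script; sshd ignores it because of the line above
PasswordAuthentication no
"""
HARDENED_CFG = """PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""
```

The output of `sshd -T`, which prints the effective configuration as the same keyword-value lines, can be fed to check() directly and avoids the Match-block caveat for the default connection.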

Business Impact & Risk Outlook

A successful SSH key injection attack could lead to significant operational disruption, data breaches, and reputational damage. Legal and compliance risks may arise depending on the sensitivity of compromised data. We anticipate an increase in attackers targeting SSH and other remote access services. Organizations must prioritize hardening their systems and implementing robust detection capabilities.

Appendix

Redacted Payload Snippet:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="[REDACTED]">here</a>.</p>
</body></html>

Assumptions & Data Gaps:

  • Sensor name is unavailable.
  • Network port is unavailable.
  • Exact exploit vector is unknown, assumed to be SSH.

SGI is committed to helping organizations proactively defend against emerging threats. Our expert team can assist with threat hunting, incident response, and security posture improvement. Contact us today to learn more about our services.
