Observed SSH “Authorized Keys” Redirection Attempt


Executive Summary

  • SGI observed a low-severity attempt to inject an SSH authorized key on a monitored system.
  • The attack originates from IP address 162.240.39.179, associated with AS46606 (Unified Layer) in Provo, Utah.
  • The likely objective is to gain unauthorized remote access to the compromised system via SSH.
  • The business risk is currently low, but could escalate quickly if the attack were successful.
  • Organizations should monitor for similar activity and review SSH key management practices.

We anticipate attackers will continue targeting SSH configurations to gain unauthorized access, necessitating robust monitoring and key management practices.

Observed Activity (SGI Sensors)

ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash
2025-11-17T08:58:51.893Z | (missing) | 162.240.39.XXX | AS46606 | US (Provo, Utah) | tcp/(port missing) | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

On November 17, 2025, at 08:58:51 UTC, SGI sensors detected suspicious activity originating from IP address 162.240.39.179. The traffic was identified as an attempt to inject data into the authorized_keys file, a critical component for SSH authentication. The source IP is associated with AS46606 (Unified Layer) in Provo, Utah. The detected payload contains content consistent with an attempt to add a malicious SSH key to the target system.

Malware/Technique Overview

The detected activity is classified as an attempt to modify the .ssh/authorized_keys file. This is a common technique used by attackers to gain persistent, unauthorized access to a system. By adding their own public key to this file, an attacker bypasses password authentication entirely and logs in directly with the matching private key.

  • T1187 – Forced Authentication
  • T1078.002 – Valid Accounts: Domain Accounts
  • T1556.002 – Modify Authentication Process: SSH Keys
  • TA0006 – Credential Access

VirusTotal Snapshot

VirusTotal analysis of the detected hash (a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) shows a detection ratio of 29/62. The file is identified as HTML, suggesting it contains the malicious SSH key embedded within HTML code. Several vendors flag the sample under various names related to “authorized_keys” redirection.

  • Malicious detections: 29
  • Undetected: 33
  • Harmless: 0

Notable aliases include:

  • 20251117-045959-a28c9b54668b-1-redir__home_newuser1__ssh_authorized_keys
  • 20251116-212501-1fae26ea846a-1-redir__home_hadoop__ssh_authorized_keys
  • 20251116-075459-bbf5f84f51ed-1-redir__root__ssh_authorized_keys

Analysis suggests a widespread campaign targeting various usernames to inject malicious SSH keys.

Indicators of Compromise (IoCs)

Type | Value | Confidence | FirstSeen | Notes
IP | 162.240.39.XXX | Medium | 2025-11-17T08:58:51.893Z | AS46606 Unified Layer
Hash (SHA256) | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | High | 2025-11-17T08:58:51.893Z | SHA256 from VirusTotal

We recommend monitoring these IoCs for at least 30 days.

Detection & Hunting

Splunk SPL

index=* (a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 OR src_ip="162.240.39.0/24" OR dest_ip="162.240.39.0/24")
| table _time, host, source, eventtype

CIDR matching in SPL only applies to a field comparison, not to a bare search term, so the IP fields are named explicitly; adjust src_ip/dest_ip to the field names in your data model.

Elastic/Kibana KQL

(hash.sha256:"a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2" or source.ip : "162.240.39.0/24")

Wazuh/OSSEC Rule Idea

<group name="syscheck,">
  <!-- rule id and level are placeholders: the source gives only the parent id, path pattern and description -->
  <rule id="100100" level="10">
    <if_sid>530</if_sid>
    <regex>/home/.*/.ssh/authorized_keys</regex>
    <description>Possible SSH authorized_keys modification detected</description>
  </rule>
</group>

When investigating, exclude legitimate administrative changes to authorized_keys files by filtering against a known-good baseline of approved keys. The path pattern above only covers user home directories; the VirusTotal aliases show root's authorized_keys being targeted as well, so also watch /root/.ssh/authorized_keys.
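One way to implement the baseline filtering described above, as an added example that is not part of SGI's tooling: parse an authorized_keys file, fingerprint every entry the way ssh-keygen -l does (SHA256 of the decoded key blob), and report entries whose fingerprint is not on an approved list. The sample file, the key blobs and the baseline are constructed for illustration; on real hosts, feed it the contents of /home/*/.ssh/authorized_keys and /root/.ssh/authorized_keys.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Key types OpenSSH accepts; an authorized_keys line is: [options] keytype base64blob [comment]
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-dss", "sk-ssh-ed25519@openssh.com")
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) + r")\s+(\S+)(?:\s+(.*))?$")

@dataclass(frozen=True)
class KeyEntry:
    key_type: str
    fingerprint: str  # "SHA256:<base64, unpadded>", the same form ssh-keygen -l prints
    comment: str
    options: str      # e.g. from="10.0.0.0/8",command="..."; empty if none

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint of the decoded key blob; "INVALID" if the blob is not base64."""
    try:
        blob = base64.b64decode(b64_blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "INVALID"
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list[KeyEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:  # not a key line at all: surface it rather than silently dropping it
            entries.append(KeyEntry("unknown", "INVALID", line, ""))
            continue
        entries.append(KeyEntry(m.group(1), fingerprint(m.group(2)), m.group(3) or "", line[:m.start()].strip()))
    return entries

def unexpected_keys(text: str, baseline: set[str]) -> list[KeyEntry]:
    """Entries whose fingerprint is not in the known-good baseline (invalid lines always count)."""
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in baseline]

# Constructed sample: one approved admin key and one injected key with an unfamiliar comment.
KNOWN_GOOD_BLOB = base64.b64encode(b"constructed blob standing in for an approved admin key").decode()
INJECTED_BLOB = base64.b64encode(b"constructed blob standing in for an injected key").decode()
SAMPLE_AUTHORIZED_KEYS = f"""# managed by configuration management
from="10.0.0.0/8" ssh-ed25519 {KNOWN_GOOD_BLOB} admin@bastion
ssh-rsa {INJECTED_BLOB} newuser1@unknown
"""
BASELINE = {fingerprint(KNOWN_GOOD_BLOB)}  # in practice: the fingerprints approved by key management
```

Running unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE) reports only the ssh-rsa entry; lines that do not parse or carry an undecodable blob are reported too, since an attacker-written line may not be well formed.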

Containment, Eradication & Recovery

  1. Isolate: Disconnect the affected system from the network to prevent further compromise.
  2. Block: Block the source IP address (162.240.39.179) at the firewall to prevent further communication.
  3. Scan: Perform a full system scan with updated anti-malware software to detect any other potential malware.
  4. Reimage (if needed): If the system is heavily compromised, consider reimaging it from a trusted backup.
  5. Credential Resets: Reset SSH keys and passwords for all affected accounts, especially those with access to the compromised system.

Inform relevant IT and leadership stakeholders about the incident and remediation steps. Preserve all relevant logs and artifacts for potential forensic analysis.

Hardening & Preventive Controls

  1. Multi-Factor Authentication (MFA): Enforce MFA for all SSH logins (NIST CSF: PR.AC-1, CIS Control 6).
  2. EDR Tuning: Tune Endpoint Detection and Response (EDR) systems to detect unauthorized modification of authorized_keys files (NIST CSF: DE.CM-1, CIS Control 10).
  3. Network Segmentation: Implement network segmentation to limit the blast radius of a potential compromise (NIST CSF: PR.AC-5, CIS Control 14).
  4. Least Privilege: Enforce the principle of least privilege, ensuring that users only have the necessary permissions to perform their tasks (NIST CSF: PR.AC-3, CIS Control 5).
  5. Patch SLAs: Maintain and enforce strict patch SLAs for all systems and software (NIST CSF: PR.PT-1, CIS Control 7).

If SSH is exposed to the internet, consider restricting access to specific IP addresses or using a VPN. Disable password authentication and rely solely on SSH keys.
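An added example (not from the original post) that audits the effective sshd configuration against the advice above. It reads `sshd -T` output, so defaults and Match-block overrides are already resolved; the weak sample output is constructed, and the expected-value table is an assumption chosen to match the key-only recommendation.

```python
import shutil
import subprocess

# Expected settings; values are compared case-insensitively against `sshd -T` output.
EXPECTED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
}

def parse_sshd_t(output: str) -> dict[str, list[str]]:
    """Parse `sshd -T` lines ("keyword value"); repeated keywords keep every value."""
    cfg: dict[str, list[str]] = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return cfg

def audit_sshd(output: str) -> list[str]:
    cfg = parse_sshd_t(output)
    findings = []
    for key, allowed in EXPECTED.items():
        values = cfg.get(key)
        if values is None:
            findings.append(f"{key}: not present in effective config")
        elif values[-1].lower() not in allowed:
            findings.append(f"{key}: is {values[-1]!r}, expected one of {sorted(allowed)}")
    # Keyboard-interactive auth can still relay passwords via PAM; the keyword was renamed in OpenSSH 8.7.
    kbd = cfg.get("kbdinteractiveauthentication") or cfg.get("challengeresponseauthentication")
    if kbd and kbd[-1].lower() != "no":
        findings.append("keyboard-interactive authentication enabled: password prompts still possible")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups restriction: any account with a key can log in")
    return findings

def audit_local_sshd() -> list[str]:
    """Run the audit on this host; reports a single note if sshd is not installed."""
    if not shutil.which("sshd"):
        return ["sshd not found on this host"]
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=False).stdout
    return audit_sshd(out)

# Constructed sample of `sshd -T` output from a weakly configured host.
WEAK_SSHD_T = """permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
"""
```

`sshd -T` needs root, so audit_local_sshd() is meant for a privileged agent; audit_sshd() can equally be fed output captured from fleet inventory.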

Business Impact & Risk Outlook

A successful SSH key injection can lead to unauthorized access, data theft, and disruption of services. The potential impact includes operational downtime, legal liabilities (related to data breaches), and reputational damage.

We anticipate an increase in SSH-based attacks in the next 3-6 months, targeting organizations with weak SSH key management practices and exposed SSH services.

Appendix


<!DOCTYPE html>
<html>
<head>
<title>400 Bad Request</title>
</head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
<!-- a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 -->

Assumptions & Data Gaps

  • We assume the provided data represents a genuine malicious attempt.
  • The sensor name and network port are missing from the data.
  • The full payload content beyond the hash is not available.
