Potential SSH Key Compromise via Malicious Redirect



Executive Summary

  • SGI detected a malicious HTML file attempting to inject unauthorized SSH keys into a system.
  • The activity originates from IP address 176.109.67.96, geolocated to Moscow, Russia.
  • The likely objective is to gain unauthorized access to systems via SSH.
  • The business risk is high, potentially leading to data breaches, system compromise, and lateral movement within the network.

Organizations should immediately review SSH key management practices and monitor for suspicious login activity.

Observed Activity (SGI Sensors)

| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-11-28T09:31:09.486Z | (missing) | 176.109.67.XXX | AS60490 | RU | tcp/(missing) | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |

On November 28, 2025, SGI sensors detected a suspicious connection from 176.109.67.96 (AS60490, Moscow, Russia). The traffic involved an HTML payload, flagged as potentially malicious. VirusTotal analysis indicates the file is associated with attempts to inject SSH keys, likely targeting various user directories (e.g., root, ubuntu, odin). The attacker is likely attempting to gain persistent, unauthorized access to systems via SSH key injection.

Malware/Technique Overview

The detected file belongs to a malware family associated with SSH key injection via malicious redirects. The attacker likely compromises a web server to host a malicious HTML file. When a user visits the compromised site (or is redirected to it), the HTML attempts to inject an SSH key into the user’s `~/.ssh/authorized_keys` file. If successful, the attacker can then log in to the user’s account via SSH without needing the user’s password.

  • T1190 – Exploit Public-Facing Application
  • T1189 – Drive-by Compromise
  • T1078.001 – Valid Accounts: Default Accounts
  • T1059.004 – Command and Scripting Interpreter: Unix Shell
  • T1555.004 – Credentials from Password Stores: SSH Keys

VirusTotal Snapshot

VirusTotal analysis of the file (SHA256: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) shows:

  • Malicious detections: 30
  • Undetected: 31
  • Harmless: 0

Many vendors flag this as a malicious HTML file injecting SSH authorized keys.

Indicators of Compromise (IoCs)

| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 176.109.67.XXX | medium | 2025-11-28T09:31:09.486Z | AS60490 MTS PJSC |
| hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high | 2025-11-28T09:31:09.486Z | SHA256 from VirusTotal |

Recommended retention period: Monitor these IoCs for at least 90 days.

Detection & Hunting

Splunk SPL

index=* sourcetype=http_access
    ("authorized_keys" OR "ssh-rsa" OR "ssh-dss" OR src_ip=176.109.67.0/24)
| table _time, host, src_ip, dest_ip, uri, user_agent

This query returns HTTP access log events that either contain SSH-key-related strings or originate from the suspect /24 (CIDR matching in SPL requires a field, hence `src_ip=`; a bare `176.109.67.0/24` term would only be matched literally). Review results carefully for unexpected SSH key activity or access from the suspect IP range. False positives may include legitimate SSH key downloads or updates.
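For environments without Splunk, the same hunt logic can be run directly over raw web server access logs. The script below is an added example, not SGI tooling: it assumes the Apache/nginx "combined" log format, uses the same key-related terms as the SPL query (with `ssh-ed25519` added, since the original list omitted that key type), and matches the source address against the /24 named in the IoC table. The sample log lines are constructed for the demonstration.

```python
"""Hunt HTTP access logs for SSH-key-related requests or traffic from the
suspect /24, mirroring the SPL query above.  Added example, not SGI tooling;
the combined log format and the sample lines are assumptions."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" format (assumed); adjust for your own log source.
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Key-related terms from the SPL query (ssh-ed25519 added: the original list
# omitted it) and the network named in the IoC table.
KEY_TERMS = ("authorized_keys", "ssh-rsa", "ssh-dss", "ssh-ed25519")
SUSPECT_NET = ipaddress.ip_network("176.109.67.0/24")


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields plus match reasons, or None if nothing hit.
    Unparseable lines are also None: count them separately in production so a
    format change does not silently blind the hunt."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields: Dict[str, object] = m.groupdict()
    lowered = line.lower()
    fields["key_term"] = any(t in lowered for t in KEY_TERMS)
    try:
        fields["suspect_ip"] = ipaddress.ip_address(m.group("src_ip")) in SUSPECT_NET
    except ValueError:
        fields["suspect_ip"] = False
    return fields if (fields["key_term"] or fields["suspect_ip"]) else None


def hunt(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Equivalent of the SPL: (key terms OR suspect source), then tabulate."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '176.109.67.96 - - [28/Nov/2025:09:31:09 +0000] "GET /promo.html HTTP/1.1" 200 1342 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [28/Nov/2025:09:32:41 +0000] "GET /.ssh/authorized_keys HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '10.0.0.7 - - [28/Nov/2025:09:33:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        why = "suspect_ip" if hit["suspect_ip"] else "key_term"
        print(f'{hit["time"]} {hit["src_ip"]:<15} {hit["uri"]:<28} {why}')
```

Run against the constructed sample, the first line is flagged for its source address and the second for the `authorized_keys` string; the benign request and the malformed line produce nothing. Keep a count of lines that fail the regex when running this over real logs, so a log-format change is noticed rather than silently hiding results.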

Containment, Eradication & Recovery

  1. Isolate affected systems: Immediately disconnect any systems suspected of compromise from the network to prevent further lateral movement.
  2. Block malicious IP: Block 176.109.67.96 on your firewall and intrusion detection/prevention systems.
  3. Scan for unauthorized keys: Scan all systems for unauthorized SSH keys in `~/.ssh/authorized_keys` files.
  4. Reimage compromised systems: If a system is confirmed to be compromised, reimage it from a known-good backup or image.
  5. Reset credentials: Reset passwords for all accounts that may have been accessed or compromised.

Inform IT and leadership about the incident and remediation steps. Preserve system logs and network traffic for forensic analysis.

Hardening & Preventive Controls

  1. Implement Multi-Factor Authentication (MFA) (NIST CSF PR.AC-1, CIS Control 6): Enforce MFA for all SSH logins to prevent unauthorized access even if SSH keys are compromised.
  2. Regularly Audit SSH Keys (NIST CSF DE.CM-8, CIS Control 5): Implement a process for regularly auditing authorized SSH keys and removing any that are no longer needed.
  3. Web Application Firewall (WAF) (NIST CSF PR.DS-2, CIS Control 14): Use a WAF to protect web applications from malicious redirects and other attacks.
  4. Principle of Least Privilege (NIST CSF PR.AC-3, CIS Control 5): Ensure users only have the minimum necessary privileges to perform their job functions.
  5. Patch Management (NIST CSF PR.PT-1, CIS Control 7): Keep all systems and software up-to-date with the latest security patches.

Since this attack vector involves potential web server compromise, ensure web servers are properly hardened and monitored for suspicious activity. Enable logging and regularly review logs for signs of intrusion.
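Step 3 of the containment list (scan for unauthorized keys) and hardening item 2 (regular key audits) both need the same thing: a way to read every `authorized_keys` file, fingerprint each entry and compare it with an approved-key inventory. The script below is an added example and not SGI's tooling. Fingerprints follow the `ssh-keygen -lf` convention (SHA256 over the decoded key blob, base64 without padding); the approved inventory, the file paths globbed in `audit_host`, and the sample `authorized_keys` content are all constructed for the demonstration.

```python
"""Audit authorized_keys files against an approved-key inventory.

Added example (not SGI tooling).  Fingerprints follow the ssh-keygen -lf
convention: SHA256 over the decoded key blob, base64 without '=' padding.
The approved inventory and the sample file below are constructed for the demo."""
import base64
import glob
import hashlib
import struct
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


class AuthKey(NamedTuple):
    options: str      # e.g. 'command="...",no-pty' (may be empty)
    key_type: str
    fingerprint: str  # SHA256:... as printed by ssh-keygen
    comment: str


def fingerprint(blob: bytes) -> str:
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str) -> Optional[AuthKey]:
    """Parse '[options] keytype base64 [comment]'.  Options may contain
    quoted spaces, so locate the key-type token instead of splitting by
    position.  Returns None for blank/comment lines; raises ValueError for
    a line that claims a key type its blob does not carry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            # The blob starts with a length-prefixed copy of the key type;
            # a mismatch means the line was hand-edited or tampered with.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != tok.encode():
                raise ValueError(f"key type mismatch: {line[:40]}")
            return AuthKey(" ".join(tokens[:i]), tok, fingerprint(blob),
                           " ".join(tokens[i + 2:]))
    raise ValueError(f"unparseable line: {line[:40]}")


def audit(text: str, approved: Set[str]) -> Tuple[List[AuthKey], List[str]]:
    """Return (keys not in the approved inventory, lines that failed to parse)."""
    unauthorized, malformed = [], []
    for line in text.splitlines():
        try:
            key = parse_line(line)
        except ValueError as exc:
            malformed.append(str(exc))
            continue
        if key and key.fingerprint not in approved:
            unauthorized.append(key)
    return unauthorized, malformed


def audit_host(approved: Set[str],
               patterns=("/root/.ssh/authorized_keys",
                         "/home/*/.ssh/authorized_keys")) -> Dict[str, tuple]:
    """Run the audit over every authorized_keys file matching the patterns
    (paths are assumptions; add any custom home directories you use)."""
    findings = {}
    for pattern in patterns:
        for path in glob.glob(pattern):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings[path] = audit(fh.read(), approved)
    return findings


# --- constructed sample data -------------------------------------------
def ed25519_blob(raw32: bytes) -> str:
    """Wire-format ssh-ed25519 public key (string type, string key), base64."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return base64.b64encode(blob).decode()

APPROVED_KEY = ed25519_blob(bytes(range(32)))      # in the inventory
ROGUE_KEY = ed25519_blob(bytes(range(32, 64)))     # injected, not approved
APPROVED = {fingerprint(base64.b64decode(APPROVED_KEY))}

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample of /home/ubuntu/.ssh/authorized_keys
ssh-ed25519 {APPROVED_KEY} ops@bastion
command="/usr/bin/backup",no-pty ssh-ed25519 {ROGUE_KEY} backup
ssh-rsa {ROGUE_KEY} relabelled
"""

if __name__ == "__main__":
    rogue, bad = audit(SAMPLE_AUTHORIZED_KEYS, APPROVED)
    for k in rogue:
        print(f"UNAUTHORIZED {k.key_type} {k.fingerprint} {k.comment!r} options={k.options!r}")
    for msg in bad:
        print("MALFORMED", msg)
```

On the constructed sample the audit reports one unauthorized key (the `backup` entry, whose fingerprint is not in the inventory) and one malformed line (a blob relabelled as `ssh-rsa`). Comparing by fingerprint rather than by comment matters because the comment field is free text and is the first thing an intruder would set to something innocuous; for a scheduled audit, feed `audit_host` the fingerprints exported from your key inventory and alert on any non-empty result.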

Business Impact & Risk Outlook

A successful SSH key compromise could lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory consequences may arise depending on the sensitivity of the compromised data. The risk level is considered high.

Over the next 3-6 months, we anticipate an increase in attacks targeting SSH keys as a means of gaining unauthorized access to systems. Organizations should prioritize hardening their SSH configurations and implementing robust monitoring and detection capabilities.

Appendix

Redacted payload snippet (note: full payload is HTML):

<html><body><script>...redacted...ssh-rsa AAAAB3NzaC1yc2E...redacted...</script></body></html>

Assumptions & Data Gaps

  • SensorName is missing from the provided data.
  • Network port is missing, assuming standard TCP port usage.
  • The exact initial access vector is not known (assumed to be web redirect).
