Emerging Threat: SSH Key Injection via Compromised Web Servers


Executive Summary

  • SGI sensors detected a low-severity attempt to inject SSH keys, potentially granting unauthorized access to systems.
  • The attack vector appears to involve redirection to malicious authorized_keys files hosted on compromised web servers.
  • The likely objective is to gain persistent, unauthorized access to targeted systems via SSH.
  • Business risk is moderate, encompassing data breaches, system compromise, and potential service disruption.
  • Expect increased sophistication in redirection techniques and payload obfuscation in the near future.

Observed Activity (SGI Sensors)

  • ObservedAt: 2025-10-13T07:22:46.597Z
  • SensorName: not provided
  • SourceIP: 27.254.235.XXX
  • SourceASN: AS4750
  • SourceGeo: TH
  • Protocol/Port: tcp/
  • PayloadPresence: Yes
  • Hash: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

An SGI sensor detected network traffic originating from IP address 27.254.235.4 (AS4750, Thailand). The traffic contained a payload identified as a potentially malicious authorized_keys file, indicated by its SHA256 hash. The detection suggests an attempt to inject this key into a system, potentially granting unauthorized SSH access. The source IP has been observed associated with similar malicious activity, including attempts to redirect requests for authorized_keys files. Further investigation is warranted to determine the extent of the compromise and identify affected systems.

Malware/Technique Overview

The observed malware family, 20251011-032359-8b62384ab05d-1-redir__home_lab__ssh_authorized_keys, indicates a redirection attack targeting SSH authorized keys. This suggests that an attacker has compromised a web server and is using it to serve malicious authorized_keys files. When a system attempts to retrieve an authorized_keys file (e.g., via curl or wget), it is redirected to the compromised server, which serves the malicious key. This allows the attacker to gain SSH access to the system without needing to crack passwords.

  • T1199 – Server Software Component: Exploit Public-Facing Application
  • T1555.004 – Credentials from Password Stores: SSH Keys
  • T1588.006 – Obtain Capabilities: Vulnerabilities
  • T1189 – Drive-by Compromise

VirusTotal Snapshot

VirusTotal analysis shows 29 of 62 vendors flagging the sample as malicious and 33 reporting it as undetected. The file is typed as HTML and is 389 bytes in size. The high number of malicious detections, combined with the authorized_keys filename and the redirection-related aliases, strongly suggests malicious intent.

  • Malicious detections: 29
  • Undetected: 33
  • Harmless: 0


Indicators of Compromise (IoCs)

Type  Value                                                             Confidence  FirstSeen                 Notes
ip    27.254.235.XXX                                                    medium      2025-10-13T07:22:46.597Z  AS4750 CS LOXINFO PUBLIC COMPANY LIMITED
hash  a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2  high        2025-10-13T07:22:46.597Z  SHA256 from VirusTotal

Recommended retention period: monitor for 90 days.

Detection & Hunting

Splunk SPL

index=* (source="*authorized_keys*" OR file="*authorized_keys*") AND ("27.254.235.*" OR "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2")
| table _time, host, source, file, _raw

This query searches for logs containing “authorized_keys” in the source or file name and also includes the IP address or SHA256 hash. Review results for unexpected downloads or modifications to authorized_keys files. False positives may include legitimate administrative tasks involving SSH keys.

Containment, Eradication & Recovery

  1. Isolate affected systems from the network to prevent further compromise.
  2. Block the malicious IP address (27.254.235.4) at the firewall.
  3. Scan all systems for authorized_keys files whose SHA256 matches the malicious hash (a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2).
  4. Reimage any compromised systems to ensure complete eradication of the malware.
  5. Reset SSH keys and passwords on all affected systems.

Communicate the incident to IT staff and leadership. Preserve all relevant logs and evidence for forensic analysis.
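As a host-side hunting aid for step 3 and the Splunk search above, here is an added example (not SGI tooling) that hashes every authorized_keys file in the default sshd locations, compares it with the IoC hash, and flags any non-comment line that is not an SSH public key, which is exactly what an HTML page served by a redirect would look like. The sample inputs are constructed, not the real payload.

```python
import hashlib
from pathlib import Path

# SHA256 of the malicious authorized_keys sample, from the report's IoC table.
IOC_HASHES = {"a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"}

# Key types sshd accepts; any other content on a non-comment line is not a key.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

# Constructed samples (not the real payload): one normal entry, and an HTML page
# of the kind a redirected fetch leaves behind (VirusTotal typed the sample as HTML).
SAMPLE_OK = (b"# ops laptop\n"
             b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlobForTestingOnly ops@example\n")
SAMPLE_HTML = b"<html><head><title>301 Moved</title></head><body>moved</body></html>\n"

def scan_content(data: bytes) -> dict:
    """Hash the file and classify every non-comment line as key or non-key."""
    digest = hashlib.sha256(data).hexdigest()
    keys, non_key = [], []
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = line.split()
        idx = next((i for i, t in enumerate(toks) if t in KEY_TYPES), None)
        if idx is not None and idx + 1 < len(toks):
            # login options (if any) precede the key type; comment follows the blob
            keys.append({"type": toks[idx], "options": " ".join(toks[:idx]),
                         "comment": " ".join(toks[idx + 2:])})
        else:
            non_key.append(line[:60])
    return {"sha256": digest, "ioc_match": digest in IOC_HASHES,
            "keys": keys, "non_key_lines": non_key}

def find_authorized_keys(home=Path("/home"), root=Path("/root")) -> list:
    """Default sshd locations; extend this if AuthorizedKeysFile is customised."""
    cands = [root / ".ssh/authorized_keys"] + sorted(home.glob("*/.ssh/authorized_keys"))
    return [p for p in cands if p.is_file()]

if __name__ == "__main__":
    for p in find_authorized_keys():
        r = scan_content(p.read_bytes())
        verdict = "IOC MATCH" if r["ioc_match"] else "REVIEW" if r["non_key_lines"] else "ok"
        print(f"{verdict:9} {p} keys={len(r['keys'])} sha256={r['sha256'][:16]}...")
        for k in r["keys"]:
            print(f"          {k['type']} {k['comment']!r} {k['options']}")
```

Run it as root on each host in scope; a REVIEW verdict means the file contains something sshd cannot parse as a key, and every listed key comment should be matched against a known owner.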

Hardening & Preventive Controls

  1. Implement Multi-Factor Authentication (MFA) for all SSH access (NIST CSF PR.AC-1, CIS Control 6).
  2. Tune Endpoint Detection and Response (EDR) systems to detect suspicious activity related to SSH key modifications (NIST CSF DE.CM-1, CIS Control 8).
  3. Implement Network Segmentation to limit the blast radius of a potential compromise (NIST CSF PR.AC-4, CIS Control 5).
  4. Enforce Least Privilege principles for user accounts and system access (NIST CSF PR.AC-3, CIS Control 4).
  5. Maintain Patch SLAs to ensure timely patching of web servers and other internet-facing systems (NIST CSF PR.PT-1, CIS Control 7).
  6. Disable SSH Password Authentication: Rely exclusively on SSH keys and MFA.
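The sshd_config directives that implement controls 1 and 6 above, as an added example rather than configuration from the report. It assumes PAM is already set up with an OTP module for the second factor; the AuthorizedKeysFile line goes one step beyond the list by pinning key lookup to a root-owned path, so a key written into a user's ~/.ssh/authorized_keys is never consulted by sshd.

```sshd_config
# /etc/ssh/sshd_config fragment (added example; adapt to your PAM/MFA setup)

# Control 6: no password logins, so a guessed or stolen password yields nothing.
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password

# Control 1: a key AND a PAM-backed second factor are both required.
# keyboard-interactive is only MFA if PAM prompts for an OTP (assumed here);
# on OpenSSH older than 8.7 the keyword is ChallengeResponseAuthentication.
PubkeyAuthentication yes
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

# Keys are read only from a directory owned by root and not writable by users,
# so an injected ~/.ssh/authorized_keys is ignored.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# VERBOSE logs the fingerprint of every accepted key, giving the Splunk search
# above a concrete field to pivot on when reviewing logins.
LogLevel VERBOSE
```

Migrate existing user keys into /etc/ssh/authorized_keys/<user> (mode 0644, directory 0755, both root-owned) before reloading sshd, and test a new session before closing the one you are in.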

Business Impact & Risk Outlook

A successful SSH key injection attack can lead to significant operational disruption, data breaches, and reputational damage. Legal and compliance risks may arise from the unauthorized access and potential data exfiltration. Over the next 3-6 months, we anticipate an increase in these attacks, coupled with more sophisticated redirection techniques and payload delivery methods. Organizations should prioritize SSH security and web server hardening to mitigate this growing threat.

Appendix

Assumptions & Data Gaps

  • We assume that the provided data represents a complete picture of the observed activity.
  • The sensor name and payload sample were not provided.
