Unauthorized SSH Key Activity Detected from Beijing

Executive Summary

  • Sentry Global Intelligence (SGI) detected a file identified as authorized_keys.
  • The activity originated from IP address 120.48.112.208, associated with AS38365 (Baidu Netcom Science and Technology Co., Ltd.) in Beijing, China.
  • VirusTotal analysis indicates a high maliciousness score, with 29 vendors flagging the file as malicious.
  • The likely objective is unauthorized access to systems via SSH.
  • Business risk is high due to potential data breach, system compromise, and service disruption.

Organizations should immediately investigate and remediate this activity to prevent unauthorized access and potential damage.

Observed Activity (SGI Sensors)

  ObservedAt: 2025-08-13T20:58:26.732Z
  SensorName: (blank in source)
  SourceIP: 120.48.112.XXX
  SourceASN: AS38365
  SourceGeo: CN
  Protocol/Port: tcp/
  PayloadPresence: Yes
  Hash: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

On August 13, 2025, SGI sensors detected network activity originating from IP address 120.48.112.208. The source IP is associated with Baidu Netcom Science and Technology Co., Ltd. in Beijing, China. The detected traffic contained a file identified as authorized_keys. VirusTotal results show a high maliciousness score, indicating a significant risk.

Malware/Technique Overview

The detected file is identified as authorized_keys, which is used for SSH authentication. A malicious authorized_keys file can grant unauthorized access to systems without requiring a password. This is a common technique used by attackers to gain persistent access to compromised systems.

This activity aligns with the following MITRE ATT&CK techniques and tactic:

  • T1078.004 – Valid Accounts: Cloud Accounts
  • T1556.002 – Modify Authentication Process: SSH Keys
  • TA0006 – Credential Access

VirusTotal Snapshot

VirusTotal analysis of the detected file shows:

  • Malicious detections: 29
  • Undetected: 32
  • Harmless: 0

Multiple vendors flagged the file as malicious. This confirms the high risk associated with this activity.

Indicators of Compromise (IoCs)

  Type: IP
  Value: 120.48.112.XXX
  Confidence: Medium
  FirstSeen: 2025-08-13T20:58:26.732Z
  Notes: AS38365, Beijing, Baidu Netcom Science and Technology Co., Ltd.

  Type: Hash
  Value: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
  Confidence: High
  FirstSeen: 2025-08-13T20:58:26.732Z
  Notes: SHA256 from VirusTotal

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

Splunk SPL

index=* file_name="authorized_keys" hash="a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"
| table _time, host, source, user

This query returns only events that carry both the authorized_keys filename and the SHA256 hash; adjust the index and the file_name and hash field names to match the ones your sourcetypes use. Investigate any matches immediately.

Containment, Eradication & Recovery

  1. Isolate affected systems from the network to prevent further spread.
  2. Block the identified IP address (120.48.112.208) at the firewall.
  3. Scan all systems for the presence of unauthorized authorized_keys files.
  4. Remove any unauthorized keys immediately.
  5. Reset user credentials if compromise is suspected.
  6. Review SSH access logs for suspicious activity.

Communicate the incident to IT staff and leadership. Preserve evidence for potential forensic analysis.

Hardening & Preventive Controls

  • Disable SSH password authentication and require key-based authentication (CIS Control 6).
  • Implement Multi-Factor Authentication (MFA) for SSH access (CIS Control 5).
  • Regularly audit authorized_keys files for unauthorized entries (NIST CSF ID.AM-2).
  • Use a centralized key management system to manage SSH keys (NIST CSF PR.AC-4).
  • Implement Network Segmentation to limit the impact of potential compromises (NIST CSF PR.AC-3).

Business Impact & Risk Outlook

The potential business impact is high, given the risk of unauthorized access to critical systems. This could lead to:

  • Data Breach: Exfiltration of sensitive data.
  • System Compromise: Control of critical systems by attackers.
  • Service Disruption: Disruption of critical services due to system compromise.

Over the next 3-6 months, we expect to see an increase in attacks targeting SSH keys. Organizations should proactively monitor for unauthorized SSH key activity and implement robust security controls to mitigate potential risks.

Appendix

Assumptions & Data Gaps

  • We assume the available VirusTotal data is accurate.
  • We lack information about the specific contents of the authorized_keys file.
  • The specific SSH usernames targeted are unknown.
