Unauthorized SSH Key Injection Attempt


Executive Summary

  • SGI detected a low-severity attempt to inject an unauthorized SSH key.
  • The attack source originates from IP address 121.204.171.142, ASN AS133774 in Fuzhou, China.
  • The likely objective is to gain unauthorized remote access to systems via SSH.
  • The business risk is moderate, potentially leading to data breaches, system compromise, and operational disruption.
  • We anticipate further attempts to exploit SSH vulnerabilities and weak credentials in the coming months.

Observed Activity (SGI Sensors)

| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-10-10T08:59:53.561Z | | 121.204.171.XXX | AS133774 | CN, Fuzhou | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |

On October 10, 2025, at 08:59:53 UTC, SGI sensors detected a network connection from IP address 121.204.171.142. The connection, utilizing the TCP protocol, carried a payload identified as a potentially malicious SSH authorized key. The source IP is associated with ASN AS133774 and geolocates to Fuzhou, China. The payload hash has been flagged by VirusTotal as malicious, indicating a potential attempt to inject unauthorized keys for SSH access.

Malware/Technique Overview

The detected activity appears to be an attempt to inject an unauthorized SSH key into the authorized_keys file of a user account. This technique gives an attacker persistent remote access to the compromised system without needing the user’s password. The aliases observed on VirusTotal, such as ...redir__home_user2__ssh_authorized_keys, indicate an attempt to write the key into a specific user’s home directory.

  • T1190 – Exploit Public-Facing Application (if vulnerability is exploited to achieve initial access)
  • T1078.003 – Valid Accounts: Local Accounts (if leveraging existing local accounts)
  • T1556.002 – Modify Authentication Process: SSH Keys
  • T1059.004 – Command and Scripting Interpreter: Unix Shell (for executing commands after gaining access)

VirusTotal Snapshot

VirusTotal analysis of the SHA256 hash (a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) shows 29 malicious detections out of 62 total scans, with 33 vendors remaining undetected. This suggests a moderate level of confidence in the malicious nature of the sample.

The detecting vendors are not enumerated here; they include firms specializing in Linux malware detection and heuristic analysis.

Indicators of Compromise (IoCs)

| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| IP | 121.204.171.XXX | Medium | 2025-10-10T08:59:53.561Z | AS133774, Fuzhou |
| Hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | High | 2025-10-10T08:59:53.561Z | SHA256 from VirusTotal |

It is recommended to monitor these IoCs for at least 30 days.

Detection & Hunting

Splunk SPL

index=* sourcetype=network_traffic src_ip=121.204.171.0/24
| search _raw="*ssh_authorized_keys*" OR _raw="*ssh-rsa*" OR _raw="*ssh-dss*"
| table _time, src_ip, dest_ip, user, _raw

This query searches for network traffic originating from the specified IP range that contains strings commonly found in SSH authorized keys. Be mindful of false positives arising from legitimate SSH key exchanges.

Elastic/Kibana KQL

source.ip : 121.204.171.0/24 AND (message : "ssh_authorized_keys" OR message : "ssh-rsa" OR message : "ssh-dss")

This KQL query searches for logs with a source IP within the specified range that contain relevant SSH key strings.
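
Added example, not part of the SGI report: the hunting logic of the Splunk and KQL queries above, replayed in Python over constructed sample events. It applies the same /24 scope and the same key strings, then ranks each hit so that a reference to an authorized_keys path outranks a bare ssh-rsa string, which is exactly the false-positive source the Splunk note mentions (a host key advertised during a normal key exchange). The event layout, the function names, and every source address other than 121.204.171.142 are assumptions.

```python
"""Replay the SPL/KQL hunting logic over constructed sample events and rank hits
so that an authorized_keys path reference outranks a bare 'ssh-rsa' string."""
import ipaddress
import re
from dataclasses import dataclass

SOURCE_NET = ipaddress.ip_network("121.204.171.0/24")          # range from the queries
KEY_STRINGS = ("ssh_authorized_keys", "ssh-rsa", "ssh-dss")   # terms from the queries
# Stronger signal than a key-type string: a path that names authorized_keys,
# either the real .ssh/authorized_keys or the flattened __ssh_authorized_keys alias.
AUTHORIZED_KEYS_PATH = re.compile(r"(?:\.ssh/|__ssh_)authorized_keys")

# Constructed sample events (assumed layout "time src dst user message");
# only 121.204.171.142 is from the report, the other addresses are made up.
SAMPLE_LOGS = [
    "2025-10-10T08:59:53Z 121.204.171.142 10.0.0.5 user2 POST /redir__home_user2__ssh_authorized_keys body=ssh-rsa AAAAB3Nza...",
    "2025-10-10T09:00:10Z 121.204.171.77 10.0.0.5 - kex: server host key ssh-rsa SHA256:...",
    "2025-10-10T09:01:00Z 203.0.113.9 10.0.0.5 alice sftp put .ssh/authorized_keys",
    "2025-10-10T09:02:00Z 121.204.171.9 10.0.0.6 - GET /index.html",
]


@dataclass
class Hit:
    time: str
    src_ip: str
    dest_ip: str
    user: str
    severity: str   # "high": authorized_keys path referenced; "low": key string only
    raw: str


def in_source_range(ip: str) -> bool:
    """CIDR test equivalent to src_ip=121.204.171.0/24 / source.ip : 121.204.171.0/24."""
    try:
        return ipaddress.ip_address(ip) in SOURCE_NET
    except ValueError:          # malformed address field: never a match
        return False


def hunt(lines) -> list:
    """Return the events the SPL/KQL queries would return, each with a severity."""
    hits = []
    for line in lines:
        time, src, dst, user, msg = line.split(" ", 4)
        if not in_source_range(src):
            continue                          # outside the queried range
        if not any(term in msg for term in KEY_STRINGS):
            continue                          # no SSH-key string in the event
        severity = "high" if AUTHORIZED_KEYS_PATH.search(msg) else "low"
        hits.append(Hit(time, src, dst, user, severity, line))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"{h.severity:4} {h.time} {h.src_ip} -> {h.dest_ip} user={h.user}")
```

The third sample event, an authorized_keys upload from an address outside the /24, is deliberately not returned: both queries are scoped to the attacker's range, so coverage for authorized_keys writes from any source belongs in a separate rule rather than in a widened version of this one.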

Containment, Eradication & Recovery

  1. Isolate Affected Systems: Immediately disconnect any systems showing signs of compromise from the network to prevent further lateral movement.
  2. Block Malicious IP: Add the malicious IP (121.204.171.142) to your firewall blocklist.
  3. Scan for Unauthorized Keys: Scan all systems for unauthorized SSH keys in user .ssh/authorized_keys files.
  4. Reimage Compromised Systems: If unauthorized keys are found, reimage the affected systems from a known good backup.
  5. Reset Credentials: Reset passwords for all user accounts on potentially compromised systems.
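
Added example for step 3, not SGI's tooling: a Python audit of authorized_keys content that computes each key's SHA256 fingerprint the way ssh-keygen -lf reports it, compares it against an allowlist of approved fingerprints, and also flags lines whose declared key type does not match the key blob, deprecated ssh-dss keys, and lines that do not parse at all. The sample file, the synthetic key blobs, the allowlist and the function names are constructed assumptions; the user2@example.com comment mirrors the appendix payload.

```python
"""Audit authorized_keys content against an allowlist of approved fingerprints.
Fingerprints follow ssh-keygen -lf: SHA256 over the key blob, base64, no padding."""
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass, field

# Key types this audit understands; ssh-dss is parsed but always flagged.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# [options] type base64-blob [comment]; quoted option values may contain spaces.
LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?'
    r'(?P<type>[a-z0-9][a-z0-9@.-]*)\s+'
    r'(?P<blob>[A-Za-z0-9+/]+={0,2})'
    r'(?:\s+(?P<comment>.*))?$')


@dataclass
class KeyEntry:
    line_no: int
    options: str
    key_type: str
    fingerprint: str
    comment: str
    problems: list = field(default_factory=list)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint 'SHA256:<43 base64 chars, no padding>'."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_type(blob: bytes):
    """The first wire-format string inside the blob names the key's real type."""
    if len(blob) < 4:
        return None
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii", "replace") if len(blob) >= 4 + n else None


def audit_authorized_keys(text: str, allowlist: set) -> list:
    """Parse each key line and attach the problems found (empty list = clean)."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m["type"] not in KEY_TYPES:
            entries.append(KeyEntry(no, "", "", "", line, ["unparseable or unknown key type"]))
            continue
        entry = KeyEntry(no, m["opts"] or "", m["type"], "", m["comment"] or "")
        try:
            blob = base64.b64decode(m["blob"], validate=True)
            entry.fingerprint = fingerprint(m["blob"])
        except (binascii.Error, ValueError):
            entry.problems.append("key blob is not valid base64")
            entries.append(entry)
            continue
        if embedded_type(blob) != entry.key_type:
            entry.problems.append("declared type does not match the key blob")
        if entry.key_type == "ssh-dss":
            entry.problems.append("deprecated ssh-dss key")
        if entry.fingerprint not in allowlist:
            entry.problems.append("fingerprint not in allowlist")
        entries.append(entry)
    return entries


# ---- constructed sample data: synthetic blobs, not real keys ----
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def make_blob(key_type: str, fields) -> str:
    """Base64 wire-format public key blob built from synthetic field values."""
    raw = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()


APPROVED = make_blob("ssh-ed25519", [bytes(range(32))])
INJECTED = make_blob("ssh-rsa", [b"\x01\x00\x01", b"\x00" + bytes([0xAB]) * 64])
MISMATCH = make_blob("ssh-ed25519", [bytes(32)])        # declared as ssh-rsa below
LEGACY = make_blob("ssh-dss", [b"\x00\x01", b"\x00\x02", b"\x00\x03", b"\x00\x04"])

SAMPLE_FILE = "\n".join([
    "# constructed sample authorized_keys, not taken from any real host",
    f"ssh-ed25519 {APPROVED} alice@workstation",
    f'command="/usr/local/bin/backup",no-pty ssh-rsa {INJECTED} user2@example.com',
    f"ssh-rsa {MISMATCH} bob@laptop",
    f"ssh-dss {LEGACY} legacy-cron",
    "this is not a key line",
])
ALLOWLIST = {fingerprint(APPROVED)}   # in practice: ssh-keygen -lf output for approved keys

if __name__ == "__main__":
    for e in audit_authorized_keys(SAMPLE_FILE, ALLOWLIST):
        if e.problems:
            print(f"line {e.line_no}: {e.key_type or '?'} {e.fingerprint} {e.comment!r}: {'; '.join(e.problems)}")
```

To run it against a host, feed it the contents of each user's .ssh/authorized_keys (and root's), and build the allowlist from ssh-keygen -lf output for the keys your inventory approves; anything reported as "fingerprint not in allowlist" is a candidate for the reimage and credential-reset steps that follow.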

Ensure clear communication between IT, security, and leadership teams throughout the incident response process.

Preserve all relevant logs and network traffic for forensic analysis.

Hardening & Preventive Controls

  • Multi-Factor Authentication (MFA): Implement MFA for all SSH logins (NIST CSF PR.AC-1, CIS Control 6).
  • Endpoint Detection and Response (EDR) Tuning: Configure EDR solutions to detect unauthorized SSH key modifications (NIST CSF DE.CM-1, CIS Control 10).
  • Network Segmentation: Segment the network to limit the blast radius of a potential compromise (NIST CSF PR.AC-4, CIS Control 14).
  • Least Privilege: Enforce the principle of least privilege to limit the impact of compromised accounts (NIST CSF PR.AC-3, CIS Control 5).
  • Patch Management: Maintain an aggressive patch schedule for all systems, especially those exposed to the internet (NIST CSF PR.PT-1, CIS Control 7).
  • Disable Password Authentication for SSH: Use key-based authentication only for SSH.

Business Impact & Risk Outlook

A successful SSH key injection can lead to significant operational disruption, data breaches, and reputational damage. Legal and compliance ramifications may arise due to unauthorized access and potential data exfiltration.

We anticipate an increase in automated attacks targeting SSH and other remote access services over the next 3-6 months, driven by the ongoing shift to remote work and the increasing availability of exploit tools.

Appendix

<!DOCTYPE html><html><head><meta charset="UTF-8"><title>Unauthorized Key</title></head><body><p>This file contains an unauthorized SSH key.</p><pre>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4bl...[redacted]...IDAQABAAABAQC4bl user2@example.com</pre></body></html>

Assumptions & Data Gaps

  • We assume that the payload sample is representative of the entire attack.
  • Port information is missing from the original data, so we assumed standard SSH port usage.
