Unauthorized SSH Key Injection Attempt from China
Executive Summary
- SGI detected an attempt to inject an unauthorized SSH key on 2025-10-07.
- The activity originated from IP address 112.17.139.236, located in Ningbo, China.
- The likely objective is to gain unauthorized remote access to systems via SSH.
- Business risk is medium, potentially leading to data breaches, system compromise, and operational disruption.
Organizations should immediately review SSH key management practices to prevent unauthorized access.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-10-07T08:58:21.227Z | | 112.17.139.XXX | AS9808 | CN | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
On 2025-10-07, SGI sensors detected a suspicious connection originating from 112.17.139.236 (China Mobile Communications Group Co., Ltd.). The connection carried a payload resembling an SSH authorized_keys file. The destination port was not recorded, but the nature of the payload suggests an attempt to inject an unauthorized SSH key, which would grant the attacker remote access to the targeted system. A file hash flagged as malicious is associated with this activity, which further supports the assessment.
Malware/Technique Overview
The detected sample is classified as related to SSH authorized_keys manipulation. The likely initial access vector is brute-force or credential-stuffing attacks against systems with exposed SSH services or default credentials. Successful injection of a malicious SSH key would allow the attacker to bypass password-based authentication and gain persistent, unauthorized access to the compromised system.
- T1190 – Exploit Public-Facing Application
- T1078 – Valid Accounts
- T1098.004 – Account Manipulation: SSH Keys
- T1059.004 – Command and Scripting Interpreter: Unix Shell
VirusTotal Snapshot
VirusTotal analysis indicates that the detected file (SHA256: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2) was flagged as malicious by 29 out of 62 vendors; the remaining 33 vendors did not detect it. Several aliases were associated with this sample, including variations of “authorized_keys” and file names that point to specific user directories. The VirusTotal reputation score is -34.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 112.17.139.XXX | medium | 2025-10-07T08:58:21.227Z | AS9808 China Mobile Communications Group Co., Ltd. |
| hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high | 2025-10-07T08:58:21.227Z | SHA256 from VirusTotal |
These IoCs should be monitored for at least 90 days.
Detection & Hunting
Use the following queries as a starting point for detecting unauthorized SSH key modifications. They match two kinds of events: logged authorized_keys content (recognised by the key-type prefixes) and successful public-key logins recorded by sshd ("Accepted publickey"). The two rarely occur in the same log event, so the groups are combined with OR rather than AND.
Splunk SPL
```spl
index=* source=*ssh* eventtype=syslog (("ssh-rsa" OR "ssh-dss" OR "ecdsa-sha2-nistp256" OR "ssh-ed25519") OR ("PubkeyAccepted" OR "Accepted publickey"))
| table _time, host, user, src_ip, signature
```
Elastic/Kibana KQL
```
message:("ssh-rsa" OR "ssh-dss" OR "ecdsa-sha2-nistp256" OR "ssh-ed25519") OR message:("PubkeyAccepted" OR "Accepted publickey")
```
Wazuh/OSSEC Rule Idea
```xml
<!-- Rule idea reconstructed from the report. The alert level and group name are not
     given in the source and are placeholders. Rule id 5710 is the report's value; in a
     Wazuh deployment custom rules should use an id in the 100000-120000 range, since
     5700-5764 are reserved for the bundled sshd rules. The pattern is expressed as PCRE2
     because Wazuh's native OS_Regex does not treat ".*" as "any characters". -->
<group name="sshd,">
  <rule id="5710" level="10">
    <decoded_as>sshd</decoded_as>
    <regex type="pcre2">Accepted publickey for .* from .* port .* ssh2: .*</regex>
    <description>Possible SSH Key Injection Attempt</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>
</group>
```
Validate findings by checking for legitimate key rotations or authorized user activity. High false positives can occur in environments with frequent automated SSH key management.
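The queries above catch key-based logins after the fact; the direct control is to compare what is actually in authorized_keys against an approved-key list. As an added example that is not part of the SGI report, the following Python parses authorized_keys content (including an options prefix), computes OpenSSH-style SHA256 fingerprints and flags any entry not on the allowlist or malformed. The sample file, the allowlist and the ed25519 key blobs are constructed for the example, not real keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519"}


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA-256 over the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line: options, type, fingerprint, comment; or error for bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The key-type token anchors the line; everything before it is the options field.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        try:
            fp = fingerprint(tokens[idx + 1])
        except (TypeError, IndexError, ValueError):  # no key type, no blob, or bad base64
            entries.append({"error": raw})
            continue
        entries.append({"options": " ".join(tokens[:idx]), "type": tokens[idx],
                        "fingerprint": fp, "comment": " ".join(tokens[idx + 2:])})
    return entries


def audit(text, approved_fingerprints):
    """Return entries that are malformed or whose fingerprint is not on the allowlist."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in approved_fingerprints]


def ed25519_blob(pub32):
    """Wire-format ssh-ed25519 public key blob; used only to build constructed test data."""
    def sshstr(b): return struct.pack(">I", len(b)) + b
    return base64.b64encode(sshstr(b"ssh-ed25519") + sshstr(pub32)).decode()


# Constructed sample file: one approved admin key, one injected key, one malformed line.
APPROVED_BLOB = ed25519_blob(b"\x01" * 32)
ROGUE_BLOB = ed25519_blob(b"\x02" * 32)
SAMPLE = f"""# managed by config management
ssh-ed25519 {APPROVED_BLOB} admin@bastion
from="203.0.113.9",no-pty ssh-ed25519 {ROGUE_BLOB} backup@host
ssh-rsa not-valid-base64!!
"""
ALLOWLIST = {fingerprint(APPROVED_BLOB)}
FINDINGS = audit(SAMPLE, ALLOWLIST)  # two findings: the injected key and the malformed line
```

Run against the real file per user (and per AuthorizedKeysFile path in sshd_config) with an allowlist exported from your key inventory; a new fingerprint with a forced command or `from=` restriction is exactly the pattern T1098.004 describes.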
Containment, Eradication & Recovery
- Isolate the affected system from the network to prevent further compromise.
- Block the source IP address (112.17.139.236) at the firewall.
- Scan the affected system with an updated antivirus and anti-malware solution.
- Reimage the affected system from a known good backup if necessary.
- Reset all user credentials on the affected system, especially SSH keys.
Notify IT and leadership about the incident. Preserve all relevant logs and artifacts for forensic analysis.
Hardening & Preventive Controls
- Implement Multi-Factor Authentication (MFA) for all SSH access (CIS Control 5, NIST CSF PR.AC-1).
- Regularly audit and rotate SSH keys (CIS Control 5, NIST CSF PR.AC-3).
- Use strong, unique passwords for all user accounts (CIS Control 5, NIST CSF PR.AC-3).
- Keep systems patched, including SSH daemons (CIS Control 3, NIST CSF PR.PT-1).
- Segment the network to limit the blast radius of a compromised host (CIS Control 4, NIST CSF PR.AC-5).
- Apply the principle of least privilege: grant users only the permissions they need (CIS Control 5, NIST CSF PR.AC-3).
- Disable SSH password authentication, relying solely on key-based authentication.
- Monitor SSH logs for suspicious activity.
Business Impact & Risk Outlook
A successful SSH key injection can lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory compliance may also be affected, depending on the type of data accessed. We anticipate an increase in SSH-related attacks targeting vulnerable systems in the coming months as attackers seek to exploit weak authentication practices.
Appendix
Assumptions & Data Gaps:
- The destination port of the connection is assumed to be port 22 (SSH).
- The complete payload is not available, only the hash.
- Sensor name is missing.