Unauthorized SSH Key Modification Attempt Detected
Executive Summary
- SGI sensors detected a file modification attempt targeting SSH authorized keys files.
- Successful modification could grant attacker persistent, passwordless SSH access to affected systems.
- The likely objective is unauthorized system access and potential lateral movement within the network.
- Business risk is high due to potential data breach, system compromise, and operational disruption.
- Expect threat actors to continue targeting SSH keys as a low-effort, high-reward initial access vector.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-10-09T08:41:01.318Z | | 52.187.9.XXX | AS8075 | SG | tcp/ | Yes | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 |
An alert was triggered by SGI sensors upon detecting a file modification event potentially related to an SSH authorized key file. The activity originated from IP address 52.187.9.8, associated with Microsoft Corporation (AS8075) in Singapore. The detected payload contained a potentially malicious or unauthorized SSH public key, suggesting an attempt to gain unauthorized access to a system. Further investigation is required to determine the extent of the compromise and identify affected systems.
Malware/Technique Overview
The detected activity is associated with the “authorized_keys” malware family, indicating an attempt to inject unauthorized SSH public keys into the authorized_keys file of user accounts. This technique allows attackers to bypass password authentication and gain direct SSH access to the compromised system.
- T1190 – Exploit Public-Facing Application: Attackers might leverage vulnerabilities in publicly accessible applications to gain initial access and then modify authorized SSH keys.
- T1078.003 – Valid Accounts: Local Accounts: Attackers may target local accounts to modify authorized SSH keys for persistent access.
- T1059.004 – Command and Scripting Interpreter: Unix Shell: Attackers often use shell scripts to automate the process of modifying authorized SSH keys.
- T1556.002 – Modify Authentication Process: SSH Keys: The primary technique observed is the modification of SSH keys to gain unauthorized access.
VirusTotal Snapshot
VirusTotal analysis indicates a high level of suspicion, with 29 vendors flagging the sample as malicious and 33 vendors reporting it as undetected. The file has been identified under several aliases including “authorized_keys” and various timestamped redirects to .ssh/authorized_keys paths. This suggests repeated targeting of this file across multiple systems. The overall reputation score is -34, confirming the malicious nature of the file.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 52.187.9.XXX | medium | 2025-10-09T08:41:01.318Z | AS8075 Microsoft Corporation |
| hash | a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 | high | 2025-10-09T08:41:01.318Z | SHA256 from VirusTotal |
These IoCs should be monitored for at least 90 days.
Detection & Hunting
Splunk SPL
index=* sourcetype=ossec_alerts rule.description="File integrity monitoring alert" path="*/.ssh/authorized_keys" src_ip="52.187.9.XXX" | table _time, src_ip, path, user
Elastic/Kibana KQL
event.category:"file" and file.path:"*/.ssh/authorized_keys" and source.ip:"52.187.9.XXX"
Validating true positives requires examining the modified authorized_keys file for unfamiliar or suspicious SSH keys. False positives can occur due to legitimate administrative changes. Investigate any matches for unexpected activity.
Containment, Eradication & Recovery
- Isolate Affected Systems: Immediately disconnect any potentially compromised systems from the network to prevent further lateral movement.
- Block Malicious IP: Add the malicious IP address (52.187.9.8) to your firewall blocklist.
- Scan for Unauthorized Keys: Perform a thorough scan of all systems for unauthorized modifications to authorized_keys files.
- Reimage Compromised Systems: If a system is confirmed to be compromised, reimage it from a known good backup.
- Reset Credentials: Reset passwords for all user accounts that may have been affected.
Inform relevant IT and leadership teams about the incident and the steps being taken. Preserve all logs and relevant data for forensic analysis.
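To validate a hit from the queries above and to carry out the "Scan for Unauthorized Keys" step, the following Python script (an added example, not SGI tooling) parses authorized_keys entries the way sshd reads them (optional options field, key type, base64 blob, comment), computes each key's SHA256 fingerprint in the form `ssh-keygen -lf` prints, and flags keys absent from an approved-key allowlist, malformed entries, and files whose SHA256 equals the IoC hash from the table. The file contents, key blobs and allowlist are constructed sample data; on a real host you would read /home/*/.ssh/authorized_keys (and root's) and fill the allowlist from your key inventory.

```python
"""Audit authorized_keys contents against an allowlist of approved key
fingerprints and known-bad file hashes (added example, not SGI code)."""
import base64
import hashlib
import re
import struct

# Key types sshd accepts in authorized_keys. Options (from=, command=, ...)
# may precede the type and may contain quoted spaces, so anchor on the type.
KEY_RE = re.compile(
    r"(?P<type>ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>\S.*))?\s*$"
)

# SHA256 from the IoC table above; a file hashing to it is an immediate hit.
IOC_FILE_HASHES = {
    "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2",
}


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw32: bytes) -> str:
    """Constructed test helper: wrap 32 placeholder bytes in an ed25519 blob."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def fingerprint(blob_b64: str) -> str:
    """Same value `ssh-keygen -lf` shows: SHA256 of the decoded blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_type(blob_b64: str):
    """Key type stored inside the blob; sshd requires it to match the declared type."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode()
    except Exception:
        return None


def parse_entry(line: str):
    """Return the parsed entry, None for blank/comment lines; ValueError on garbage."""
    line = line.rstrip("\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        raise ValueError("no recognisable key on line")
    return {"options": line[:m.start()].strip(), "type": m.group("type"),
            "blob": m.group("blob"), "comment": m.group("comment") or ""}


def audit(path: str, content: str, allowlist: set) -> list:
    """Findings for one file as (path, line_no, kind, detail); line 0 = whole file."""
    findings = []
    file_hash = hashlib.sha256(content.encode()).hexdigest()
    if file_hash in IOC_FILE_HASHES:
        findings.append((path, 0, "ioc_hash_match", file_hash))
    for no, line in enumerate(content.splitlines(), 1):
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            findings.append((path, no, "malformed", str(exc)))
            continue
        if entry is None:
            continue
        if embedded_type(entry["blob"]) != entry["type"]:
            findings.append((path, no, "malformed", "declared type != blob type"))
            continue
        fp = fingerprint(entry["blob"])
        if fp not in allowlist:  # the key nobody in the inventory vouches for
            detail = (f"{fp} {entry['type']} comment={entry['comment']!r} "
                      f"options={entry['options']!r}")
            findings.append((path, no, "unknown_key", detail))
    return findings


def audit_all(files: dict, allowlist: set) -> list:
    return [f for path, content in files.items() for f in audit(path, content, allowlist)]


# Constructed sample data: placeholder keys, not real public keys.
ALICE = make_ed25519_blob(b"A" * 32)
BOB = make_ed25519_blob(b"B" * 32)
INTRUDER = make_ed25519_blob(b"\x07" * 32)
ALLOWLIST = {fingerprint(ALICE), fingerprint(BOB)}   # from the key inventory
SAMPLE_FILES = {
    "/home/alice/.ssh/authorized_keys": f"ssh-ed25519 {ALICE} alice@laptop\n",
    "/home/bob/.ssh/authorized_keys": (
        "# managed by config management\n"
        f"ssh-ed25519 {BOB} bob@workstation\n"
        f'no-pty,command="/usr/bin/true" ssh-ed25519 {INTRUDER} root@builder\n'
        f"ssh-rsa {BOB} mismatch\n"
    ),
}

if __name__ == "__main__":
    for path, no, kind, detail in audit_all(SAMPLE_FILES, ALLOWLIST):
        print(f"{path}:{no}: {kind}: {detail}")
```

The fingerprint is what to compare against your inventory and against `ssh-keygen -lf` output on the host, since a comment such as root@builder is free text an attacker chooses. The options column is printed on purpose: a `from=` or `command=` restriction on an unknown key is still an unknown key, but it tells the analyst what the key was meant to do.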
Hardening & Preventive Controls
- Implement Multi-Factor Authentication (MFA) (NIST CSF PR.AC-1, CIS Control 6): Enforce MFA for all SSH access to prevent unauthorized logins.
- Tune Endpoint Detection and Response (EDR) Systems (NIST CSF DE.CM-1, CIS Control 8): Configure EDR solutions to monitor for file integrity changes in critical system directories.
- Implement Network Segmentation (NIST CSF PR.AC-3, CIS Control 4): Segment the network to limit the impact of a potential breach.
- Enforce Least Privilege (NIST CSF PR.AC-4, CIS Control 5): Grant users only the necessary permissions to perform their tasks.
- Establish Patch Management SLAs (NIST CSF PR.PT-1, CIS Control 7): Ensure that all systems are patched promptly to address known vulnerabilities.
- Disable Password Authentication: Where possible, disable password authentication for SSH and rely solely on key-based authentication.
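The last item, shown as an sshd_config audit in Python (an added example, not from the advisory). It reads a config the way sshd does, keeping the first value of each keyword and scoping settings under Match blocks, and reports what still lets a password or a user-added key through even when PasswordAuthentication is off: keyboard-interactive via PAM, root login, and an AuthorizedKeysFile under the user's home, which is the file this advisory's activity targets. The weak and hardened configs are constructed samples; the defaults in CHECKS are OpenSSH's documented defaults for an absent keyword.

```python
"""Audit sshd_config text for settings that undermine key-only SSH access
(added example, not SGI code)."""
import re

# keyword -> (OpenSSH default when absent, values the audit accepts)
CHECKS = {
    "passwordauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),     # PAM still prompts for passwords
    "challengeresponseauthentication": ("yes", {"no"}),  # legacy alias of the above
    "permitemptypasswords": ("no", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"}),
}
DEFAULT_AKF = ".ssh/authorized_keys .ssh/authorized_keys2"


def parse_sshd_config(text: str):
    """Return (global_settings, match_blocks). sshd uses the FIRST value it sees
    for a keyword, so later duplicates are ignored here too."""
    glob, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s*=?\s*(.*)", line)   # "Key value" or "Key=value"
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {"criteria": val, "settings": {}}
            matches.append(current)
            continue
        target = glob if current is None else current["settings"]
        target.setdefault(key, val)
    return glob, matches


def audit_sshd_config(text: str) -> list:
    """Human-readable findings; an empty list means the config passes."""
    glob, matches = parse_sshd_config(text)
    findings = []
    for key, (default, ok) in CHECKS.items():
        val = glob.get(key, default).lower()
        origin = "explicit" if key in glob else "default"
        if val not in ok:
            findings.append(f"{key}={val} ({origin}); expected one of {sorted(ok)}")
    akf = glob.get("authorizedkeysfile", DEFAULT_AKF)
    # Relative paths and %h are under the user's home: the account (or anything
    # running as it) can append keys. A root-owned absolute path cannot be.
    if any(not p.startswith("/") or "%h" in p for p in akf.split()):
        findings.append(f"authorizedkeysfile={akf!r} is user-writable; "
                        "consider a root-owned path such as /etc/ssh/authorized_keys/%u")
    for blk in matches:
        for key, (_, ok) in CHECKS.items():
            val = blk["settings"].get(key)
            if val is not None and val.lower() not in ok:
                findings.append(f"Match {blk['criteria']}: {key}={val} relaxes the global setting")
    return findings


# Constructed sample: a common "mostly default" config with one duplicate line.
WEAK_CONFIG = """
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Constructed sample: the corrected form of the same config.
HARDENED_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or "OK")
```

Run it against `sshd -T` output rather than the raw file when you can: `sshd -T` prints the effective values after includes and defaults, so the keyword lookups above see exactly what the daemon will enforce. Moving AuthorizedKeysFile to a root-owned directory also turns the file-integrity rule in the SPL above into a far lower-noise signal, because nothing but change management should ever write there.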
Business Impact & Risk Outlook
A successful SSH key compromise can lead to significant operational disruption, data breaches, and reputational damage. Legal and regulatory compliance may also be affected depending on the sensitivity of the data accessed. Expect attackers to continue targeting SSH keys, as doing so provides a stealthy and persistent method of access. Monitoring for anomalous activity around SSH keys and implementing robust security controls are essential for mitigating this risk.
Appendix
Assumptions & Data Gaps
- We assume that the provided SHA256 hash represents the content of a modified authorized_keys file or a script intended to modify it.
- Sensor name and network port were not provided in the input.