Referred to by some as the “Malware of 2019,” Trickbot has garnered a fair share of news coverage and, consequently, it has been analyzed by many security organizations. What makes this malware so dangerous and what are the lessons to be learned?
First, let’s take a look at the nature of the beast. Trickbot is dangerous because it evolves, spreads via multiple mechanisms (email and network) and targets credentials (Mimikatz). The malware started as a banking Trojan distributed via spear-phishing email attachments containing a hidden script concealed by font coloring. This technique has proven successful for adversaries and has resulted in hundreds of millions of clients being infected. The sophisticated malware even appears to be capable of stopping standard Microsoft Windows defense techniques.
What makes this malware especially interesting is that it searches for credentials stored in memory, including SSH keys used by tools like PuTTY—one of the 10 most popular tools for system administrators. Attackers can use these credentials as a backdoor to access critical assets and exfiltrate data, again using the SSH protocol.
What are the lessons we should learn about privileged access from Trickbot?
- SSH credentials need to be protected
Credentials are the new prizes for adversaries. In particular, stolen SSH keys give attackers an array of opportunities to move laterally and exfiltrate data—all nicely built into the SSH protocol. Since SSH keys don’t expire and most organizations (even the most sophisticated banks) never change them, hackers can easily sell the credentials on the dark web or use them later in a deeper multi-staged attack.
- SSH visibility is critical
Adversaries always move to the path of least resistance. Unfortunately, for many businesses, security teams have no clue when they’re pwned. Without visibility over all the SSH keys in use across the datacenter or cloud, coupled with the automation needed to change them, these hacks and the increasing theft of SSH keys will only continue. CISOs would find it insane not to have password change policies in place; unfortunately, the same is not true for SSH machine identities.
- SSH requires proactive resiliency
Because Trickbot evades malware protection like Windows Defender, a continuous, proactive approach is needed: scanning for SSH keys, monitoring for duplicate key usage, implementing SSH usage controls (eliminating port forwarding) and frequently replacing keys. This can have a big effect on the overall security posture of the enterprise environment and prevent further damage. Simply said, continuous monitoring, applying policies and even proactively replacing keys must be done for all credentials used by human or machine identities.
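The scanning and duplicate-key checks named above can be sketched as a small audit over collected `authorized_keys` files. This is an added example, not code from the original article or from Venafi; the host labels, file contents and key blobs are constructed, and it assumes the OpenSSH `restrict` and `no-port-forwarding` key options are the port-forwarding control in use.

```python
import base64, hashlib, re
from collections import defaultdict

# Key type, then the base64 blob (always starts "AAAA": 4-byte length prefix).
KEY_RE = re.compile(r'(?:^|\s)((?:sk-)?(?:ssh|ecdsa)-[\w@.-]+)\s+(AAAA[0-9A-Za-z+/]+={0,2})')
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted option values, e.g. command="..."

def fingerprint(b64_blob):  # same SHA256 form that `ssh-keygen -l` prints
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Return (option_names, fingerprint) for an authorized_keys line, else None."""
    line = line.strip()
    m = None if line.startswith("#") else KEY_RE.search(line)
    if not m:
        return None
    opts = QUOTED.sub("", line[:m.start()])  # drop quoted values, keep option names
    names = {o.split("=")[0].strip().lower() for o in opts.split(",") if o.strip()}
    return names, fingerprint(m.group(2))

def forwarding_allowed(names):
    """False for no-port-forwarding, or restrict without a port-forwarding override."""
    if "no-port-forwarding" in names:
        return False
    return not ("restrict" in names and "port-forwarding" not in names)

def audit(files):
    """files: {location: authorized_keys text} -> (shared keys, forwardable entries)."""
    seen, forwardable = defaultdict(set), []
    for location, text in files.items():
        for names, fp in filter(None, map(parse_entry, text.splitlines())):
            seen[fp].add(location)
            if forwarding_allowed(names):
                forwardable.append((location, fp))
    duplicates = {fp: sorted(locs) for fp, locs in seen.items() if len(locs) > 1}
    return duplicates, forwardable

def sample_blob(n):  # constructed ed25519-shaped blob, not a real key
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([n]) * 32
    return base64.b64encode(raw).decode()

SAMPLE = {  # constructed inventory: location label -> authorized_keys contents
    "web01:deploy": f"ssh-ed25519 {sample_blob(1)} ci@build\n",
    "db01:backup": f'restrict,command="/usr/local/bin/backup" ssh-ed25519 {sample_blob(1)} ci@build\n'
                   f"# rotated\nno-port-forwarding ssh-ed25519 {sample_blob(2)} ops\n",
}

if __name__ == "__main__": print(audit(SAMPLE))
```

On the constructed inventory, the first key is reported as shared between `web01:deploy` and `db01:backup`, and only the unrestricted `web01:deploy` entry is listed as still permitting port forwarding.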
The latest Trickbot is adept at stealing SSH keys. And while security teams have enforced password change policies and have spent billions on identity management for passwords, there’s little awareness about SSH keys and their dangers. SSH keys automate and have control over systems in the datacenter and the cloud. Stealing them gives hackers control and gives them the power to create long-term back doors.
According to Kevin Bocek, Venafi vice president of security strategy and threat intelligence, “Hackers are wising up to a hidden gem: SSH machine identities give them master control of businesses’ sensitive computers. Unfortunately for many businesses, Trickbot allows hackers to gain total control because of stolen SSH keys.”
To learn more about managing SSH keys go to https://www.venafi.com/education-center/ssh/6-steps-for-managing-ssh-keys