Secure Shell (SSH) machine identities and user keys play a critical role in providing the highest level of privileged access. So it's no surprise that cybergangs and threat actors continue to target the cloud and unmanaged SSH machine identities. Recently we saw Hildegard and Pro-Ocean using stolen or unmanaged SSH keys, and a new report shows that unmanaged SSH keys are again the prime target.
Researchers have identified a new Linux rootkit, dubbed Facefish, that targets Linux x64 systems to inject malicious code, hijack SSH servers and install a backdoor that can steal sensitive information as well as SSH credentials and keys. Unlike other SSH-targeting malware, Facefish doesn't immediately use the compromised resources to mine cryptocurrency or to pivot to other systems; it likely compromises targets for sale to other cybercriminals, who can then access the victim at a later time.
How was Facefish discovered and what can it do?
Juniper Threat Labs observed an attack that attempted to inject malicious code into SSH. The attack begins with an exploit against the Control Web Panel (CWP) server administration web application, injects code and uses a custom, encrypted C2 protocol to exfiltrate credentials and machine capabilities.
NetLab reported that the attack targets the OpenSSH client and server implementation. According to NetLab, Facefish first determines which processes are running on the machine and whether its code has been injected into the ssh or sshd process.
If a user logs on through SSH, Facefish executes a series of backdoor behaviors in order to steal the credentials and keys. If the sshd process exists, the backdoor process will exit and will start to periodically beacon to the command-and-control (C2) server to exfiltrate data, including a listing of system information such as CPU and OS details, amount of RAM, available disk space, OpenSSH configuration and credential data.
When a client session is created using SSH and connects to the machine, or when sshd passively receives an external connection, Facefish steals the login credentials and keys and sends them to the C2.
Juniper had a hard time determining the motivations behind the attack, but stated that the malware catalogs detailed system information and credentials and does not immediately mine cryptocurrency or amplify the attack by attempting to spread further; it is therefore suspected that "access to the compromised machines will be sold or rented as part of a botnet."
Here's a list of actions you should take to protect your SSH machine identities:
- Discover all SSH machine identities in your environment, who they belong to and what they are used for.
- Map all trust relationships and identify and remove any orphaned and duplicate authorized keys.
- Enforce passphrase protection on private keys and approved key lengths and algorithms.
- Assign ownership of all access-granting keys and monitor and analyze key-based access usage.
- Define SSH key management policies and automate their enforcement.
- Define SSH hardening configurations.
- Establish continuous monitoring and an audit process.
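The first three actions above (discover every authorized key, map who it belongs to, find duplicate and unattributed keys, and check key length and algorithm) can be started with a small inventory script. The following is an added example, not code from the original post or from any Venafi product. It parses authorized_keys files in the OpenSSH wire format (RFC 4253 public-key blobs), computes the same SHA256 fingerprint that ssh-keygen -l reports, and flags keys that are shared across accounts, lack an owner comment, use the deprecated ssh-dss algorithm, or are RSA keys below an assumed policy threshold of 2048 bits. The inventory, the account names and the key blobs are constructed for the example and are not real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048             # policy threshold assumed for this example
DEPRECATED_TYPES = {"ssh-dss"}  # OpenSSH disables DSA host/user keys by default since 7.0


def _ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """RFC 4251 'mpint': two's-complement big-endian, leading 0x00 if the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def make_blob(key_type, *parts):
    """Build a public-key blob from constructed (fake) components, ints as mpint, bytes as string."""
    blob = _ssh_string(key_type.encode())
    for part in parts:
        blob += _ssh_mpint(part) if isinstance(part, int) else _ssh_string(part)
    return blob


def fingerprint(blob):
    """Same format as `ssh-keygen -l -E sha256`: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Parse one authorized_keys line: [options] keytype base64 [comment].
    Simplification: options containing quoted spaces (from="a b") are not handled."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return None
    blob = base64.b64decode(tokens[idx + 1])
    wire_type, off = _read_string(blob, 0)
    wire_type = wire_type.decode()
    bits = None
    if wire_type == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent, not needed here
        n_bytes, off = _read_string(blob, off)     # modulus; its bit length is the key size
        bits = int.from_bytes(n_bytes, "big").bit_length()
    return {"type": wire_type, "bits": bits, "fingerprint": fingerprint(blob),
            "options": " ".join(tokens[:idx]), "comment": " ".join(tokens[idx + 2:])}


def parse_authorized_keys(text):
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parsed = parse_line(line)
            if parsed:
                keys.append(parsed)
    return keys


def audit(inventory):
    """inventory: {account: authorized_keys text}. Returns duplicate, weak and unattributed keys."""
    by_fp = defaultdict(list)
    weak, unattributed, all_keys = [], [], []
    for account, text in inventory.items():
        for k in parse_authorized_keys(text):
            k["account"] = account
            all_keys.append(k)
            by_fp[k["fingerprint"]].append(account)       # same key trusted by several accounts
            if k["type"] in DEPRECATED_TYPES:
                weak.append((account, k["fingerprint"], "deprecated algorithm"))
            elif k["type"] == "ssh-rsa" and k["bits"] < MIN_RSA_BITS:
                weak.append((account, k["fingerprint"], f"RSA {k['bits']} bits"))
            if not k["comment"]:                           # no owner hint: cannot map to a person
                unattributed.append((account, k["fingerprint"]))
    duplicates = {fp: accts for fp, accts in by_fp.items() if len(accts) > 1}
    return {"keys": all_keys, "duplicates": duplicates, "weak": weak, "unattributed": unattributed}


def _fake_modulus(bits):
    return (1 << (bits - 1)) | 1  # odd integer of exactly `bits` bits; constructed, not a real key


RSA_2048 = make_blob("ssh-rsa", 65537, _fake_modulus(2048))
RSA_1024 = make_blob("ssh-rsa", 65537, _fake_modulus(1024))
ED25519 = make_blob("ssh-ed25519", bytes(range(32)))
DSS = make_blob("ssh-dss", _fake_modulus(1024), _fake_modulus(160), 2, 3)


def _line(blob, comment="", options=""):
    key_type = _read_string(blob, 0)[0].decode()
    return " ".join(t for t in (options, key_type, base64.b64encode(blob).decode(), comment) if t)


# Constructed inventory: the same RSA key appears under two accounts, root has a short,
# uncommented key, and a legacy host still trusts a DSA key.
SAMPLE_INVENTORY = {
    "alice": _line(RSA_2048, "alice@laptop") + "\n" + _line(ED25519, "alice@ci"),
    "deploy": "# copied from alice\n" + _line(RSA_2048, "alice@laptop"),
    "root": _line(RSA_1024, options="no-pty,no-port-forwarding"),
    "legacy": _line(DSS, "build@oldbox"),
}

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for fp, accounts in report["duplicates"].items():
        print(f"DUPLICATE {fp} trusted by {', '.join(accounts)}")
    for account, fp, reason in report["weak"]:
        print(f"WEAK      {account}: {fp} ({reason})")
    for account, fp in report["unattributed"]:
        print(f"NO OWNER  {account}: {fp}")
```

Feeding real files is a matter of replacing SAMPLE_INVENTORY with the contents of each account's ~/.ssh/authorized_keys (and any AuthorizedKeysFile paths configured in sshd_config); the fingerprints it prints match what ssh-keygen -l shows, so findings can be cross-checked by hand before a key is removed.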
How can Venafi help?
Using Venafi SSH Protect to manage your SSH machine identities, you can discover all SSH machine identities in the environment, identify who they belong to and what they are used for. This comprehensive visibility will help you maximize threat detection in encrypted traffic, maintain active control over SSH keys and centralize your machine identity governance and administration.
Here’s how Venafi SSH Protect helps you manage and secure your enterprise SSH keys and connections:
- Visibility: You can discover known and unknown SSH keys, understand the critical connections they enable, report on SSH key usage and identify potential risks.
- Intelligence: You’ll understand and mitigate risks related to existing SSH key setup, achieve compliance with risk management standards and frameworks and monitor usage for anomalies.
- Automation: You’ll be equipped to streamline and secure SSH key lifecycles and respond quickly to imminent threat events that may impact business-critical assets.
How well are you managing your SSH machine identities?