Secure Shell (SSH) provides an authenticated connection between two machines, enabling encrypted data communications and remote command execution.
SSH machine identities, also known as SSH keys, control workloads running in cloud computing environments, data center operations, critical infrastructure, VPN connections and more. In addition, SSH keys provide privileged access to critical systems like servers and databases.
SSH keys are incredibly lucrative targets for attackers, and they are often involved in data breaches. In early May, GoDaddy, a popular online hosting company, announced that it had been hit by a data breach affecting 28,000 users’ SSH credentials. The breach took place in October 2019, and GoDaddy sent affected customers the following message:
“We recently identified suspicious activity on a subset of our servers and immediately began an investigation. The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account.”
“This breach underlines just how important SSH security is,” says Yana Blachman, threat intelligence specialist at Venafi. “SSH is used to access an organization’s most critical assets, so it’s vital that organizations stick to the highest security level of SSH access and disable basic credential authentication and use machine identities instead.”
Blachman recently analyzed a variety of malware campaigns to see how bad actors used SSH in their attacks. Until recently, only the most sophisticated, well-financed Advanced Persistent Threat (APT) groups were using SSH. Now there appears to be a ‘trickle-down’ effect, with SSH capabilities becoming part of “off-the-shelf” commodity malware.
As SSH attacks and data breaches become more common, organizations must protect themselves. “This involves implementing strong private-public key cryptography to authenticate a user and a system,” continues Yana. “Alongside this, organizations must have visibility over all their SSH machine identities in use across the datacenter and cloud, and automated processes in place to change them. SSH automates control over all manner of systems, and without full visibility into where they’re being used, cyber attackers will continue to target them.”
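As an added example (not code from the original post or from Venafi), the following POSIX shell audit checks the two points in the quotes above: whether an sshd_config disables credential logins in favour of key-based ones, and how many machine identities an authorized_keys file trusts. The config and key files it writes to a temporary directory are constructed samples, not real keys.

```shell
# Added example (not from the original post): audit an sshd_config for the quoted
# guidance (credential logins off, key logins on) and count the machine identities
# an authorized_keys file trusts. All sample inputs below are constructed.
set -e

# Effective global value of an sshd_config keyword given as a lower-case regex.
# Mirrors sshd: first occurrence wins, keywords are case-insensitive, comments
# are ignored; conditional Match blocks are not evaluated (flagged below).
sshd_effective() {
  awk -v key="$2" -v def="$3" '
    { sub(/#.*/, "") }
    NF < 2 { next }
    tolower($1) == "match" { exit }
    tolower($1) ~ key { print tolower($2); found = 1; exit }
    END { if (!found) print tolower(def) }' "$1"
}

# Returns 0 when password and keyboard-interactive logins are disabled and
# public-key logins enabled; otherwise names each weak setting and returns 1.
audit_sshd_config() {
  rc=0
  pw=$(sshd_effective "$1" '^passwordauthentication$' yes)
  kbd=$(sshd_effective "$1" '^(kbdinteractive|challengeresponse)authentication$' yes)
  pub=$(sshd_effective "$1" '^pubkeyauthentication$' yes)
  [ "$pw" = no ]   || { echo "WEAK: PasswordAuthentication=$pw (want no)"; rc=1; }
  [ "$kbd" = no ]  || { echo "WEAK: KbdInteractiveAuthentication=$kbd (want no)"; rc=1; }
  [ "$pub" = yes ] || { echo "WEAK: PubkeyAuthentication=$pub (want yes)"; rc=1; }
  m=$(grep -ci '^[[:space:]]*match[[:space:]]' "$1") || true
  [ "$m" -eq 0 ] || echo "NOTE: $m Match block(s) not evaluated; review their overrides"
  return $rc
}

# Number of keys an authorized_keys file trusts; entries may start with options.
count_authorized_keys() {
  awk '/^[ \t]*#/ || NF == 0 { next }
    { for (i = 1; i <= NF; i++)
        if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-.*@openssh\.com)$/) { n++; break } }
    END { print n + 0 }' "$1"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf '%s\n' '# first value wins in sshd, so the later "no" never takes effect' \
  'PasswordAuthentication yes' 'PasswordAuthentication no' > "$WORK/weak.conf"
printf '%s\n' 'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
  'PubkeyAuthentication yes' 'Match User backup' '  PasswordAuthentication yes' > "$WORK/hardened.conf"
printf '%s\n' '# constructed entries, not real keys' 'ssh-ed25519 AAAAC3Nz...example1 deploy@ci' \
  'command="/usr/bin/rrsync /srv/backup",no-pty ssh-rsa AAAAB3Nz...example2 backup@dc1' > "$WORK/authorized_keys"
audit_sshd_config "$WORK/weak.conf" || echo "weak.conf: needs hardening"
audit_sshd_config "$WORK/hardened.conf" && echo "hardened.conf: OK"
echo "keys trusted by authorized_keys: $(count_authorized_keys "$WORK/authorized_keys")"
```

Run it against a real host's /etc/ssh/sshd_config and each user's ~/.ssh/authorized_keys to get a first inventory; Match blocks are only flagged, so review their overrides by hand.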
How do you protect against SSH abuse?