The number of malware campaigns designed to target and propagate through SSH machine identities is growing by the day. Since January this year, a new malware developed by the TeamTNT cybercrime gang is attacking misconfigured Kubernetes clusters. Once initial access is gained, the malware, dubbed Hildegard, attempts to spread over as many containers as possible through SSH and other machine identities and eventually launch a cryptominer.
TeamTNT specializes in attacking the cloud, specifically Docker API servers and Kubernetes instances, and deploying unique and rare credential-stealing worms within AWS using an SSH post-exploitation tool. It is also infamous for abusing the legitimate cloud-monitoring Weave Scope.
How SSH machine identities were used?
TeamTNT’s new malware campaign is targeting Kubernetes clusters via a misconfigured kubelet that allows anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempts to spread over as many containers as possible by stealing SSH machine identities and using them to propagate to other containers.
Hildegard searches for credential files on the host, as well as queries metadata for cloud-specific credentials. The identified credentials are sent back to the C2.
The searched credentials include:
- Cloud access keys
- Cloud access tokens
- SSH keys
- Docker credentials
- Kubernetes service tokens
How can Venafi help?
Using Venafi SSH Protect to manage your SSH machine identities, you can discover all SSH machine identities in the environment, who they belong to and what they are used for. This comprehensive visibility will help you maximize threat detection in encrypted traffic, maintain active control over SSH keys and centralize your machine identity governance and administration.
Once you have a complete inventory of your SSH machine identities, you should map all trust relationships and identify and remove any orphaned and duplicate authorized keys. You should also ensure passphrase protection, key length and algorithms. Furthermore, you should assign ownership of all access granting keys, and monitor and analyze key-based access usage.
Here’s a list of actions you should take to protect your SSH machine identities.
- Control SSH identities and authorized keys
- Control SSH configuration files and known hosts files to prevent any tampering
- Implement clearly defined SSH key management policies
- Define SSH hardening configurations
- Create inventory and remediation policy
- Establish continuous monitoring and audit process
- Automate the whole process