Cybercriminals are constantly looking for new ways to exploit systems and execute attacks. Attackers diligently look for misconfigurations and weak authentication methods in public-facing remote services. In particular, the number of attacks in the cloud that abuse SSH password-based authentication continues to grow at an alarming rate.
In many cases, a lack of oversight and controls has led to violations of corporate access policies. This can result in dangerous backdoors that facilitate the launch of successful attacks through otherwise trusted encrypted tunnels. Let’s take a closer look at the techniques threat actors use to exploit SSH keys, and ensure your network isn’t falling prey to any of these traps.
Exposing an application service to the internet is a common misconfiguration that allows access to an internal system from anywhere and acts as a common attack vector. Attackers can leverage external-facing remote services as a point of entry to an application hosted in the cloud, aiming to compromise the underlying instance.
Another less reported attack vector on applications with exposed SSH services is for an attacker to use compromised SSH keys and credentials. Attackers can gather SSH keys and credentials from source control, public repositories, or open buckets. They can also steal them from machines compromised in parallel or unrelated campaigns, or even purchase them on remote access markets where they are sold as-a-service.
Advanced persistent threat (APT) attacks typically combine discovered machine identity vulnerabilities with malware that exploits weak or improperly managed machine identities to achieve their goals. A primary goal of an APT attack is to remain persistent on the victim’s network. SSH machine identities are extremely useful to attackers because they support and enable persistence, lateral movement and defensive evasion.
For example, one APT group was able to use a feature that allowed any user to trigger an SSH connection from the cloud provider to the managed server, with the SSH agent forwarding feature enabled. This allowed the attacker to relay authentication to any other server within the same cloud, achieving remote code execution (RCE) with root privileges.
In another recent attack, cybercriminals brute-forced an exposed SSH service to infect the host with a crypto-miner and used it as a launchpad for further large-scale attacks. In yet another incident, skilled attackers managed to get initial access on a Linux system through what appeared to be a brute-force attack on an exposed SSH service and moved from there to the on-premises network.
In APT attacks, cybercriminals use the following tools:
- SSH backdoors
Unfortunately, SSH can be used by both developers and attackers to ensure access to a server. Attackers who can compromise a machine can enable the SSH service to allow SSH communication and by that means establish persistence on the target. This backdoor access allows attackers to blend into legitimate traffic, avoid detection and pass through any firewalls that are in place.
Another common technique to establish persistence on a target where the SSH service is enabled is to insert an attacker-owned SSH public key into the authorized keys file on the server, creating a backdoor that guarantees a remote connection to the server without being noticed.
- Legitimate SSH services
Attackers often use legitimate, preinstalled remote services with valid accounts on compromised machines to evade defense mechanisms. Attackers collect insecure machine identities from their targets and use them to establish SSH communication, bypass any access restrictions on traffic, and do so without raising suspicion or triggering any security controls.
- SSH keys and “wormlike” malware
Many APT attacks are designed to steal and exfiltrate SSH keys and known hosts information to enable lateral movement to more and more systems.
In recent years, a growing range of commodity malware has integrated the misuse of SSH machine identities into its attacks. Campaigns such as crypto-mining, spam, adware and banking trojans are now equipped with SSH capabilities for credential theft, persistence and lateral movement. In most cases, the malware is used to add the attacker’s SSH key to the authorized keys file on the victim’s machine, enabling the attacker to remain persistent on the device. In other cases, the malware was able to brute-force weak SSH authentication on public-facing servers, gain access to the target, and steal credentials and host information in order to move laterally across the network and infect further machines.
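The authorized-keys backdoor described above (both the APT technique and the commodity-malware variant) is detectable by comparing what is actually in each authorized keys file with an inventory of approved key fingerprints. The following script is an added example, not code from the original post or from Venafi; it parses authorized_keys lines (including option prefixes such as `command="..."`), computes the same SHA256 fingerprints `ssh-keygen -lf` prints, and reports any key not in the inventory. The sample file, the key blobs and the inventory are constructed for the demo.

```python
import base64, hashlib, struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def demo_blob(key_type, seed):
    # Constructed public-key blob in SSH wire format; demo data, not a real key.
    raw = seed.ljust(32, b"\0")[:32]
    wire = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", 32) + raw
    return base64.b64encode(wire).decode()

def fingerprint(blob_b64):
    # Same SHA256 fingerprint form that `ssh-keygen -lf` prints.
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    # Yield (options, key_type, blob, comment); options may hold quoted spaces,
    # so locate the key-type token instead of naively splitting on whitespace.
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for kt in KEY_TYPES:
            idx = line.find(kt + " ")
            if idx == 0 or (idx > 0 and line[idx - 1] == " "):
                break
        else:
            continue  # not a recognisable key line
        rest = line[idx + len(kt) + 1:].split(None, 1)
        yield line[:idx].strip(), kt, rest[0], (rest[1] if len(rest) > 1 else "")

def audit(text, approved):
    # Report every key whose fingerprint is not in the approved inventory.
    findings = []
    for options, kt, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in approved:
            findings.append({"fingerprint": fp, "type": kt,
                             "comment": comment, "options": options})
    return findings

# Constructed sample file: one inventoried deploy key and one unexpected key.
APPROVED_BLOB = demo_blob("ssh-ed25519", b"inventoried-deploy-key")
UNKNOWN_BLOB = demo_blob("ssh-ed25519", b"key-nobody-registered")
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not from a real host
ssh-ed25519 {APPROVED_BLOB} deploy@ci
command="/bin/true",no-pty ssh-ed25519 {UNKNOWN_BLOB} unknown@nowhere
"""
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_BLOB)}
```

Running `audit(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS)` returns one finding for the second key; on a real host you would feed it each user's authorized keys file and the fingerprints from your key inventory.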
Create a strategy to prevent these vulnerabilities
Whether a threat is designed to gain initial access to a target machine through SSH, insert attacker-owned keys for persistence or collect SSH keys to laterally move like a “worm” across the network, malware is developed with machine identity in mind.
What does this mean? Your security strategies must also be developed with machine identities in mind! As the vulnerabilities outlined above demonstrate, neglecting to properly manage and protect your SSH machine identities is too big a risk to take.
Secure your SSH machine identities today with Venafi SSH Protect!