Researchers continue to uncover new malware targeting SSH machine identities on Linux and Unix-based platforms every day. A recent new research by ESET unveils the details of a new multi-platform backdoor dubbed Kobalos, targeting Linux, FreeBSD, Solaris, and possibly AIX and Windows as well. The backdoor is designed to steal SSH machine identities and propagate through SSH.
The targets of Kobalos were in Europe, North America, and Asia and included high profile servers in academia (including high-performance computers), an endpoint security vendor, and a large ISP.
ESET researchers discovered an SSH machine identity stealer on compromised machines. It is plausible that the backdoor replaced the /usr/bin/ssh file with a modified executable—a trojanized OpenSSH client—that recorded SSH credentials and keys and target hostname and wrote them to an encrypted file.
According to the report, this may be one of the ways Kobalos propagates and can explain how numerous interconnected academic networks were compromised.
How can Venafi help?
Using Venafi SSH Protect to manage your SSH machine identities, you can discover all SSH machine identities in the environment, who they belong to and what they are used for. This comprehensive visibility will help you maximize threat detection in encrypted traffic, maintain active control over SSH keys and centralize your machine identity governance and administration.
Once you have a complete inventory of your SSH machine identities, you should map all trust relationships and identify and remove any orphaned and duplicate authorized keys. You should also ensure passphrase protection, key length and algorithms. Furthermore, you should assign ownership of all access granting keys, and monitor and analyze key-based access usage.
Here’s a list of actions you should take to protect your SSH machine identities.
- Control SSH identities and authorized keys
- Control SSH configuration files and known hosts files to prevent any tampering
- Implement clearly defined SSH key management policies
- Define SSH hardening configurations
- Create inventory and remediation policy
- Establish continuous monitoring and audit process
- Automate the whole process