A new, sophisticated type of open-source malware has slithered its way into the headlines: SSH-Snake.
Released on GitHub in January 2024, SSH-Snake is a “powerful tool designed to perform automatic network traversal using SSH private keys,” with the goal to create a thorough network map and identify how severely a network could be compromised using SSH credentials, according to the tool’s README file.
But although it was meant to be a legitimate tool for penetration testers and system administrators to track down SSH keys and reinforce defenses on critical systems, SSH-Snake is now favored by threat actors, who are exploiting known vulnerabilities, specifically in Confluence and Apache ActiveMQ systems, to gain initial access and deploy the malware. Although the attack isn’t necessarily exclusive to these targets, they make up the current majority.
So far, the list of victims has climbed to about 100, but it continues to grow because of SSH-Snake’s unique and stealthy composition, and because many organizations lack complete visibility and control over their SSH credentials.
What’s so unique about SSH-Snake?
As mentioned in the title of this article, SSH-Snake is a self-modifying, self-replicating type of malware. And it’s a dangerous one, because it targets Secure Shell (SSH) machine identities, which are a ubiquitous method of securing machine-to-machine connections for devices and systems like app servers, routers, firewalls, virtual machines and cloud environments.
What does this all mean for enterprise security, exactly? Let’s focus on the self-modifying aspect first.
Self-modification
When it first runs, SSH-Snake can shrink itself by removing code comments, unneeded functions and extraneous whitespace. In doing so, it avoids the typical patterns of scripted attacks and offers adversaries greater “stealth, flexibility, configurability and more comprehensive credential discovery.”
As a result, the malware becomes completely fileless and nearly undetectable, even though it starts out at more than 1,200 lines.
Self-replication
Befitting its herpetological namesake, SSH-Snake operates as a worm. Each time it gains access to a new system, it copies itself there and repeats the hunt for SSH keys; the operation doesn’t terminate until it has no further systems to reach or can no longer find any SSH credentials.
SSH-Snake is also device-agnostic, and completely customizable, as Sysdig reports.
A more detailed look at how SSH-Snake works
After being deployed on an initial system, SSH-Snake performs autonomously. Once the tool discovers an SSH credential, it attempts to log in to the target system, and it repeats this from every system it reaches in order to map the network.
SSH-Snake uses several methods to find keys, including reading and parsing files that reveal key locations, credentials and targets. From there, the tool can output victim IP addresses, SSH credentials and bash histories, which threat actors can also use to inform future attacks.
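As an added example (not code from the original post or from the SSH-Snake project), the following Python script performs the defender’s version of the credential discovery described above: it inventories private keys under a directory tree, checks whether each one is passphrase-protected (an unencrypted key is exactly what a worm can reuse without further effort), and lists the key paths referenced by `ssh -i` in shell histories, one of the sources such a tool parses. The home directory, history and key files it scans are constructed inside the script, and the key bodies are synthetic headers, not real keys; all function names are hypothetical.

```python
import base64, os, re, struct, tempfile
from pathlib import Path

PEM_HDR = re.compile(r"-----BEGIN (?P<kind>OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")
HIST_KEY = re.compile(r"\bssh\b[^\n]*?\s-i\s+(\S+)")  # 'ssh ... -i <keyfile>' in a shell history

def classify_key(text):
    """Return 'encrypted', 'unencrypted', or None if the text is not a private key."""
    m = PEM_HDR.search(text)
    if not m:
        return None
    if m.group("kind") != "OPENSSH":  # legacy PEM keys flag encryption in a header line
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    raw = base64.b64decode("".join(ln for ln in text.splitlines() if not ln.startswith("-----")))
    if not raw.startswith(b"openssh-key-v1\x00"):
        return None
    n = struct.unpack(">I", raw[15:19])[0]  # first length-prefixed field is the cipher name
    return "unencrypted" if raw[19:19 + n] == b"none" else "encrypted"

def key_refs_from_history(text):
    return HIST_KEY.findall(text)

def audit(root):
    """Walk root, classify every private key found and collect history key references."""
    found = {"unencrypted": [], "encrypted": [], "history_refs": []}
    for d, _, names in os.walk(root):
        for p in (Path(d, n) for n in names):
            data = p.read_text(errors="ignore")
            if p.name.endswith("_history"):
                found["history_refs"] += key_refs_from_history(data)
            kind = classify_key(data)
            if kind:
                found[kind].append(str(p.relative_to(root)))
    return found

def _fake_openssh_key(cipher):
    """Build only the header fields the parser reads (synthetic; not a usable key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    raw = b"openssh-key-v1\x00" + s(cipher.encode()) + s(b"bcrypt") + s(b"") + s(b"")
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(raw).decode()

def demo():
    """Constructed home directory: one unprotected key, two passphrase-protected, one history."""
    with tempfile.TemporaryDirectory() as root:
        ssh = Path(root, "home", "deploy", ".ssh")
        ssh.mkdir(parents=True)
        (ssh / "id_ed25519").write_text(_fake_openssh_key("none"))
        (ssh / "jump_key").write_text(_fake_openssh_key("aes256-ctr"))
        (ssh / "id_rsa").write_text("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
        (ssh.parent / ".bash_history").write_text("ls -la\nssh -i ~/.ssh/id_ed25519 app@10.0.0.12\nssh -p 2222 -i /opt/keys/ci_key ci@build01\n")
        return audit(root)
```

Run against a real /home or /root tree, `audit()` gives a first inventory of which keys on a host are reusable without a passphrase and which remote targets the histories point at, the same facts a worm would harvest and the starting point for the key-management work described later in this post.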
For a more technical deep dive into SSH-Snake’s capabilities, head over here.
How SSH machine identity management can help you avoid falling prey to SSH-Snake
SSH keys are used throughout enterprise environments to authenticate admins and machines for critical business functions. They can, and often do, grant root access to both systems and data.
But with so many SSH keys in rotation, it can be difficult for businesses to tightly control their use of these credentials. As a result, many struggle with key sprawl, lost credentials and missing security controls, which can lead to significant vulnerabilities on mission-critical systems.
Case-in-point: SSH-Snake. A lack of control over where SSH keys are used, how they’re used and by whom could further exacerbate the problems inherent with this new malware.
To combat these issues, maintaining comprehensive visibility over all machine identities in the enterprise, including SSH credentials, is vital. With SSH machine identity management, companies can automate lifecycles, including issuance, revocation and renewal (as SSH keys never expire); make rapid bulk replacements in the case of widescale vulnerabilities; and define and enforce policies to better protect enterprise systems.
Additionally, to keep up with enterprise scale—with some large businesses using SSH protocol across 1,000 systems or more—organizations need a single, unified platform to manage all types of machine identities across environments and teams.
Otherwise, without centralized oversight, every single SSH key in an organization has the potential to become a breach point.
“Evolutionary” malware requires revolutionary security
Sysdig has described SSH-Snake as an “evolutionary step” in malware advancement, but with careful orchestration of SSH credentials, organizations can avoid falling victim to this novel attack vector.
This isn’t the first time threat actors have taken advantage of a defense tool (Cobalt Strike is still a common tool for ransomware operations), but these unfolding developments display a pressing need for unified machine identity management.
And there’s no solution better equipped for that task than the Venafi Control Plane for Machine Identities. To learn more about how Venafi can help your organization secure all types of machine identities—regardless of type, number, or use case—read our Control Plane overview.