A new document dump by WikiLeaks describes two tools presumably used by the U.S. Central Intelligence Agency to steal targets' Secure Shell (SSH) credentials and keys. With the documentation for these utilities now public, it's more important than ever for companies to implement strong SSH key management.
In early July, WikiLeaks published a new round of documents for "Vault 7," its ever-evolving series of leaks pertaining to the CIA. This batch exposed the details of two hacking tools, one targeting Windows and the other Linux. Both utilities are capable of stealing SSH credentials, information that an unauthorized actor could leverage to gain remote access to business-critical systems and assets.
The first tool, known as BothanSpy, hooks into Xshell, a Windows terminal emulator and client for SSH, TELNET, and RLOGIN. Once it's inside that program, BothanSpy abuses that access to steal user credentials for active SSH sessions. It then either exfiltrates the data to a remote server or stores it as an encrypted file on disk for later collection.
The credentials targeted by BothanSpy depend on how each session authenticates: for password-authenticated SSH sessions it takes the username and password, and for public-key authentication it takes the username, the file name of the private SSH key, and the key's passphrase.
The second SSH-stealer exposed by WikiLeaks is called Gyrfalcon. To use this utility, an attacker must first acquire root privileges on a machine running Ubuntu, Debian, or another Linux distribution. They can then load the tool and use it to steal the same information targeted by BothanSpy, along with full or partial session traffic generated by the OpenSSH client. Gyrfalcon saves all this information locally as an encrypted file, allowing the attacker to exfiltrate the data at a later date.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, says the disclosure of BothanSpy and Gyrfalcon points to a worrying trend:
"Whether it's the CIA or NotPetya in Ukraine, considered by many a Russian cyber operation, nation states are seeking the most sensitive machine identities that can be used to surveil and potentially knock out businesses and governments. Many businesses – banks, retailers, transportation – that might not have considered themselves as targets, may now have to revise their thinking."
As their scope grows, attackers are going after and abusing SSH keys for malicious purposes. For instance, the attackers who turned off parts of Ukraine's power grid in December 2015 used a backdoor created by inserting a Russian-controlled SSH key. The Ukrainian cyberpolice no doubt had this type of attack in mind when it recently urged businesses to change out the machine identities that control authentication and encryption following the NotPetya outbreak.
But following the Ukrainian cyberpolice's warning isn't always easy. As Bocek explains:
"Unfortunately, almost all businesses, including the world's largest banks, retailers and transportation companies, have no idea what is happening with their machine identities – like TLS digital certificates and SSH keys. They also have no means to respond to weaknesses and change out vulnerable machine identities. This increases the likelihood of broader chaos – not just in the Ukraine but in Europe and North America."
To know what's happening with their machine identities, businesses need to implement strong SSH key management. That effort begins with discovering every key and certificate in their encryption environments: the private keys sitting on endpoints (and whether each one is protected by a passphrase, since both tools capture passphrases along with the keys), the public keys that servers accept in authorized_keys files, and who holds each of them. Once they have a comprehensive inventory, organizations can monitor their SSH keys and other assets for misuse, and they can change out any key that may have been exposed instead of leaving it trusted indefinitely.
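An added example of that discovery step, written for this page and not code from the original article or from Venafi: a Python script that walks a tree of home directories the way a fleet-wide inventory job would, classifies each private key as passphrase-protected or not (legacy PEM and openssh-key-v1 containers), computes OpenSSH-style SHA256 fingerprints for authorized_keys entries, notes entries with no from= or command= restriction, and reports public keys accepted under more than one user. It uses only the standard library. The user names, paths and key material are constructed for the demo: the private key files are syntactically valid containers with dummy bytes, not real keys, and the options parsing is deliberately simple (a quoted option containing a token that looks like a key type would confuse it).

```python
"""SSH key inventory audit (added example, not the article's or Venafi's code).
Walks home directories the way a fleet discovery job would: classifies private
keys as passphrase-protected or not (PEM and openssh-key-v1), fingerprints
authorized_keys entries, notes missing restrictions and keys shared across users."""
import base64, hashlib, os, re, struct, tempfile

# key type, base64 blob, optional comment; anything before the type is the options field
KEY_TYPE_RE = re.compile(r'(?:^|\s)((?:ssh-|ecdsa-|sk-)[\w@.-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$')

def ssh_string(b):
    """Length-prefixed string as used by the SSH wire format and openssh-key-v1."""
    return struct.pack(">I", len(b)) + b

def private_key_status(text):
    """Return 'encrypted', 'plaintext' or 'unknown' for the contents of a private key file."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        blob = base64.b64decode("".join(ln for ln in text.splitlines() if not ln.startswith("-----")))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return "unknown"
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        cipher = blob[len(magic) + 4:len(magic) + 4 + n]  # ciphername field; b"none" = no passphrase
        return "plaintext" if cipher == b"none" else "encrypted"
    if re.search(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text, re.M):  # legacy PEM
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "plaintext"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:  # PKCS#8
        return "encrypted"
    return "plaintext" if "-----BEGIN PRIVATE KEY-----" in text else "unknown"

def fingerprint(pubkey_b64):
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256 over the public key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(pubkey_b64)).digest()).decode().rstrip("=")

def parse_authorized_keys(text, owner):
    """Parse authorized_keys lines and note entries without from= or command= restrictions."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = KEY_TYPE_RE.search(line) if line and not line.startswith("#") else None
        if not m:
            continue
        ktype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
        options = line[:m.start(1)].strip()
        findings = [msg for cond, msg in (
            ("from=" not in options, "no from= source restriction"),
            ("command=" not in options, "no forced command"),
            (ktype == "ssh-dss", "deprecated DSA key")) if cond]
        entries.append({"owner": owner, "type": ktype, "fingerprint": fingerprint(blob),
                        "comment": comment, "options": options, "findings": findings})
    return entries

def audit_tree(root):
    """Inventory every private key and authorized_keys file below root (one subdir per user)."""
    report, seen = {"private_keys": [], "authorized_keys": []}, {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            owner = rel.split(os.sep)[0]
            with open(path, errors="replace") as fh:
                text = fh.read()
            if name == "authorized_keys":
                for e in parse_authorized_keys(text, owner):
                    report["authorized_keys"].append(e)
                    seen.setdefault(e["fingerprint"], set()).add(owner)
            elif "PRIVATE KEY-----" in text:
                report["private_keys"].append((rel, private_key_status(text)))
    report["shared"] = {fp: sorted(o) for fp, o in seen.items() if len(o) > 1}
    return report

def build_fixture(root):
    """Write constructed key material (dummy bytes, not real keys) under root."""
    pub = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)   # fake 32-byte ed25519 key
    pub_b64 = base64.b64encode(pub).decode()
    other_b64 = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 32)).decode()
    def openssh_private(cipher, kdf):  # openssh-key-v1 container; only the header is meaningful here
        body = (b"openssh-key-v1\x00" + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"")
                + struct.pack(">I", 1) + ssh_string(pub) + ssh_string(b"\x00" * 64))
        b64 = base64.b64encode(body).decode()
        return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
                + "\n-----END OPENSSH PRIVATE KEY-----\n")
    files = {
        "alice/.ssh/id_ed25519": openssh_private(b"none", b"none"),            # no passphrase
        "alice/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                             "-----END RSA PRIVATE KEY-----\n",
        "alice/.ssh/authorized_keys":
            f'from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-ed25519 {other_b64} backup@host\n'
            f"ssh-ed25519 {pub_b64} alice@laptop\n",
        "bob/.ssh/authorized_keys": f"ssh-ed25519 {pub_b64} alice@laptop\n",  # same key copied to bob
        "svc/.ssh/id_ed25519": openssh_private(b"aes256-ctr", b"bcrypt"),      # passphrase-protected
    }
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)

def run_demo():
    """Build the fixture in a temp dir, audit it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return audit_tree(root)

if __name__ == "__main__":
    rep = run_demo()
    for rel, status in rep["private_keys"]:
        print(f"[private] {rel}: {status}")
    for e in rep["authorized_keys"]:
        print(f"[authz] {e['owner']}: {e['type']} {e['fingerprint']} {e['comment']} -> {'; '.join(e['findings']) or 'restricted'}")
    for fp, owners in rep["shared"].items():
        print(f"[shared] {fp} accepted by {owners}")
```

Run as a script it audits the constructed fixture and prints one line per finding; pointed at a copy of a fleet's home directories (collected with whatever configuration-management or EDR channel already exists), `audit_tree` produces the inventory the article calls for: the plaintext `id_ed25519` is exactly the kind of file BothanSpy and Gyrfalcon harvest with no passphrase to capture, the key accepted under both alice and bob is one that cannot be rotated for one user without the other, and the fingerprints give you a stable identifier to correlate against `sshd` authentication logs when monitoring for misuse.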