Our Security Partner, Jisc, has seen a rise in compromised hosts and networks via globally exposed SSH services. In particular, a trend has been spotted of attacks on Linux servers that leverage misconfigured SSH, which is often used to facilitate crypto-miners, spread malware, and orchestrate other malicious activity.
However, in recent months we have also seen SSH used by threat actors in more lucrative ways, including but not limited to data exfiltration, credential stealing, lateral movement, brute-force attacks, and facilitating backdoor access.
Some examples of successful malware campaigns which leverage SSH capabilities are:
- TrickBot. TrickBot has SSH key-grabbing capabilities for both PuTTY (an SSH client for Windows) and OpenSSH. In addition to targeting keys, the malware is designed to look for hostname and username information for lateral movement and has been known to drop other malware, including ransomware.
- CryptoSink. This cryptomining campaign exploits a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems on both Windows and Linux platforms to mine XMR cryptocurrency. CryptoSink creates a backdoor to the targeted server by adding the attacker’s public key to the authorized_keys file on the victim’s machine.
- Linux Worm. This worm targets vulnerable Exim mail servers on Unix-like systems to deliver Monero cryptominers. The worm creates a backdoor to the server by adding the attacker’s public key to the authorized_keys file and enabling the SSH server if it had previously been disabled.
- Skidmap. This kernel-mode rootkit gains backdoor access to a targeted machine by adding the attacker’s public SSH key to the authorized_keys file. Skidmap uses exploits, misconfigurations, or exposure to the internet to gain root or administrative access to the system and drop cryptomining malware.
Other campaigns include Dota, Kerberods, and MacOS Bundlore.
Why is this important?
SSH is often used to facilitate remote connections and automate processes within networks. More often than not, this service grants privileged access to an organisation’s most critical systems, including servers and databases, making it a highly valuable target for attackers.
How to protect against SSH abuse?
- Evaluate how many hosts and services use SSH and expose it globally. Where possible, the service should be controlled by ACLs and locked down so that only approved source networks can connect.
- Protecting any remote authentication with MFA is always recommended, and securing SSH access behind a VPN tunnel is also an option to consider.
- To further improve on this, it is recommended to have complete visibility over every authorized SSH key used by the organisation. It is worth noting that attackers may not only abuse existing machine identities but may also insert their own SSH machine identities into target environments.
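One way to get that visibility, and to catch the authorized_keys backdoor technique described in the CryptoSink, Linux Worm and Skidmap entries above, is to inventory every key that grants access and flag anything not on the approved list. The script below is an added example, not part of this advisory or any Jisc tooling: it parses authorized_keys entries (including the quoted option prefix), computes OpenSSH-style SHA256 fingerprints, and reports keys missing from an approved inventory or lacking a from= source restriction. The sample file contents, the approved-fingerprint set and the key blobs are constructed for illustration and are not real keys.

```python
import base64
import binascii
import hashlib
import struct

# Key types the audit accepts; the declared type must also match the type
# encoded inside the key blob itself.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    raw = base64.b64decode(blob_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def _split_fields(line):
    """Split on whitespace, but keep quoted option values (which may contain spaces) intact."""
    fields, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch.isspace() and not in_quote:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def parse_authorized_keys_line(line):
    """Return a dict with options/type/blob/comment, or None for blank and comment lines.
    Raises ValueError for anything that is not a well-formed authorized_keys entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_fields(line)
    if fields[0] in KEY_TYPES:
        options, rest = "", fields
    else:
        options, rest = fields[0], fields[1:]
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    keytype, blob = rest[0], rest[1]
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64 in key blob: %s" % exc)
    # The blob starts with the key type as an SSH string (uint32 length + bytes).
    if not raw.startswith(struct.pack(">I", len(keytype)) + keytype.encode()):
        raise ValueError("declared key type does not match key blob")
    return {"options": options, "type": keytype, "blob": blob,
            "comment": " ".join(rest[2:])}


def audit(lines, approved_fingerprints):
    """Return one finding per problematic line: unknown keys, keys without a
    from= source restriction, and lines that do not parse at all."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            entry = parse_authorized_keys_line(line)
        except ValueError as exc:
            findings.append({"line": n, "problems": ["unparseable: %s" % exc]})
            continue
        if entry is None:
            continue
        fp = fingerprint(entry["blob"])
        problems = []
        if fp not in approved_fingerprints:
            problems.append("unknown key")
        if "from=" not in entry["options"]:
            problems.append("no from= source restriction")
        if problems:
            findings.append({"line": n, "fingerprint": fp,
                             "comment": entry["comment"], "problems": problems})
    return findings


def _ed25519_blob(pubkey32):
    """Build a syntactically valid ssh-ed25519 blob from 32 arbitrary bytes (constructed, not a real key)."""
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey32
    return base64.b64encode(wire).decode()


# Constructed sample data: one approved deployment key, one key nobody inventoried.
APPROVED_KEY = _ed25519_blob(bytes(range(32)))
ROGUE_KEY = _ed25519_blob(bytes(range(100, 132)))
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_KEY)}
SAMPLE_AUTHORIZED_KEYS = [
    "# deploy keys (constructed sample file)",
    'from="10.0.0.0/8",no-pty,command="/usr/local/bin/backup" ssh-ed25519 '
    + APPROVED_KEY + " backup@build01",
    "ssh-ed25519 " + ROGUE_KEY + " root@unknown",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(finding)
```

Run against real files by reading each user's authorized_keys (and any AuthorizedKeysFile locations set in sshd_config) into `audit()` with the fingerprints from your key inventory. The fingerprints it computes are the same SHA256 form that `ssh-keygen -lf authorized_keys` prints, so the two can be cross-checked, and a new fingerprint appearing between two runs is exactly the signal the campaigns above would leave behind.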
If you have any questions or concerns about this advisory, please contact us via our support desk – email@example.com