SSH and RDP provide remote server access (Linux and Windows respectively) for administration. Both protocols are vulnerable to brute-force attacks if strong passwords and access controls are not used.
Attackers scan for exposed SSH ports (default 22) and attempt unauthorized logins to gain control of the server. Once in, they can deploy malware, steal data, and use SSH to move laterally within a compromised network.
Hackers Exploit Linux SSH Services
Attackers scan for open port 22 (SSH) using port scanners and banner grabbers to identify potential targets. They then use SSH dictionary attack tools to try various username and password combinations from a wordlist to gain access to Linux systems.
Successful logins enable them to pilfer configuration data and potentially install malware to exploit additional vulnerable systems. Researchers detect these attacks by monitoring for repeated login failures.
Attackers exploit weak SSH configurations to access systems. Once they compromise an initial server, malware like Kinsing can self-propagate by using stolen credentials to launch scans and dictionary attacks on other vulnerable machines.
This process enables attackers to extend their reach and potentially establish a network of infected devices for further malicious activities.
Security solutions can monitor SSH connections for suspicious commands, aiding administrators in identifying and halting such attacks before they propagate.
Kinsing malware uses SSH key-based authentication for lateral movement. Its “spre.sh” script extracts hostnames, ports, usernames, and key file locations from SSH configuration files and credential caches on infected systems.
Subsequently, it iterates through this data, attempting SSH logins with each key-user combination. Upon successful login, the script utilizes curl or wget to download and execute a malicious downloader script, further spreading Kinsing across the network.
ASEC outlines a data collection strategy to identify potential SSH propagation points, focusing on system files and processes containing usernames, SSH hostnames, and public key locations.
The collector searches for SSH configuration files (/.ssh/config), bash history (/.bash_history), system hosts file (/etc/hosts), known SSH hosts (/.ssh/known_hosts), and processes connected to port 22.
To identify users, it looks for private keys (*/id_rsa and /.bash_history) and public keys (/.ssh/config, */.bash_history, and *.pem), aiming to gather evidence of established SSH connections and credentials for potential spread across a network.
Malicious lateral movement attempts are identified by monitoring file access behavior, particularly instances where a single process reads both a system log file and an SSH key file.
This combination suggests potential malware trying to gather user login credentials from logs and then use SSH keys to spread to other machines on the network.
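The detection rule described above, applied to a constructed set of file-access events, as an added example that is not from the article or the ASEC report. The event tuples, the process names and the path patterns are assumptions for illustration; the rule flags any process that reads a file under /var/log/ and an SSH private key file, and also records whether it touched the host sources (config, known_hosts, bash history, /etc/hosts) the text lists.

```python
import re
from collections import defaultdict

# Constructed sample of (pid, process name, path read) events; not real audit data.
EVENTS = [
    (101, "rsyslogd", "/var/log/auth.log"),
    (202, "sshd", "/home/alice/.ssh/authorized_keys"),
    (303, "spre.sh", "/var/log/secure"),
    (303, "spre.sh", "/home/alice/.ssh/known_hosts"),
    (303, "spre.sh", "/home/alice/.ssh/id_rsa"),
    (404, "bash", "/home/bob/.bash_history"),
    (404, "bash", "/home/bob/.ssh/config"),
]

# Path classes (assumed patterns): system logs, SSH private keys, SSH host/user sources.
LOG_RE = re.compile(r"^/var/log/")
KEY_RE = re.compile(r"(/\.ssh/id_[a-z0-9]+$|\.pem$)")
HOST_SOURCE_RE = re.compile(r"(/\.ssh/(config|known_hosts)$|/\.bash_history$|^/etc/hosts$)")


def classify(path):
    """Map a file path to 'log', 'key', 'hosts' or None."""
    if LOG_RE.search(path):
        return "log"
    if KEY_RE.search(path):
        return "key"
    if HOST_SOURCE_RE.search(path):
        return "hosts"
    return None


def find_suspicious(events):
    """Return {pid: (process, categories)} for processes that read both a log and a key file."""
    seen = defaultdict(lambda: [None, set()])
    for pid, proc, path in events:
        seen[pid][0] = proc
        category = classify(path)
        if category:
            seen[pid][1].add(category)
    # The log+key combination is the signal; 'hosts' is kept as supporting context.
    return {pid: (proc, cats) for pid, (proc, cats) in seen.items() if {"log", "key"} <= cats}


if __name__ == "__main__":
    for pid, (proc, cats) in find_suspicious(EVENTS).items():
        print(f"pid {pid} ({proc}) read {sorted(cats)}: possible SSH credential harvesting")
```

Only pid 303 is flagged; the bash session that read its own history and SSH config (pid 404) never touched a log or a key, so the rule stays quiet for it.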