Threat actors exploit SSH credentials to gain unauthorized access to systems and networks, executing malicious activities by leveraging weak or compromised credentials.
The misuse of SSH credentials offers a covert entryway for threat actors to compromise and commandeer targeted systems.
On January 4th, 2024, the Sysdig Threat Research Team (TRT) unearthed a network mapping tool named SSH-Snake, deployed as a self-propagating worm.
The tool was discovered exploiting SSH credentials in its propagation, presenting a substantial threat to network security that requires careful handling.
It actively seeks out credentials and shell history to target its next victims, with threat actors presently leveraging the SSH-Snake malware.
SSH-Snake Malware
Following initial system access, attackers frequently employ lateral movement techniques to locate and access additional targets. Earlier studies have revealed a worm that actively seeks SSH credentials to establish connections and perpetuate its activities.
SSH-Snake excels in lateral movement, particularly in discovering private keys. Its ability to evade scripted attack patterns grants it stealthiness, flexibility, configurability, and superior credentials discovery capabilities. In comparison to typical SSH worms, it operates with higher efficiency and success rates.
The SSH-Snake malware streamlines network traversal using unearthed SSH private keys, meticulously mapping out network connections and dependencies.
An automated bash script independently scavenges SSH credentials from the system by logging into targets and perpetuating the process. These findings, however, significantly bolster threat actors’ ongoing operations.
SSH-Snake dynamically adjusts its size through self-modification, eliminating comments, whitespace, and redundant functions to facilitate fileless operations.
Originally, it assumes a larger form to accommodate enhanced functionality, operating on any device through self-replication while remaining fileless.
Automating the arduous process of SSH-connected system discovery, SSH-Snake conserves time and effort.
Below are the automated tasks performed by SSH-Snake:
- Search for SSH private keys on the current system.
- Identify potential hosts or destinations (user@host) where the private keys could be accepted.
- Attempt SSH connections to all identified destinations using the discovered private keys.
- If a successful connection is established, repeat steps #1 – #4 on the connected-to system.
The malware employs diverse methods to hunt for various types of private keys on the target system. It scans the bash history for SSH-related commands, thus exposing key locations and credentials.
Sysdig TRT identified the Command and Control (C2) server used by the perpetrators of SSH-Snake. This server stores SSH-Snake’s output for each target, aiding in the identification of victim IPs.
CNCF incubates Falco, providing real-time alerts for cloud-native anomalies. Users can deploy default or custom rules effortlessly, detecting SSH-Snake with default rules or crafting new ones for improved detection. SSH-Snake boosts threat actor capabilities by exploiting SSH keys to evade static detection.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment