What is this about - the tech bit
Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency. Researchers at Dr.Web found a malicious cryptominer called Monero that is specifically designed for Linux machines.This shell script opens a backdoor for the attacker to execute commands. It is also designed to gain root shell access where it can monitor and steal users’ passwords when they execute su commands.
Why is this serious?
With found credentials, the attacker can pivot throughout the environment using the SSH protocol to find additional machines it can take control over as well. With pivoting, the attacker gains access to one server which can then provide the credentials needed to access additional servers within the environment. There are a couple of reasons why this is possible.
- SSH keys provide access to other servers in the infrastructure, depending on the configuration of the infected user’s SSH key. If the infected user has configured his or her SSH key to provide root access to another machine, the attacker can gain the same root level access to the target host.
- Connections established using SSH keys are encrypted making the attacker invisible inside the network.
- If the key is already inside your network, it might be considered legitimate by your security controls.
- By executing su commands, the attacker might be able to switch from one account to another to impersonate legitimate users.
Let’s say that original intention of the attack was to overtake system resources, such as processing power, which in turn will result in a sophisticated DDOS attack. But getting hold of an organization’s SSH keys gives the attacker access to much more than just system resources. Now with access to root and the credentials of other accounts, the attacker can also view and steal any data found on these hijacked Linux machines. Depending on the type of enterprise, this data can include credit card, health, insurance or any other highly sensitive or personally identifiable information.
How prevalent is the SSH protocol?
Pivoting using SSH is a serious threat in almost any organization, and is often very easy for a hacker to accomplish. Most organizations have SSH keys scattered about their environment which are intended for non-interactive usage, such as automated transfers, monitoring tools to run commands to gather metrics, as well as many other process-driven use cases. SSH keys are the perfect credential for such uses, but it also makes it a perfect credential for an attack. The application and system accounts that use these keys have some of the highest privileges on these machines, and most likely their SSH keys are not being properly managed. Based on our findings, big enterprises might have hundreds of thousands of keys that are unmanaged and untracked. That is a lot of attack surface to exploit for a bad actor if all you need is one SSH key to get the ball rolling.
Recommended steps to mitigate the risk
- Much like passwords and certificates, rotate and de-provision SSH keys when no longer needed.
- Use command and source restrictions: secure mechanisms that are built into SSH keys. These are very useful to limit the ability for a bad actor to use an SSH key for anything other than what it was intended for.
- Remove unused keys. Most organizations are adamant about removing any user accounts when an employee leaves or an application is removed, but there is almost never a process to remove any SSH keys tied to them.
Doing these things might not prevent an attacker from gaining access to a machine, but they will help in preventing the attack from becoming widespread.
This is not the first time that the SSH protocol has been targeted. Learn how GoScanSSH and Prowli attack enterprise servers.
We can also help you asses your SSH key security risks. It won’t take much of your time.