The cost of poorly protected device identities has long been assumed, but not proven, to be large. Breach reports rarely specify the part played by SSH abuse, even though attackers use compromised machine identities to hide their malicious activity, evade security controls and steal a wide range of confidential data.
Now risk modeling and data analytics specialist AIR Worldwide has applied its expertise to assessing the cost of poorly protected device credentials. In a report sponsored by cryptographic key and digital certificate management firm Venafi, AIR Worldwide suggests the cost to U.S. business is between $15 billion and $21 billion, or between 9% and 13% of the total U.S. economic loss caused by cyber events (estimated to be $163 billion).
AIR and Venafi refer to devices as “machine identities” in the report.
“When machine identities are poorly managed and weakly protected,” warns the report, “they become prime targets for cyber attackers who can use them to gain and maintain unauthorized access to network assets and data, impersonate trusted machines and applications, hide malicious activities and exfiltrate stolen data while remaining undetected. Any of these activities by cyber attackers can result in economic damage to organizations.”
“Unfortunately,” comments Kevin Bocek, VP security strategy and threat intelligence at Venafi, “many businesses are relying on processes and techniques from over 20 years ago, which poorly protect machine identities and, as AIR Worldwide found, can result in billions of dollars of losses. Digital transformation is dependent on cloud, microservices and APIs, and all of this requires the authentication and privacy that machine identities provide. Cybercriminals understand that breaking this link means hitting the jackpot.”
The model used by AIR Worldwide to calculate its figures is complex, but described in detail within the report. It took its data sources from publicly reported historical cyber events; from firmographic information from all U.S. businesses providing name, sector, employee count and revenue; and from technographic data sets that provided information on technologies employed, the cyber supply chain, management of computer assets and security rating.
“AIR Worldwide’s estimates,” explains Venafi, “were obtained by combining cyber event data sets with assessments of upward of 100,000 firms’ performance in various areas of cybersecurity. It gave security ratings that assessed the management of cybersecurity, such as proper configuration and management of SSL/TLS certificates; user behavior, such as use of file-sharing services and protocols like torrent; and indicators of compromise, such as communications to botnet command and control servers.”
The cost of abused SSH keys to business is likely to get worse before it gets better. As digital transformation speeds up within businesses, more and more machines are being interconnected — and their communication is being protected by SSL/TLS encryption. The keys to that encryption are not, however, being adequately protected.
“There’s an interesting human and cross-functional dynamic in play here,” Bocek told SecurityWeek. “SSH is the domain of engineers and infrastructure teams that operate the vast army of virtual machine and cloud instances — not security teams. So, the SSH keys are in many ways a secret that the engineering teams have wanted to keep from security teams because the last thing you want as an engineer is to have an outsider controlling things. Security teams have a policy, and engineering teams don’t wish to be bound by it.”
Putting this in context, he added, “We worked with one airline and found more than 4 million SSH keys on its systems. They had no idea who had access or which machines many of the keys accessed despite them being used for really sensitive flight operations. We’ve been able to reduce that number to just a couple of hundred thousand.”
As business transformation proceeds, and enterprises have more and more machines communicating directly and unattended — including across the IT/OT boundary — the threat and cost of stolen SSH keys will only increase. “While investigating the attack surface against machine identities, especially SSH,” Yana Blachman, a threat intelligence expert at Venafi, told SecurityWeek, “I noticed that throughout 2019 there was a big increase in the exploitation of SSH keys. Threat actors started adding SSH capabilities to existing commodity malware.”
TrickBot is a good example. “Last year, TrickBot added credentials-grabbing capabilities for both PuTTY (SSH client for Microsoft) and OpenSSH. In addition to targeting credentials, the malware is designed to look for hostname and username information for lateral movement,” says Venafi.
Other examples of bad actors increasingly hunting for and exploiting machine identities can be found in CryptoSink (which creates a backdoor to the targeted server by adding the attacker’s public key to the authorized key file on the server); Linux Worm (which creates a backdoor to the server by adding its own SSH public key and enabling the SSH server, if it is disabled); and Skidmap (which gains backdoor access by adding the attacker’s public SSH key to the authorized key file).
“In the wrong hands,” Blachman said, “SSH keys will provide access to the most valuable assets and critical systems within an enterprise, including servers and databases. This makes them highly valuable to an attacker. Various different campaigns including spam and cryptomining campaigns and banking trojan campaigns have been using or adding SSH key stealing capabilities — as well as adding the attackers’ keys to the system to maintain persistence. In the past, SSH was largely used by APTs and nation state actors for persistence and lateral movement, but more recently this technique has trickled downward to the basic cybercriminal level.”
Once an SSH key has been stolen, it can be sold on the dark web as a backdoored system. Venafi expects to see a new dark web market selling SSH keys evolve, just as there already exists a market for stolen passwords and RDP keys. “One of the drawbacks,” added Bocek, “is that SSH keys do not expire. If you are an attacker and can steal one, you have the opportunity for a backdoor for a very long time.”
“SSH keys can dramatically increase attackers’ ability to cause harm, so any malware that allows them to leverage SSH capabilities should be a real concern to organizations,” added Blachman. “As these capabilities become increasingly accessible, it’s vital that organizations get their houses in order. The only way to defend against these attacks is to have visibility and intelligence on how SSH machine identities are being used, so that malicious actors can be detected faster.”
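The persistence technique described above (CryptoSink, Linux Worm and Skidmap appending a public key to the authorized key file) and the visibility Blachman calls for both come down to one control: knowing which keys are authorized and noticing when an unknown one appears. The following is an added example, not code from the report, Venafi or SecurityWeek; it assumes an out-of-band inventory of approved SHA256 fingerprints, parses `authorized_keys` entries (including leading option strings) and flags any key the inventory does not list. The sample file and key blobs are constructed inline.

```python
from __future__ import annotations
import base64
import hashlib
import shlex
import struct
from dataclasses import dataclass

# Key-type prefixes OpenSSH accepts in authorized_keys; used to find the key token.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-")

@dataclass
class Entry:
    options: str      # leading restrictions such as from="..." or no-pty ("" if none)
    key_type: str
    fingerprint: str  # OpenSSH-style SHA256 fingerprint, e.g. "SHA256:..."
    comment: str

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 public-key blob, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list[Entry]:
    """Parse every non-comment line; options may precede the key type."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted option values such as from="10.0.0.0/8" intact
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; a real audit should report it rather than skip it
        entries.append(Entry(options=" ".join(tokens[:idx]), key_type=tokens[idx],
                             fingerprint=fingerprint(tokens[idx + 1]),
                             comment=" ".join(tokens[idx + 2:])))
    return entries

def audit(text: str, inventory: set[str]) -> list[Entry]:
    """Return entries whose fingerprint is not in the approved inventory."""
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in inventory]

def ed25519_blob(pubkey: bytes) -> str:
    """Constructed helper: wrap 32 raw bytes in the OpenSSH Ed25519 wire format."""
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey
    return base64.b64encode(wire).decode()

# Constructed sample: two inventoried keys plus one appended without a comment.
APPROVED_BLOB, ROTATED_BLOB, ROGUE_BLOB = (ed25519_blob(bytes(range(32))),
                                           ed25519_blob(bytes(range(32, 64))),
                                           ed25519_blob(b"\xff" * 32))
SAMPLE_AUTHORIZED_KEYS = f"""# deploy keys managed by ops
from="10.0.0.0/8",no-pty ssh-ed25519 {APPROVED_BLOB} deploy@ci
ssh-ed25519 {ROTATED_BLOB} backup@nas
ssh-ed25519 {ROGUE_BLOB}
"""
INVENTORY = {fingerprint(APPROVED_BLOB), fingerprint(ROTATED_BLOB)}
```

Run `audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY)` on each host's real files and the rogue entry is the only one returned; because SSH keys never expire on their own, pairing this with a recorded creation date per fingerprint is what lets the inventory also flag keys that have outlived their intended use.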