Threat Actors Quick to Abuse ‘SSH-Snake’ Worm-Like Tool

Threat actors are actively deploying the recently released self-replicating and self-propagating SSH-Snake worm.

Approximately 100 organizations have had their SSH credentials stolen using a recently released open source pentesting tool that has worm-like capabilities, cloud security firm Sysdig reports.

The tool, called SSH-Snake and developed by Australian security researcher Joshua Rogers, was released in January to enable automatic network traversal using SSH keys harvested from the local systems.

SSH-Snake, the developer says, is a Bash script intended to find SSH keys on systems and create a map of a network and its dependencies: the relationships between systems connected via SSH, and the extent to which the network can be compromised using SSH keys.

The script also provides various features, settings, and outputs, and can be customized to search for private keys and the destinations they could be used for. It allows administrators to better understand their network, and the option to print the identified private keys can be disabled.
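
The kind of map described above can be built for a defensive audit from inventory data alone. The following is an added example, not code from the article or from SSH-Snake: it takes a constructed inventory of which accounts hold which private keys and which accounts authorize them, and computes how far key-based access extends from one compromised account. All account names and fingerprints are made up.

```python
from collections import deque

# Constructed inventory (illustrative only): fingerprints of private keys found
# in each account, and fingerprints listed in each account's authorized_keys.
PRIVATE_KEYS = {
    "admin@jump01": {"fp-E"},
    "deploy@ci01": {"fp-A", "fp-B"},
    "app@web01": {"fp-C"},
    "backup@bak01": {"fp-D"},
    "root@db01": set(),
}
AUTHORIZED_KEYS = {
    "deploy@ci01": {"fp-E"},
    "app@web01": {"fp-A"},
    "root@db01": {"fp-B", "fp-C"},
    "backup@bak01": {"fp-C"},
}

def key_edges(private_keys, authorized_keys):
    """Map each account to the (destination, fingerprint) pairs its keys unlock."""
    edges = {}
    for src, held in private_keys.items():
        for dst, allowed in authorized_keys.items():
            if src != dst:
                for fp in held & allowed:
                    edges.setdefault(src, set()).add((dst, fp))
    return edges

def blast_radius(start, edges):
    """Breadth-first search: accounts reachable from start, with hop counts."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, _fp in sorted(edges.get(cur, ())):
            if dst not in hops:
                hops[dst] = hops[cur] + 1
                queue.append(dst)
    del hops[start]
    return hops

def keys_to_rotate(start, edges):
    """Fingerprints that grant access anywhere along the paths from start."""
    accounts = {start, *blast_radius(start, edges)}
    return {fp for acct in accounts for _dst, fp in edges.get(acct, ())}

EDGES = key_edges(PRIVATE_KEYS, AUTHORIZED_KEYS)
```

In this sample, a foothold on `admin@jump01` reaches every other account within three hops, while `fp-D` unlocks nothing and so never appears in the rotation set.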

However, as Rogers points out, SSH-Snake is intended for hacking purposes and acts like a worm.

“It’s completely self-replicating and self-propagating — and completely fileless. In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can,” Rogers notes.

In fact, SSH-Snake’s main characteristics have already appealed to threat actors, who have started using it in malicious attacks. Sysdig has observed attackers exploiting Confluence vulnerabilities for initial access to corporate networks and then deploying SSH-Snake to harvest credentials and move laterally.

The analysis of the attackers’ command-and-control (C&C) server has revealed that the information collected using SSH-Snake included credentials, IP addresses, and the bash history of the victims.

“We are witnessing the victim list growing, which means that this is an ongoing operation. At the time of writing, the number of victims is approximately 100,” Sysdig says.

The cybersecurity firm also notes that SSH-Snake avoids detectable patterns associated with scripted attacks, offering increased stealth compared to other SSH malware. However, its activity can be identified using a runtime threat detection tool.

“SSH-Snake is an evolutionary step in the malware commonly deployed by threat actors. It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold,” Sysdig notes.

Responding to a SecurityWeek inquiry, Rogers pointed out that administrators can use SSH-Snake itself to determine if their networks are susceptible to compromise, and that organizations should invest more in proactive security than in being reactive to security incidents.

“I believe the focus on SSH-Snake being used by cyber terrorists is misdirected: it simply automates what a human can already do. Instead, the focus should be on organizations that refuse to take security seriously, and reward those that negligently build infrastructure which can be taken over with a simple shell script. There’s no secret sauce, tricks, or exploits utilized by SSH-Snake: it simply capitalizes on security mis-architecture.

At the moment, I’m not aware of the size of the infrastructures that have been breached (of the 100 organizations). It would be interesting to see how far the snake has slithered. If I was an organization that had been deeply compromised by SSH-Snake, I would look to security professionals to assist in a complete re-architecture of the systems, as the original architects would have clearly failed if their mission was to create a sane, resilient, and secure infrastructure.

For example, if an organization’s whole network can be seized by someone running a single shell script, does this not indicate the lack of sanity in the creation of the infrastructure itself? I believe engineers should at least be held slightly accountable for their creations, much like bridges and buildings.

Luckily for infrastructure administrators worried about their network being taken over by my script, they have a handy tool that they can use to determine if their infrastructure is susceptible to attackers using SSH-Snake: SSH-Snake itself. For any infrastructure owners or maintainers worried about their systems being taken over by SSH-Snake, I implore them to utilize SSH-Snake themselves in their own infrastructure to discover the attack paths that exist – and fix them.”

*Updated with statement from Joshua Rogers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.