Approximately 100 organizations have had their SSH credentials stolen using a recently released open source pentesting tool that has worm-like capabilities, cloud security firm Sysdig reports.
The tool, called SSH-Snake and developed by Australian security researcher Joshua Rogers, was released in January to enable automatic network traversal using SSH keys harvested from the local systems.
SSH-Snake, the developer says, is a Bash script intended to find SSH keys on systems and create a map of a network and its dependencies, the relationships between systems connected via SSH, and to which extent the network can be compromised using SSH keys.
The script also provides various features, settings, and outputs, and can be customized to search for private keys and the destinations they could be used for. It allows administrators to better understand their network and the option to print the identified private keys can also be disabled.
However, as Rogers points out, SSH-Snake is intended for hacking purposes and acts like a worm.
“It’s completely self-replicating and self-propagating — and completely fileless. In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can,” Rogers notes.
In fact, SSH-Snake’s main characteristics have already appealed to threat actors, who started using it in malicious attacks, and Sysdig has observed attackers exploiting Confluence vulnerabilities for initial access to corporate networks and deploying SSH-Snake to harvest credentials and move laterally.
The analysis of the attackers’ command-and-control (C&C) server has revealed that the information collected using SSH-Snake included credentials, IP addresses, and the bash history of the victims.
“We are witnessing the victim list growing, which means that this is an ongoing operation. At the time of writing, the number of victims is approximately 100,” Sysdig says.
The cybersecurity firm also notes that SSH-Snake avoids detectable patterns associated with scripted attacks, offering increased stealth compared to other SSH malware. However, its activity can be identified using a runtime threat detection tool.
“SSH-Snake is an evolutionary step in the malware commonly deployed by threat actors. It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold,” Sysdig notes.
Responding to a SecurityWeek inquiry, Rogers pointed out that administrators can use SSH-Snake itself to determine if their networks are susceptible to compromise, and that organizations should invest more in proactive security than in being reactive to security incidents.
“I believe the focus on SSH-Snake being used by cyber terrorists is misdirected: it simply automates what a human can already do. Instead, the focus should be on organizations that refuse to take security seriously, and reward those that negligently build infrastructure which can be taken over with a simple shell script. There’s no secret sauce, tricks, or exploits utilized by SSH-Snake: it simply capitalizes on security mis-architecture.
At the moment, I’m not aware of the size of the infrastructures that have been breached (of the 100 organizations). It would be interesting to see how far the snake has slithered. If I was an organization that had been deeply compromised by SSH-Snake, I would look to security professionals to assist in a complete re-architecture of the systems, as the original architects would have clearly failed if their mission was to create a sane, resilient, and secure infrastructure.
For example, if an organization’s whole network can be seized by a someone running a single shell script, does this not indicate the lack of sanity in the creation of the infrastructure itself? I believe engineers should at least be held slightly accountable for their creations, much like bridges and buildings.
Luckily for infrastructure administrators worried about their network being taken over by my script, they have a handy tool that they can use to determine if their infrastructure is susceptible to attackers using SSH-Snake: SSH-Snake itself. For any infrastructure owners or maintainers worried about their systems being taken over by SSH-Snake, I implore them to utilize SSH-Snake themselves in their own infrastructure to discover the attack paths that exist – and fix them.”
*Updated with statement from Joshua Rogers
Related: Russia’s LitterDrifter USB Worm Spreads Beyond Ukraine
Related: P2PInfect: New Peer-to-Peer Worm Targeting Redis Servers
Related: Hunter-Killer Malware Tactic Growing: Stealthy, Persistent and Aggressive