Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Threat Actors Quick to Abuse ‘SSH-Snake’ Worm-Like Tool

Threat actors are actively deploying the recently released self-replicating and self-propagating SSH-Snake worm.

Approximately 100 organizations have had their SSH credentials stolen using a recently released open source pentesting tool that has worm-like capabilities, cloud security firm Sysdig reports.

The tool, called SSH-Snake and developed by Australian security researcher Joshua Rogers, was released in January to enable automatic network traversal using SSH keys harvested from the local systems.

SSH-Snake, the developer says, is a Bash script intended to find SSH keys on systems and create a map of a network and its dependencies, the relationships between systems connected via SSH, and to which extent the network can be compromised using SSH keys.

The script also provides various features, settings, and outputs, and can be customized to search for private keys and the destinations they could be used for. It allows administrators to better understand their network and the option to print the identified private keys can also be disabled.

However, as Rogers points out, SSH-Snake is intended for hacking purposes and acts like a worm.

“It’s completely self-replicating and self-propagating — and completely fileless. In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can,” Rogers notes.

In fact, SSH-Snake’s main characteristics have already appealed to threat actors, who started using it in malicious attacks, and Sysdig has observed attackers exploiting Confluence vulnerabilities for initial access to corporate networks and deploying SSH-Snake to harvest credentials and move laterally.

The analysis of the attackers’ command-and-control (C&C) server has revealed that the information collected using SSH-Snake included credentials, IP addresses, and the bash history of the victims.

Advertisement. Scroll to continue reading.

“We are witnessing the victim list growing, which means that this is an ongoing operation. At the time of writing, the number of victims is approximately 100,” Sysdig says.

The cybersecurity firm also notes that SSH-Snake avoids detectable patterns associated with scripted attacks, offering increased stealth compared to other SSH malware. However, its activity can be identified using a runtime threat detection tool.

“SSH-Snake is an evolutionary step in the malware commonly deployed by threat actors. It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold,” Sysdig notes.

Responding to a SecurityWeek inquiry, Rogers pointed out that administrators can use SSH-Snake itself to determine if their networks are susceptible to compromise, and that organizations should invest more in proactive security than in being reactive to security incidents.

“I believe the focus on SSH-Snake being used by cyber terrorists is misdirected: it simply automates what a human can already do. Instead, the focus should be on organizations that refuse to take security seriously, and reward those that negligently build infrastructure which can be taken over with a simple shell script. There’s no secret sauce, tricks, or exploits utilized by SSH-Snake: it simply capitalizes on security mis-architecture.

At the moment, I’m not aware of the size of the infrastructures that have been breached (of the 100 organizations). It would be interesting to see how far the snake has slithered. If I was an organization that had been deeply compromised by SSH-Snake, I would look to security professionals to assist in a complete re-architecture of the systems, as the original architects would have clearly failed if their mission was to create a sane, resilient, and secure infrastructure.

For example, if an organization’s whole network can be seized by a someone running a single shell script, does this not indicate the lack of sanity in the creation of the infrastructure itself? I believe engineers should at least be held slightly accountable for their creations, much like bridges and buildings.

Luckily for infrastructure administrators worried about their network being taken over by my script, they have a handy tool that they can use to determine if their infrastructure is susceptible to attackers using SSH-Snake: SSH-Snake itself. For any infrastructure owners or maintainers worried about their systems being taken over by SSH-Snake, I implore them to utilize SSH-Snake themselves in their own infrastructure to discover the attack paths that exist – and fix them.”

*Updated with statement from Joshua Rogers

Related: Russia’s LitterDrifter USB Worm Spreads Beyond Ukraine

Related: P2PInfect: New Peer-to-Peer Worm Targeting Redis Servers

Related: Hunter-Killer Malware Tactic Growing: Stealthy, Persistent and Aggressive

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Mike Byron has been named Chief Financial Officer (CFO) at Exabeam.

Ex-GitHub chief technology officer Mike Hanley has joined GM as CISO.

Network security and compliance assurance firm Titania has appointed Victoria Dimmick as CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.