Threat actors abuse SSH credentials to gain unauthorized access to systems and networks. Because key-based SSH logins look like routine administrative traffic, SSH credential abuse gives an attacker a stealthy entry point for compromising and controlling the targeted systems.
On January 4th, 2024, the Sysdig Threat Research Team (TRT) discovered that a network mapping tool dubbed SSH-Snake was being used as a self-propagating worm.
The tool abuses the SSH private keys it finds on a compromised host in order to spread to and infect other systems.
It hunts through key files and shell history to pick its next targets, and threat actors are actively using SSH-Snake at the time of writing.
Earlier research had already described worms of this kind: find SSH credentials on a host, use them to connect to new hosts, and repeat the process there.
What sets SSH-Snake's lateral movement apart is how thoroughly it finds private keys, which makes it more efficient and more successful than typical SSH worms.
SSH-Snake automates network traversal using the SSH private keys it discovers, mapping the network and its trust dependencies as it goes.
It is a bash script that autonomously searches the current system for SSH credentials, logs into the targets those credentials unlock, and replicates itself there to repeat the process.
To operate filelessly, SSH-Snake self-modifies to shrink its own size, removing comments, whitespace, and functions it does not need before passing itself on to the next host.
This automates the laborious work of discovering SSH-connected systems, saving an attacker considerable time and effort.
The worm repeats a four-step loop on every host it reaches:
1. On the current system, find any SSH private keys.
2. On the current system, find any hosts or destinations where those private keys may be accepted.
3. Attempt to SSH into all of the destinations using all of the private keys discovered.
4. If a destination is successfully connected to, repeat steps #1 - #4 on the connected-to system.
The malware hunts for private keys of various types on the target system using several methods.
Among them, it scans bash history for SSH-related commands, which reveal key locations, usernames, and the hosts those credentials were used against.
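The discovery half of that loop (steps 1 and 2, including the bash-history scan described above) is easy to reproduce defensively. The script below is an added example written for this page, not SSH-Snake's own code: it audits a directory tree the way a worm would harvest it, listing the private keys and the destinations found in known_hosts, the ssh client config, and shell history, and then the key/destination pairs that step 3 would try. It never connects anywhere. Everything about the layout is an assumption (a home-directory-like tree with .ssh/ and .bash_history; private keys recognised by their "-----BEGIN ... PRIVATE KEY-----" header), and the fixture it builds is constructed sample data with placeholder key bodies.

```shell
#!/usr/bin/env bash
# Added example, not SSH-Snake's own code: a read-only audit that performs the
# worm's discovery steps (1 and 2) against a directory tree so a defender can see
# which keys and destinations an SSH worm would harvest from a host. Nothing is
# connected to; step 3 is only listed as the key/destination pairs it would try.
# Assumptions (not from the article): the tree is laid out like a home directory
# (.ssh/, .bash_history); a private key is any file whose first bytes carry a
# "-----BEGIN ... PRIVATE KEY-----" header; destinations come from known_hosts,
# "HostName" lines in ~/.ssh/config, and ssh/scp/sftp commands in shell history.
set -u

# Step 1: print the path of every file under $1 that looks like a private key.
find_private_keys() {
  local root=$1 f
  find "$root" -type f 2>/dev/null | while read -r f; do
    if head -c 64 "$f" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
      printf '%s\n' "$f"
    fi
  done | sort
}

# Step 2a: hosts from known_hosts (field 1 is "host1,host2"; hashed "|1|..." and
# "@cert-authority" entries carry no usable hostname and are skipped).
known_hosts_targets() {
  [ -f "$1/.ssh/known_hosts" ] || return 0
  awk '$1 !~ /^[|#@]/ { n = split($1, h, ","); for (i = 1; i <= n; i++) print h[i] }' "$1/.ssh/known_hosts"
}

# Step 2b: explicit HostName values from the ssh client config.
config_targets() {
  [ -f "$1/.ssh/config" ] || return 0
  awk 'tolower($1) == "hostname" { print $2 }' "$1/.ssh/config"
}

# Step 2c: "[user@]host" targets and "-i" key paths from ssh/scp/sftp commands in
# shell history. Output lines are "dest <target>" or "key <path>".
history_targets() {
  [ -f "$1/.bash_history" ] || return 0
  awk '
    $1 ~ /^(ssh|scp|sftp)$/ {
      for (i = 2; i <= NF; i++) {
        if ($i == "-i" && i < NF) { print "key " $(i + 1); i++; continue }
        if ($i ~ /^-[bceFJlmopRDLWS]$/) { i++; continue }   # options that take a value
        if ($i ~ /^-/) continue                               # flag options
        if ($i ~ /^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+(:.*)?$/) { sub(/:.*/, "", $i); print "dest " $i; break }
        if ($1 == "ssh" && $i ~ /^[A-Za-z0-9.-]+$/) { print "dest " $i; break }
      }
    }' "$1/.bash_history" | sort -u
}

# Union of all destinations the worm would learn from this tree.
all_destinations() {
  { known_hosts_targets "$1"; config_targets "$1"; history_targets "$1" | awk '$1 == "dest" { print $2 }'; } | sort -u
}

# Step 3 (listed, not executed): every key/destination pair the worm would try.
candidate_pairs() {
  local root=$1 key dest
  find_private_keys "$root" | while read -r key; do
    all_destinations "$root" | while read -r dest; do
      printf '%s -> %s\n' "$key" "$dest"
    done
  done
}

# Constructed sample home directory so the audit runs offline; the key bodies are placeholders.
make_fixture() {
  local d=$1
  mkdir -p "$d/.ssh" "$d/project"
  printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA(constructed)\n-----END OPENSSH PRIVATE KEY-----\n' > "$d/.ssh/id_ed25519"
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n' > "$d/project/deploy.pem"
  printf 'ssh-ed25519 AAAA(constructed) ops@laptop\n' > "$d/.ssh/id_ed25519.pub"   # public key, must not be reported
  printf 'db1.internal,10.0.0.21 ssh-ed25519 AAAA(constructed)\n|1|hashedhost|hashedvalue ssh-rsa AAAA(constructed)\n' > "$d/.ssh/known_hosts"
  printf 'Host bastion\n  HostName bastion.example.internal\n  User ops\n' > "$d/.ssh/config"
  printf 'ls -la\nssh -i ~/project/deploy.pem deploy@10.0.0.30\nssh -p 2222 web2.internal\nscp build.tgz app@10.0.0.31:/srv/\n' > "$d/.bash_history"
}

# Usage: source this file and run `candidate_pairs "$HOME"`, or run it with --demo on the fixture.
if [ "${1:-}" = "--demo" ]; then
  demo_dir=$(mktemp -d); make_fixture "$demo_dir"; candidate_pairs "$demo_dir"; rm -rf "$demo_dir"
fi
```

Run against a real home directory, the pair list is the blast radius a single compromised account hands to a worm like this; every key that maps to a destination where it is still authorised is a candidate for rotation or for removal from that host.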
Sysdig TRT also located the command-and-control (C2) server used by the actors deploying SSH-Snake.
The server stores SSH-Snake's output for each target it was run against, which exposes the IP addresses of the victims.
Defenders can detect SSH-Snake with existing default rules, or craft new ones around the behaviour the worm cannot avoid: reading many private key files on one host and fanning SSH connections out to many destinations in a short time.
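The following is an added example of such a custom rule, written for this page and not one of Sysdig's own detections. It works from the receiving side: every hop the worm makes is an "Accepted publickey" login in sshd's log, so one source address authenticating by key to several distinct user@host targets within a short window is the fan-out signature of a key-hopping worm, something a human administrator rarely produces. The log format assumed is the usual syslog layout of sshd messages collected centrally, all lines on one calendar day; the sample log lines are constructed, not taken from any incident.

```shell
#!/usr/bin/env bash
# Added example, not one of Sysdig's rules: a detection that works from what an
# SSH worm must leave behind on the receiving side. Each hop is an sshd
# "Accepted publickey" login, so one source address authenticating by key to
# several distinct user@host targets within a short window is the fan-out
# signature of a key-hopping worm, while a human admin rarely does that.
# Assumptions (not from the article): centralised sshd auth logs in the usual
# syslog layout "Mon DD HH:MM:SS host sshd[pid]: Accepted publickey for USER
# from IP port N ssh2: ..."; all lines fall on the same calendar day.
set -u

# Read sshd log lines on stdin; print one ALERT line per source address that
# reached at least $2 distinct user@host targets within any $1-second window.
flag_key_fanout() {
  local window=${1:-300} threshold=${2:-3}
  awk -v W="$window" -v T="$threshold" '
    /sshd\[[0-9]+\]: Accepted publickey for / {
      split($3, c, ":"); t = c[1] * 3600 + c[2] * 60 + c[3]   # seconds since midnight
      host = $4; user = $9; src = $11
      n[src]++; ts[src, n[src]] = t; tg[src, n[src]] = user "@" host
    }
    END {
      for (src in n) {
        best = 0
        for (i = 1; i <= n[src]; i++) {          # a window starting at each login
          split("", seen); cnt = 0
          for (j = 1; j <= n[src]; j++) {
            if (ts[src, j] >= ts[src, i] && ts[src, j] <= ts[src, i] + W && !(tg[src, j] in seen)) {
              seen[tg[src, j]] = 1; cnt++
            }
          }
          if (cnt > best) best = cnt
        }
        if (best >= T) printf "ALERT src=%s distinct_targets=%d window=%ds\n", src, best, W
      }
    }' | sort
}

# Constructed sample: an admin (10.0.0.2) reaching two hosts twenty minutes apart, and a
# worm-like source (10.0.0.5) reaching four different accounts/hosts within 90 seconds.
SAMPLE_AUTH_LOG='Feb 23 07:10:02 web1 sshd[2201]: Accepted publickey for ops from 10.0.0.2 port 40122 ssh2: ED25519 SHA256:(constructed)
Feb 23 07:15:20 web1 sshd[2290]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: RSA SHA256:(constructed)
Feb 23 07:15:31 db1 sshd[1188]: Accepted publickey for deploy from 10.0.0.5 port 51240 ssh2: RSA SHA256:(constructed)
Feb 23 07:15:44 web2 sshd[3107]: Accepted publickey for root from 10.0.0.5 port 51251 ssh2: ED25519 SHA256:(constructed)
Feb 23 07:16:05 db1 sshd[1190]: Failed publickey for root from 10.0.0.5 port 51260 ssh2: RSA SHA256:(constructed)
Feb 23 07:16:50 bastion sshd[877]: Accepted publickey for ops from 10.0.0.5 port 51271 ssh2: RSA SHA256:(constructed)
Feb 23 07:31:09 db1 sshd[1203]: Accepted publickey for ops from 10.0.0.2 port 40201 ssh2: ED25519 SHA256:(constructed)'

# Usage: run with --demo, or pipe a real log: `flag_key_fanout 300 3 < /var/log/auth.log`.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_key_fanout 300 3
fi
```

Failed attempts are deliberately ignored, because the worm tries every key against every destination and most of those attempts fail; the accepted logins are what mark the path it actually took. The window and threshold are tuning knobs: bastions and deployment hosts that legitimately fan out will need a whitelist or a higher threshold.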
SSH-Snake extends threat actors' capabilities: it rides on SSH keys that the targets already trust, and its self-modifying, fileless design helps it evade static detection.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 23 Feb 2024 07:15:20 +0000