A menace actor is utilizing an open-source community mapping instrument named SSH-Snake to search for non-public keys undetected and transfer laterally on the sufferer infrastructure.
SSH-Snake was found by the Sysdig Threat Research Team (TRT), who describe it as a “self-modifying worm” that stands out from conventional SSH worms by avoiding the patterns usually related to scripted assaults.
The worm searches for personal keys in varied areas, together with shell historical past recordsdata, and makes use of them to stealthily unfold to new methods after mapping the community.
SSH-Snake is available as an open-source asset for automated SSH-based community traversal, which may begin from one system and present the connection with different hosts linked by means of SSH.
However, researchers at Sysdig, a cloud safety firm, say that SSH-Snake takes the standard lateral motion idea to a brand new stage as a result of it’s extra rigorous in its seek for non-public keys.
Released on January 4, 2024, SSH-Snake is a bash shell script tasked with autonomously looking out a breached system for SSH credentials and using them for propagation.
The researchers say that one particularity of SSH-Snake is the flexibility to switch itself and make itself smaller when operating for the primary time. It does this by eradicating feedback, pointless features, and whitespace from its code.
Designed for versatility, SSH-Snake is plug-and-play but permits customizing for particular operational wants, together with adapting methods to find non-public keys and determine their potential use.
SSH-Snake employs varied direct and oblique strategies to find non-public keys on compromised methods, together with:
- Searching by means of widespread directories and recordsdata the place SSH keys and credentials are usually saved, together with .ssh directories, config recordsdata, and different areas.
- Examining shell historical past recordsdata (e.g., .bash_history, .zsh_history) to search out instructions (ssh, scp, and rsync) which will have used or referenced SSH non-public keys.
- Using the ‘find_from_bash_history’ characteristic to parse the bash historical past for instructions associated to SSH, SCP, and Rsync operations, which may uncover direct references to personal keys, their areas, and related credentials.
- Examining system logs and community cache (ARP tables) to determine potential targets and collect data that may not directly result in discovering non-public keys and the place they can be utilized.
Sysdig’s analysts confirmed SSH-Snake’s operational standing after discovering a command and management (C2) server utilized by its operators to retailer knowledge harvested by the worm, together with credentials and sufferer IP addresses.
This knowledge exhibits indicators of lively exploitation of identified Confluence vulnerabilities (and presumably different flaws) for preliminary access, resulting in the deployment of the worm on these endpoints.
(Sysdig)
According to the researchers, the instrument has been used offensively on round 100 victims.
Sysdig sees SSH-Snake as “an evolutionary step” so far as malware goes as a result of it targets a safe connection methodology that’s extensively utilized in company environments.
