The Sysdig Threat Research Team (TRT) discovered that a threat actor is leveraging an open-source network mapping tool called SSH-Snake for malicious activities. This tool utilizes SSH credentials found on the compromised systems to propagate itself across networks.
Released on January 4, 2024, SSH-Snake is a bash shell script engineered to autonomously search breached systems for SSH credentials and use them to propagate. One notable feature is that it modifies itself on first execution, shrinking its own code by stripping comments, unused functions and whitespace.
SSH-Snake Hunts for Private Keys
Following an intrusion, attackers commonly move laterally, seeking out additional targets across the network. SSH-Snake takes lateral movement a step further by methodically hunting for private keys. This self-modifying worm is more effective than typical SSH worms because it avoids the patterns that give scripted attacks away, while offering greater stealth, flexibility and configurability and a more thorough credential discovery.
The worm looks for SSH keys in a range of locations, including shell history files, and uses what it finds to build a map of the network and its dependencies. From each host it reaches, it works out which further systems can be reached over SSH with the private keys discovered on that host, then repeats the process there.
Using a mix of direct and indirect methods, SSH-Snake locates private keys on a compromised system by:
- Searching common directories and files where SSH keys and credentials are typically stored, such as .ssh directories and config files.
- Parsing shell history files (.bash_history, .zsh_history and the like) for ssh, scp and rsync invocations, which frequently name the private key used (for example via -i) and the user@host it was used against.
- Using its find_from_bash_history feature to do this for bash history specifically, pulling out direct references to private keys together with the credentials and hosts associated with them.
- Examining system logs and the network neighbour cache (ARP tables) to identify further targets and gather information that leads to more private keys.
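As an added example (not code from the SSH-Snake project, Sysdig or TuxCare), the following Python script performs the first two discovery steps listed above from the defender's side: it walks a directory tree for private-key files, telling passphrase-protected keys from unprotected ones by reading the key's own header (the legacy PEM Proc-Type line, or the ciphername field of the openssh-key-v1 container), and parses bash and zsh history for ssh, scp, sftp and rsync commands that name a key or a user@host. Every function name, path, key blob and history line in it is constructed for the example. Pointed at real home directories, `find_private_keys` shows what a worm landing on that host would collect, and which keys need a passphrase or rotation.

```python
"""Read-only audit of what SSH-Snake harvests: private-key files on disk and the
ssh/scp/rsync commands in shell history. Added example for this article, not code from
the SSH-Snake project, Sysdig or TuxCare; all names and sample data are this example's own."""
import base64, os, re, shlex, struct, tempfile

PEM_HEADER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
HISTORY_CMDS = {"ssh", "scp", "sftp", "rsync"}
OPTS_WITH_ARG = set("BbcDEeFIJLlmOoPpQRSWw")   # single-letter options that consume a value

def classify_private_key(data: bytes):
    """Return (format, passphrase_protected) for a private-key file, None if it is not one."""
    m = PEM_HEADER.search(data)
    if not m:
        return None
    if b"OPENSSH" not in m.group(0):   # legacy PEM / PKCS#8 flag encryption in the header
        return ("pem", b"ENCRYPTED" in m.group(0) or b"Proc-Type: 4,ENCRYPTED" in data)
    # openssh-key-v1 container: magic || string(ciphername) || string(kdfname) || ...
    body = b"".join(ln.strip() for ln in data.splitlines() if not ln.startswith(b"-----"))
    try:
        raw = base64.b64decode(body[: len(body) - len(body) % 4])
    except ValueError:
        return ("openssh", None)
    if not raw.startswith(b"openssh-key-v1\x00") or len(raw) < 19:
        return ("openssh", None)
    (n,) = struct.unpack(">I", raw[15:19])
    return ("openssh", raw[19:19 + n] != b"none")   # ciphername "none" means no passphrase

def find_private_keys(root: str) -> dict:
    # Map every private-key file under root (relative path) to its classification.
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path):
                with open(path, "rb") as f:
                    verdict = classify_private_key(f.read(65536))
                if verdict:
                    found[os.path.relpath(path, root)] = verdict
    return found

def parse_history_line(line: str):
    """Key paths and (user, host) targets named by one ssh/scp/sftp/rsync command."""
    if line.startswith(": ") and ";" in line:   # zsh EXTENDED_HISTORY timestamp prefix
        line = line.split(";", 1)[1]
    try:
        argv = shlex.split(line)
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) not in HISTORY_CMDS:
        return None
    cmd, keys, targets, i = os.path.basename(argv[0]), [], [], 1
    while i < len(argv):
        tok, nxt, i = argv[i], (argv[i + 1] if i + 1 < len(argv) else None), i + 1
        if tok == "-i" and nxt is not None:
            keys.append(nxt)
            i += 1
        elif cmd == "rsync" and tok == "-e" and nxt is not None:   # rsync -e "ssh -i key"
            sub = parse_history_line(nxt)
            keys += sub["keys"] if sub else []
            i += 1
        elif tok.startswith("-"):
            i += 1 if len(tok) == 2 and tok[1] in OPTS_WITH_ARG else 0
        elif "@" in tok:
            user, rest = tok.split("@", 1)
            targets.append((user, rest.split(":", 1)[0]))
        elif cmd == "ssh" and not targets:             # bare "ssh host [command]"
            targets.append((None, tok))
    return {"cmd": cmd, "keys": keys, "targets": targets}

def audit_history(text: str) -> list:
    return [rec for rec in map(parse_history_line, text.splitlines()) if rec]

def _fake_openssh_key(cipher: bytes) -> bytes:
    # Constructed stand-in holding only the leading openssh-key-v1 fields; not a usable key.
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw) + b"\n-----END OPENSSH PRIVATE KEY-----\n"

def demo_key_scan() -> dict:
    # Write a constructed home-directory tree to a temp dir and scan it.
    root = tempfile.mkdtemp(prefix="sshsnake-audit-")
    samples = {
        ".ssh/id_ed25519": _fake_openssh_key(b"none"),      # no passphrase: usable by the worm
        ".ssh/id_rsa": _fake_openssh_key(b"aes256-ctr"),     # passphrase-protected
        "backup/old_server.pem": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\n"
                                  b"AAAA\n-----END RSA PRIVATE KEY-----\n"),
        "notes.txt": b"not a key\n",
    }
    for rel, content in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return find_private_keys(root)

# Constructed history mixing bash and zsh formats; no real hosts or keys.
SAMPLE_HISTORY = """\
ssh -i ~/.ssh/deploy_key deploy@10.0.0.12
: 1700000000:0;scp -P 2222 -i /opt/keys/backup.pem backup@db-01.internal:/var/backups/db.sql .
rsync -avz -e "ssh -i /root/.ssh/ci_key" ./build ci@build.internal:/srv/app
ssh -p 2222 bastion.example.internal
"""
```

Running `audit_history(SAMPLE_HISTORY)` yields one record per SSH-related command with the key path and the user/host pair it exposed, which is exactly the pairing the worm needs to hop; `demo_key_scan()` reports the unprotected ed25519 key as the only one it could use as-is. On a real host, replace the constructed tree with the home directories under /home and /root and feed each user's history file to `audit_history`.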
Conclusion
SSH-Snake spreads across networks with the SSH keys it harvests, and its fileless nature makes it hard to detect. According to the researchers, it has been used offensively against approximately 100 victims. Its malicious use marks an "evolutionary step" in malware development, targeting a secure connection method that is ubiquitous in enterprise environments. Runtime threat detection tools such as Sysdig Secure or the open source Falco can be used to identify such attacks.
The sources for this article include a story from BleepingComputer.
The post New SSH-Snake Worm-Like Tool Threatens Network Security appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/new-ssh-snake-worm-like-tool-threatens-network-security/