Original Article Text

New SSH-Snake malware steals SSH keys to spread across the network.

A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure.

SSH-Snake was discovered by the Sysdig Threat Research Team (TRT), who describe it as a "self-modifying worm" that stands out from traditional SSH worms by avoiding the patterns typically associated with scripted attacks. The worm searches for private keys in various locations, including shell history files, and uses them to stealthily spread to new systems after mapping the network.

SSH-Snake is available as an open-source tool for automated SSH-based network traversal: starting from one system, it maps the relationships with other hosts reachable through SSH. However, researchers at Sysdig, a cloud security company, say that SSH-Snake takes the typical lateral movement concept to a new level because it is more rigorous in its search for private keys.

Released on January 4, 2024, SSH-Snake is a bash shell script that autonomously searches a breached system for SSH credentials and uses them to propagate. The researchers say that one particularity of SSH-Snake is its ability to modify itself and shrink when it runs for the first time: it strips comments, unnecessary functions, and whitespace from its own code.

Designed for versatility, SSH-Snake works out of the box but can be customized for specific operational needs, including adapting the strategies it uses to discover private keys and to identify where each key can be used.

SSH-Snake employs various direct and indirect methods to discover private keys on compromised systems; reading shell history files for key paths and connection targets is one of the indirect ones.

Sysdig's analysts confirmed SSH-Snake's operational status after discovering a command and control (C2) server used by its operators to store data harvested by the worm, including credentials and victim IP addresses. This data shows signs of active exploitation of known Confluence vulnerabilities (and possibly other flaws) for initial access, leading to the deployment of the worm on those endpoints. According to the researchers, the tool has been used offensively on around 100 victims.

Sysdig sees SSH-Snake as "an evolutionary step" as far as malware goes because it targets a secure connection method that is widely used in corporate environments.
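The key-discovery methods described above, direct (files whose content is a private key) and indirect (key paths and connection targets left behind in shell history and the SSH client config), are exactly the places a defender should audit before a worm does. The script below is an added example written for this page; it is not code from SSH-Snake, from Sysdig, or from the original article. The file locations it checks, the regexes it uses, and the constructed home directory it scans are the editor's own assumptions.

```python
"""Defensive audit of where a key-hunting worm would find SSH material on a
Unix host: directly (files whose content is a private key) and indirectly
(keys named in shell history or ssh config, plus user@host destinations).
Editor's added example: not SSH-Snake's code and not Sysdig's tooling; the
regexes, paths and fixture data are the editor's own assumptions."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Direct method: the header that opens a PEM / OpenSSH private key file.
KEY_HEADER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Indirect method: "-i <path>" handed to ssh/scp/sftp on a history line.
HISTORY_KEY_REF = re.compile(r"\b(?:ssh|scp|sftp)\b[^\n]*?\s-i\s+(\S+)")
# Indirect method: user@host tokens on ssh/scp lines show where a key is accepted.
USER_AT_HOST = re.compile(r"[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+")
# Indirect method: IdentityFile directives in ~/.ssh/config.
CONFIG_IDENTITY = re.compile(r"^\s*IdentityFile\s+(\S+)", re.IGNORECASE | re.MULTILINE)

def is_private_key(path: Path) -> bool:
    """Direct check: does the file begin with a private-key PEM header?"""
    try:
        with path.open("rb") as fh:
            return KEY_HEADER.search(fh.read(256)) is not None
    except OSError:
        return False

def scan_tree_for_keys(root: Path) -> list[Path]:
    """Walk root (symlinks skipped) and return every file that is a key."""
    hits: list[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_symlink() and p.is_file() and is_private_key(p):
                hits.append(p)
    return sorted(hits)

def key_refs_from_history(text: str) -> set[str]:
    """Indirect: key paths passed with -i, wherever on disk they live."""
    return set(HISTORY_KEY_REF.findall(text))

def destinations_from_history(text: str) -> set[str]:
    """Indirect: user@host targets, i.e. the map a worm builds before it moves."""
    dests: set[str] = set()
    for line in text.splitlines():
        if re.search(r"\b(?:ssh|scp)\b", line):
            dests.update(USER_AT_HOST.findall(line))
    return dests

def identity_files_from_config(text: str) -> set[str]:
    """Indirect: IdentityFile paths declared in the ssh client config."""
    return set(CONFIG_IDENTITY.findall(text))

def expand(home: Path, ref: str) -> Path:
    """Resolve a leading ~ (current user only) and relative paths against home."""
    if ref.startswith("~"):
        ref = str(home) + ref[1:]
    p = Path(ref)
    return p if p.is_absolute() else home / p

def audit_home(home: Path) -> dict[str, list[str]]:
    """Combine direct and indirect discovery into one report for one home dir."""
    history = "".join((home / n).read_text(errors="replace")
                      for n in (".bash_history", ".zsh_history") if (home / n).exists())
    cfg = home / ".ssh" / "config"
    config = cfg.read_text() if cfg.exists() else ""
    found = set(scan_tree_for_keys(home))
    referenced = {expand(home, r) for r in key_refs_from_history(history)}
    referenced |= {expand(home, r) for r in identity_files_from_config(config)}
    return {
        "keys_on_disk": sorted(str(p) for p in found),
        # Named somewhere but not found under home: what a worm would chase next.
        "referenced_elsewhere": sorted(str(p) for p in referenced - found),
        "destinations": sorted(destinations_from_history(history)),
    }

def build_demo_home() -> Path:
    """Constructed fixture, not real data: one key on disk, a history line naming a
    key outside home, and an IdentityFile in ssh config that does not exist yet."""
    home = Path(tempfile.mkdtemp(prefix="sshaudit_"))
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_bytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA(constructed, not a real key)\n"
        b"-----END OPENSSH PRIVATE KEY-----\n")
    (home / ".ssh" / "config").write_text(
        "Host bastion\n  HostName 10.0.0.2\n  IdentityFile ~/.ssh/bastion_key\n")
    (home / ".bash_history").write_text(
        "ls -la\n"
        "ssh -i /opt/deploy/id_deploy deploy@10.0.0.5\n"
        "scp -i ~/.ssh/id_ed25519 backup.tgz ops@10.0.0.9:/srv/\n"
        "ssh bastion\n")
    return home

if __name__ == "__main__":
    for key, values in audit_home(build_demo_home()).items():
        print(key, values)
```

Run as-is it audits the constructed fixture; on a real host call `audit_home(Path.home())` (or loop over `/home/*` as root). The `referenced_elsewhere` list is the one to act on: those are keys living outside the usual `~/.ssh`, or pointed at by a config entry, that a content scan of the home directory alone would miss but a history-reading worm would find immediately. The `destinations` list shows what the same history gives an attacker for free: the hosts and accounts where each key is likely to be accepted, which is the network map the article describes the worm building before it moves.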

Daily Brief Summary

MALWARE // Stealthy SSH-Snake Malware Infects Networks by Stealing SSH Keys

The SSH-Snake malware operates as a self-modifying worm that maps networks and steals SSH keys to spread undetected.

Discovered by Sysdig's Threat Research Team, the malware stands out by not following the usual patterns associated with scripted SSH worms.

It searches for private keys across common locations, including shell history files, using them to move laterally across networks.

SSH-Snake itself is an open-source tool designed for automated SSH-based network traversal: starting from one host, it maps which other hosts are reachable through SSH.

Released on January 4, 2024, SSH-Snake is a bash shell script that rewrites itself on first run, stripping comments, unused functions, and whitespace to shrink its own code.

The malware allows for customization to suit operational needs, enhancing its ability to locate and utilize private keys.

A command and control server used by SSH-Snake's operators has been uncovered, holding harvested credentials and victim IP addresses and showing that known Confluence vulnerabilities were exploited for initial access before the worm was deployed.

Researchers estimate that approximately 100 victims have been affected, and Sysdig calls SSH-Snake "an evolutionary step" in malware because it abuses SSH, a secure connection method that is widely used in corporate environments.