MALWARE & HACKERS, COLLECTING SSH KEYS

Dav9862

SSH keys are access credentials that grant access to servers without having to type a password. They are commonly used for automated machine-to-machine access for file transfers and integration of information systems. Unix and Linux system administrators use them every day.

Advanced malware and hackers have been collecting SSH keys for years. This is for a few reasons:

  • The keys provide a long-term backdoor, and they can be used to spread the attack from one server to another - possibly across nearly all servers in an enterprise, including disaster recovery data centers and backup data centers.
  • The keys often grant access to credit card payment environments and financial data environments in public companies.
  • The keys commonly provide root or administrator access, thus allowing installation of malware, compromising of software, or even outright destruction.
Hackers have known about SSH keys for years. We have talked to a former government hacker, now a penetration tester, who said he would always first get all SSH keys. In the famous Sony breach, hackers stole SSH credentials and apparently used them to attack. Authentication credentials, particularly SSH keys, are a natural target for attackers.

Spreading Using SSH Keys

We have found that most large organizations have many times more SSH keys than they have servers or user accounts. For example, in one typical financial institution we found 3 million SSH keys granting access to 15,000 servers. That is an average of 200 keys per server.

Once an attacker breaks into one server, it is highly likely that the attacker will find one or more private keys from that initial server. The attacker can then use these discovered private keys to login to other servers - typically more than one - and again find private keys from these servers. Repeating this quickly spreads the breach and exposes more and more of the target network.

Leveraging unmanaged SSH keys allows the attacker to establish and expand a foothold in the target networks, and an attack like this may quickly spread through almost the whole environment.

What Can Malware and Their Masters Do with the Keys and Access

Once the attackers are in possession of SSH keys that grant access to a system, they gain operating system level access to the system, typically a command line. In our analysis of real-life deployments, we have seen that roughly 10% of all SSH keys grant root access. For the attackers root privileges allow unrestricted access to all aspects of the system. In cases where the SSH keys allow non-root access, the attackers will typically attempt to combine local attacks, using vulnerabilities in software and/or operating system on the server, to escalate privileges to root.

Once an attacker has gained root access, anything is possible. The attacker can modify the operating system, install malware into the BIOS or firmware (e.g., a form of virtualized rootkit), modify the operating system or any services running on it. The attacker can even damage the system and its data beyond repair by wiping the BIOS, hard drive firmware, and network adapter firmware. Root access typically gives the attacker total control of the system.

Even without root access, the attackers can read and modify any data accessible to the account(s) they have access to. For example, access to an Oracle database service account may grant direct read and modify access to the raw database files and to the memory of the database server process, bypassing all database-level logging, security controls, and integrity checks. This allows extracting data, subverting encryption, inserting fraudulent data, or damaging or destroying the database.

An attack that uses SSH keys to spread throughout an enterprise could take the target down for months. Or a country, if targeting its critical infrastructure.

How Hackers Gain Access to Intranet Even when Protected by Firewalls

Using SSH keys requires a TCP/IP connection to the server. A common misconception is that the problem would not be so serious in the internal networks as it is on the public Internet. This is a false assumption for a couple of reasons:

  • Attackers are often already inside the protected network (either in person, via a connection, or using malware). There have been many cases where SSH keys have been stolen, sold, or misused by employees.
  • Attackers commonly leverage port forwarding. Most firewalls are unable to prevent this, and those that do, have very limited functionality.
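The post describes how unmanaged keys let a breach hop from server to server, and how a share of keys grant root. The defensive counterpart is an inventory: parse every `authorized_keys` entry in the fleet, match the fingerprints against private keys found on each host, and compute how far a single compromised host could reach. The following script is an added example written for this page, not code from the post or its original source. The inventory format (`host -> account -> authorized_keys lines`, plus the fingerprints of private keys stored on each host) is an assumption for the example, and all hosts, accounts and keys in it are constructed; the fingerprint and `authorized_keys` option syntax follow OpenSSH.

```python
"""Fleet-wide SSH key audit: trust graph, blast radius and unrestricted root keys.

Added example (not from the forum post). The inventory layout is assumed for
this example; in practice it would be collected from each host's
~/.ssh/authorized_keys files and from a scan for private key files.
"""
import base64
import hashlib
import re
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")

# Splits the options field on commas that are outside double quotes.
_OPTION_RE = re.compile(r'(?:[^,"]|"(?:\\.|[^"])*")+')
# Captures the options field (may contain quoted spaces) and the remainder.
_OPTIONS_THEN_REST = re.compile(r'((?:[^\s"]|"(?:\\.|[^"])*")+)\s+(.*)')


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_key(line: str):
    """Parse one authorized_keys line into (options, key_type, fingerprint, comment).

    Returns None for blank, comment or malformed lines. Options such as
    from="10.0.0.0/8" or command="..." restrict what the key can do.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if line.split(None, 1)[0] not in KEY_TYPES:
        m = _OPTIONS_THEN_REST.match(line)
        if not m:
            return None
        for opt in _OPTION_RE.findall(m.group(1)):
            name, _, value = opt.partition("=")
            options[name] = value.strip('"') if value else True
        line = m.group(2)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], fingerprint(parts[1]), comment


def build_trust_graph(inventory, private_keys):
    """Edges host -> {(target_host, account)}: a private key stored on `host`
    is accepted by `account` on `target_host`."""
    accepted = defaultdict(set)  # fingerprint -> {(host, account)}
    for host, accounts in inventory.items():
        for account, lines in accounts.items():
            for line in lines:
                parsed = parse_authorized_key(line)
                if parsed:
                    accepted[parsed[2]].add((host, account))
    edges = defaultdict(set)
    for host, fps in private_keys.items():
        for fp in fps:
            edges[host] |= accepted.get(fp, set())
    return edges


def blast_radius(edges, start):
    """Hosts reachable from `start` by repeatedly reusing discovered private keys."""
    seen, frontier = {start}, [start]
    while frontier:
        host = frontier.pop()
        for target, _account in edges.get(host, ()):
            if target not in seen:
                seen.add(target)
                frontier.append(target)
    return seen - {start}


def unrestricted_root_keys(inventory):
    """Keys accepted by root with neither a source (from=) nor a forced command."""
    findings = []
    for host, accounts in inventory.items():
        for line in accounts.get("root", []):
            parsed = parse_authorized_key(line)
            if parsed and "from" not in parsed[0] and "command" not in parsed[0]:
                findings.append((host, parsed[2], parsed[3]))
    return findings


def keys_per_host(inventory):
    """Average number of authorized_keys entries per host (the post's 200:1 ratio)."""
    total = sum(len(lines) for accounts in inventory.values() for lines in accounts.values())
    return total / len(inventory)


# Constructed sample data: the base64 blobs are placeholders, not real keys.
KEY_A = base64.b64encode(b"constructed public key A").decode()
KEY_B = base64.b64encode(b"constructed public key B").decode()
KEY_C = base64.b64encode(b"constructed public key C").decode()
KEY_D = base64.b64encode(b"constructed public key D").decode()

INVENTORY = {
    "bastion": {"ops": [f"ssh-ed25519 {KEY_D} laptop"]},
    "app1": {"deploy": [f"ssh-ed25519 {KEY_A} ops@bastion"]},
    "app2": {"deploy": [f"ssh-ed25519 {KEY_A} ops@bastion"],
             "root": [f'from="10.0.0.5",no-pty ssh-rsa {KEY_C} backup@app1']},
    "db1": {"root": [f"ssh-rsa {KEY_B} app1-cron"]},
}
PRIVATE_KEYS = {  # fingerprints of private key files found on each host
    "bastion": [fingerprint(KEY_A)],
    "app1": [fingerprint(KEY_B), fingerprint(KEY_C)],
    "app2": [],
    "db1": [],
}

if __name__ == "__main__":
    graph = build_trust_graph(INVENTORY, PRIVATE_KEYS)
    print("reachable from a compromised bastion:", sorted(blast_radius(graph, "bastion")))
    print("unrestricted root keys:", unrestricted_root_keys(INVENTORY))
    print("keys per host:", keys_per_host(INVENTORY))
```

On the constructed data, compromising `bastion` reaches `app1` through KEY_A, and from `app1` the stored keys reach `db1` as root and `app2` as root, which is exactly the chained spread the post describes. The audit flags the `db1` root key because it carries no `from=` or `command=` restriction; the `app2` root key is source-restricted and is not flagged, which illustrates the mitigations (restrict options, remove stray private keys, keep the key-to-host ratio low) that shrink the blast radius.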