New SSH-Snake malware steals SSH keys to spread across the network (www.bleepingcomputer.com)

submitted 9 months ago by kid@sh.itjust.works to c/cybersecurity@sh.itjust.works

4 comments fedilink hide all child comments

SSH-Snake, a network mapping tool, has been adapted by hackers to stealthily find and use private SSH keys for lateral movements in targeted networks. Identified by Sysdig as a self-altering worm, it diverges from standard SSH worms by avoiding predictable attack patterns. Launched on January 4, 2024, it's a bash script that self-modifies to minimize detection, scanning directories, shell histories, and system logs to find SSH credentials. Sysdig confirmed its use after detecting a C2 server storing data from around 100 victims, indicating the exploitation of Confluence vulnerabilities for access. SSH-Snake represents a significant evolution in malware, exploiting the widely used SSH protocol in businesses.

you are viewing a single comment's thread
view the rest of the comments

[-] IphtashuFitz@lemmy.world 2 points 9 months ago

SSH keys should always have paraphrases.

[-] ElderWendigo@sh.itjust.works 2 points 9 months ago* (last edited 9 months ago)

At the very least keys without passphrases (such as for automated tasks) should restrict what commands can be run, should not give access to an interactive shell, and should go to a very specific user with as little file system access as is necessary to do the task. If an automated ssh task is giving access to the places you put your private keys and bash history, you're probably doing something very wrong.

this post was submitted on 22 Feb 2024

73 points (95.1% liked)

Cybersecurity

5759 readers

48 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social