Security researchers at Venafi have found that sophisticated backdoor malware techniques, used to cripple Ukrainian power stations in 2015, are being deployed more widely by the black hat community.
The malware behavior
The malware specifically targets SSH keys, which secure remote command execution and communications between machines.
Security experts noted that such techniques have been observed in use over the past year by TrickBot, the cryptomining campaign CryptoSink, Linux Worm, and Skidmap. However, the backdoored SSH server used by the BlackEnergy gang, whose attack caused mass power outages in parts of Ukraine, had far greater capabilities.
Commoditization of SSH Keys
SSH keys are one of the most critical components of remote authentication between systems today, and hence a potent weapon in the wrong hands.
Yana Blachman, threat intelligence specialist at Venafi, said: “Until recently, only the most sophisticated, well-financed hacking groups had this kind of capability. Now, we’re seeing a ‘trickle-down’ effect, where SSH capabilities are becoming commoditized.”
She added that, with the commoditization of SSH keys, attackers will attempt to monetize the backdoors they gain by selling access through dedicated channels to more sophisticated and sponsored attackers, including nation-state threats.
In a similar case, the TrickBot gang was seen selling “bot-as-a-service” to North Korean hackers.
Organizations need clear visibility of how their systems are running and must protect every authorized SSH key in the enterprise to prevent it from being hijacked. Their security infrastructure must also withstand attempts by attackers to insert their own malicious SSH machine identities into systems, by blocking them immediately.
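One concrete form of the visibility described above is an inventory check over authorized_keys files: every key found on a host is fingerprinted and compared against the list of keys the organization actually issued, so a planted backdoor key stands out. The following is an added example written for this article, not code from Venafi or from any of the malware families named; the key blobs, the inventory and the authorized_keys content are all constructed in-line, and no real keys are involved.

```python
"""Audit OpenSSH authorized_keys content against an inventory of approved key fingerprints."""
import base64
import hashlib
import re

# Key types OpenSSH accepts in authorized_keys; an options prefix may precede them.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) +
                    r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(authorized_keys_text: str, approved: set) -> list:
    """Return one finding per entry whose key is not in the approved inventory."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append({"line": lineno, "reason": "unparseable entry"})
            continue
        fp = fingerprint(m.group(2))
        if fp not in approved:
            findings.append({"line": lineno, "type": m.group(1), "fingerprint": fp,
                             "options": line[:m.start(1)].strip(),  # text before the key type
                             "comment": m.group(3) or "", "reason": "key not in inventory"})
    return findings

def ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ed25519 public-key blob (constructed, not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()

# Constructed data: the inventory knows one key; the file also carries an unknown
# key with an options prefix, the way a planted machine identity would appear.
APPROVED_BLOB = ed25519_blob(b"deploy-host-01")
PLANTED_BLOB = ed25519_blob(b"unknown-origin")
APPROVED = {fingerprint(APPROVED_BLOB)}
SAMPLE_AUTHORIZED_KEYS = f"""# deploy key
ssh-ed25519 {APPROVED_BLOB} deploy@host-01
from="203.0.113.5",no-pty ssh-ed25519 {PLANTED_BLOB} root@localhost
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(finding)
```

In practice the inventory would come from the organization's key-issuance records rather than being built in the script, and the audit would run over every user's authorized_keys file on every host.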